Merge pull request #30 from Arquisoft/fix_llmkey_exposure

Fix llmkey exposure
Arquisoft · Feb 20, 2025 · 294aaa3 · 294aaa3
2 parents 25a54d1 + b9e7e1b
commit 294aaa3
Show file tree

Hide file tree

Showing 12 changed files with 57 additions and 32 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -54,14 +54,13 @@ jobs:
       uses: elgohr/Publish-Docker-Github-Action@v5
       env:
         API_URI: http://${{ secrets.DEPLOY_HOST }}:8000
-        LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
       with:
           name: arquisoft/wichat_0/webapp
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
           registry: ghcr.io
           workdir: webapp
-          buildargs: API_URI,LLM_API_KEY
+          buildargs: API_URI
   docker-push-authservice:
     name: Push auth service Docker Image to GitHub Packages
     runs-on: ubuntu-latest
@@ -112,12 +111,15 @@ jobs:
     - uses: actions/checkout@v4
     - name: Publish to Registry
       uses: elgohr/Publish-Docker-Github-Action@v5
+      env:
+        LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
       with:
         name: arquisoft/wichat_0/llmservice
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
         registry: ghcr.io
         workdir: llmservice
+        buildargs: LLM_API_KEY
 
   docker-push-gatewayservice:
     name: Push gateway service Docker Image to GitHub Packages

diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -0,0 +1,3 @@
+{
+    "postman.settings.dotenv-detection-notification-visibility": false
+}
diff --git a/README.md b/README.md
@@ -30,9 +30,9 @@ First, clone the project:
 In order to communicate with the LLM integrated in this project, we need to setup an API key. Two integrations are available in this propotipe: gemini and empaphy. The API key provided must match the LLM provider used.
 
 We need to create two .env files. 
-- The first one in the webapp directory (for executing the webapp using ```npm start```). The content of this .env file should be as follows:
+- The first one in the llmservice directory (for executing the llmservice using ```npm start```). The content of this .env file should be as follows:
 ```
-REACT_APP_LLM_API_KEY="YOUR-API-KEY"
+LLM_API_KEY="YOUR-API-KEY"
 ```
 - The second one located in the root of the project (along the docker-compose.yml). This .env file is used for the docker-compose when launching the app with docker. The content of this .env file should be as follows:
 ```

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -42,7 +42,10 @@ services:
     container_name: llmservice-wichat_0
     image: ghcr.io/arquisoft/wichat_0/llmservice:latest
     profiles: ["dev", "prod"]
-    build: ./llmservice
+    build: 
+      context: ./llmservice
+      args:
+          LLM_API_KEY: ${LLM_API_KEY}
     ports:
       - "8003:8003"
     networks:
@@ -71,10 +74,7 @@ services:
     container_name: webapp-wichat_0
     image: ghcr.io/arquisoft/wichat_0/webapp:latest
     profiles: ["dev", "prod"]
-    build: 
-      context: ./webapp
-      args:
-        LLM_API_KEY: ${LLM_API_KEY}
+    build: ./webapp
     depends_on:
       - gatewayservice
     ports:

diff --git a/llmservice/.dockerignore b/llmservice/.dockerignore
@@ -1,2 +1,3 @@
 node_modules
-coverage
+coverage
+.env
diff --git a/llmservice/Dockerfile b/llmservice/Dockerfile
@@ -10,6 +10,9 @@ COPY package*.json ./
 # Install app dependencies
 RUN npm install
 
+ARG LLM_API_KEY
+ENV LLM_API_KEY=$LLM_API_KEY
+
 # Copy the app source code to the working directory
 COPY . .
 

diff --git a/llmservice/llm-service.js b/llmservice/llm-service.js
@@ -6,6 +6,8 @@ const port = 8003;
 
 // Middleware to parse JSON in request body
 app.use(express.json());
+// Load enviornment variables
+require('dotenv').config();
 
 // Define configurations for different LLM APIs
 const llmConfigs = {
@@ -71,9 +73,14 @@ async function sendQuestionToLLM(question, apiKey, model = 'gemini') {
 app.post('/ask', async (req, res) => {
   try {
     // Check if required fields are present in the request body
-    validateRequiredFields(req, ['question', 'model', 'apiKey']);
+    validateRequiredFields(req, ['question', 'model']);
 
-    const { question, model, apiKey } = req.body;
+    const { question, model } = req.body;
+    //load the api key from an environment variable
+    const apiKey = process.env.LLM_API_KEY;
+    if (!apiKey) {
+      return res.status(400).json({ error: 'API key is missing.' });
+    }
     const answer = await sendQuestionToLLM(question, apiKey, model);
     res.json({ answer });
 

diff --git a/llmservice/llm-service.test.js b/llmservice/llm-service.test.js
@@ -1,3 +1,6 @@
+//set a fake api key
+process.env.LLM_API_KEY = 'test-api-key';
+
 const request = require('supertest');
 const axios = require('axios');
 const app = require('./llm-service'); 
@@ -22,7 +25,7 @@ describe('LLM Service', () => {
   it('the llm should reply', async () => {
     const response = await request(app)
       .post('/ask')
-      .send({ question: 'a question', apiKey: 'apiKey', model: 'gemini' });
+      .send({ question: 'a question', model: 'gemini' });
 
     expect(response.statusCode).toBe(200);
     expect(response.body.answer).toBe('llmanswer');

diff --git a/llmservice/package-lock.json b/llmservice/package-lock.json
diff --git a/llmservice/package.json b/llmservice/package.json
@@ -9,12 +9,13 @@
   "license": "ISC",
   "description": "",
   "homepage": "https://github.com/arquisoft/wichat_0#readme",
-    "dependencies": {
-        "axios": "^1.7.9",
-        "express": "^4.21.2"
-    },
-    "devDependencies": {
-        "jest": "^29.7.0",
-        "supertest": "^7.0.0"
-    }
+  "dependencies": {
+    "axios": "^1.7.9",
+    "dotenv": "^16.4.7",
+    "express": "^4.21.2"
+  },
+  "devDependencies": {
+    "jest": "^29.7.0",
+    "supertest": "^7.0.0"
+  }
 }
diff --git a/webapp/Dockerfile b/webapp/Dockerfile
@@ -7,9 +7,7 @@ WORKDIR /app
 RUN npm install --omit=dev
 
 ARG API_URI="http://localhost:8000"
-ARG LLM_API_KEY
 ENV REACT_APP_API_ENDPOINT=$API_URI
-ENV REACT_APP_LLM_API_KEY=$LLM_API_KEY
 
 #Create an optimized version of the webapp
 RUN npm run build

diff --git a/webapp/src/components/Login.js b/webapp/src/components/Login.js
@@ -14,22 +14,16 @@ const Login = () => {
   const [openSnackbar, setOpenSnackbar] = useState(false);
 
   const apiEndpoint = process.env.REACT_APP_API_ENDPOINT || 'http://localhost:8000';
-  const apiKey = process.env.REACT_APP_LLM_API_KEY || 'None';
+
 
   const loginUser = async () => {
     try {
       const response = await axios.post(`${apiEndpoint}/login`, { username, password });
 
       const question = "Please, generate a greeting message for a student called " + username + " that is a student of the Software Architecture course in the University of Oviedo. Be nice and polite. Two to three sentences max.";
       const model = "empathy"
-
-      if (apiKey==='None'){
-        setMessage("LLM API key is not set. Cannot contact the LLM.");
-      }
-      else{
-        const message = await axios.post(`${apiEndpoint}/askllm`, { question, model, apiKey })
-        setMessage(message.data.answer);
-      }
+      const message = await axios.post(`${apiEndpoint}/askllm`, { question, model })
+      setMessage(message.data.answer);
       // Extract data from the response
       const { createdAt: userCreatedAt } = response.data;