fix(llm): 🔐 fixed llm key leak

commit a979665
Merge: e60b874 85f9a59
Author: Pablo González <[email protected]>
Date:   Mon Feb 24 12:55:06 2025 +0100

    Merge pull request #45 from Arquisoft/fix_llmkey_exposure_v2

    Fix llmkey exposure v2

commit 85f9a59
Author: pglez82 <[email protected]>
Date:   Mon Feb 24 12:28:16 2025 +0100

    updating docker compose

commit 70ae7ed
Author: pglez82 <[email protected]>
Date:   Mon Feb 24 11:09:36 2025 +0100

    modifying readme

commit e5dd604
Author: pglez82 <[email protected]>
Date:   Mon Feb 24 11:01:33 2025 +0100

    removing api key from docker image

commit e60b874
Author: pglez82 <[email protected]>
Date:   Thu Feb 20 11:05:29 2025 +0100

    checking change

commit 294aaa3
Merge: 25a54d1 b9e7e1b
Author: Pablo González <[email protected]>
Date:   Thu Feb 20 11:04:55 2025 +0100

    Merge pull request #30 from Arquisoft/fix_llmkey_exposure

    Fix llmkey exposure

commit b9e7e1b
Author: pglez82 <[email protected]>
Date:   Mon Feb 17 23:37:11 2025 +0100

    modify readme

commit d527833
Author: pglez82 <[email protected]>
Date:   Mon Feb 17 22:59:20 2025 +0100

    fixing tests

commit 7f08852
Author: pglez82 <[email protected]>
Date:   Mon Feb 17 22:43:47 2025 +0100

    fixing api key exposure

commit 25a54d1
Author: Pablo González <[email protected]>
Date:   Mon Feb 17 19:46:15 2025 +0100

    Update Dockerfile

commit 16d7927
Author: Pablo González <[email protected]>
Date:   Mon Feb 17 19:12:41 2025 +0100

    Update Dockerfile

commit 03f29ba
Author: Pablo González <[email protected]>
Date:   Mon Feb 17 19:09:04 2025 +0100

    Update Dockerfile

commit df799ec
Author: pglez82 <[email protected]>
Date:   Fri Feb 7 12:44:19 2025 +0100

    add code to deploy

commit 54babf4
Author: pglez82 <[email protected]>
Date:   Fri Feb 7 12:31:03 2025 +0100

    updating api endpoint

Signed-off-by: Diego <[email protected]>

.github/workflows/release.yml

@@ -8,39 +8,39 @@ jobs:
   unit-tests:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-node@v4
-      with:
-        node-version: 22
-    - run: npm --prefix users/authservice ci
-    - run: npm --prefix users/userservice ci
-    - run: npm --prefix llmservice ci
-    - run: npm --prefix gatewayservice ci
-    - run: npm --prefix webapp ci
-    - run: npm --prefix users/authservice test -- --coverage
-    - run: npm --prefix users/userservice test -- --coverage
-    - run: npm --prefix llmservice test -- --coverage
-    - run: npm --prefix gatewayservice test -- --coverage
-    - run: npm --prefix webapp test -- --coverage
-    - name: Analyze with SonarCloud
-      uses: SonarSource/sonarqube-scan-action@master
-      env:
-        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+      - run: npm --prefix users/authservice ci
+      - run: npm --prefix users/userservice ci
+      - run: npm --prefix llmservice ci
+      - run: npm --prefix gatewayservice ci
+      - run: npm --prefix webapp ci
+      - run: npm --prefix users/authservice test -- --coverage
+      - run: npm --prefix users/userservice test -- --coverage
+      - run: npm --prefix llmservice test -- --coverage
+      - run: npm --prefix gatewayservice test -- --coverage
+      - run: npm --prefix webapp test -- --coverage
+      - name: Analyze with SonarCloud
+        uses: SonarSource/sonarqube-scan-action@master
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
   e2e-tests:
     needs: [unit-tests]
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-node@v4
-      with:
-        node-version: 22
-    - run: npm --prefix users/authservice install
-    - run: npm --prefix users/userservice install
-    - run: npm --prefix llmservice install
-    - run: npm --prefix gatewayservice install
-    - run: npm --prefix webapp install
-    - run: npm --prefix webapp run build
-    - run: npm --prefix webapp run test:e2e
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+      - run: npm --prefix users/authservice install
+      - run: npm --prefix users/userservice install
+      - run: npm --prefix llmservice install
+      - run: npm --prefix gatewayservice install
+      - run: npm --prefix webapp install
+      - run: npm --prefix webapp run build
+      - run: npm --prefix webapp run test:e2e
   docker-push-webapp:
     name: Push webapp Docker Image to GitHub Packages
     runs-on: ubuntu-latest
@@ -49,19 +49,18 @@ jobs:
       packages: write
     needs: [e2e-tests]
     steps:
-    - uses: actions/checkout@v4
-    - name: Publish to Registry
-      uses: elgohr/Publish-Docker-Github-Action@v5
-      env:
-        API_URI: http://${{ secrets.DEPLOY_HOST }}:8000
-        LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
-      with:
+      - uses: actions/checkout@v4
+      - name: Publish to Registry
+        uses: elgohr/Publish-Docker-Github-Action@v5
+        env:
+          API_URI: http://${{ secrets.DEPLOY_HOST }}:8000
+        with:
           name: arquisoft/wichat_en1c/webapp
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
           registry: ghcr.io
           workdir: webapp
-          buildargs: API_URI,LLM_API_KEY
+          buildargs: API_URI
   docker-push-authservice:
     name: Push auth service Docker Image to GitHub Packages
     runs-on: ubuntu-latest
@@ -70,19 +69,19 @@ jobs:
       packages: write
     needs: [e2e-tests]
     steps:
-    - uses: actions/checkout@v4
-    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v2
-    - name: Publish to Registry
-      uses: elgohr/Publish-Docker-Github-Action@v5
-      with:
+      - uses: actions/checkout@v4
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Publish to Registry
+        uses: elgohr/Publish-Docker-Github-Action@v5
+        with:
           name: arquisoft/wichat_en1c/authservice
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
           registry: ghcr.io
           workdir: users/authservice
           platforms: linux/amd64,linux/arm64
-          
+
   docker-push-userservice:
     name: Push user service Docker Image to GitHub Packages
     runs-on: ubuntu-latest
@@ -91,15 +90,15 @@ jobs:
       packages: write
     needs: [e2e-tests]
     steps:
-    - uses: actions/checkout@v4
-    - name: Publish to Registry
-      uses: elgohr/Publish-Docker-Github-Action@v5
-      with:
-        name: arquisoft/wichat_en1c/userservice
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
-        registry: ghcr.io
-        workdir: users/userservice
+      - uses: actions/checkout@v4
+      - name: Publish to Registry
+        uses: elgohr/Publish-Docker-Github-Action@v5
+        with:
+          name: arquisoft/wichat_en1c/userservice
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ghcr.io
+          workdir: users/userservice
 
   docker-push-llmservice:
     name: Push llm service Docker Image to GitHub Packages
@@ -109,15 +108,15 @@ jobs:
       packages: write
     needs: [e2e-tests]
     steps:
-    - uses: actions/checkout@v4
-    - name: Publish to Registry
-      uses: elgohr/Publish-Docker-Github-Action@v5
-      with:
-        name: arquisoft/wichat_en1c/llmservice
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
-        registry: ghcr.io
-        workdir: llmservice
+      - uses: actions/checkout@v4
+      - name: Publish to Registry
+        uses: elgohr/Publish-Docker-Github-Action@v5
+        with:
+          name: arquisoft/wichat_en1c/llmservice
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ghcr.io
+          workdir: llmservice
 
   docker-push-gatewayservice:
     name: Push gateway service Docker Image to GitHub Packages
@@ -127,31 +126,38 @@ jobs:
       packages: write
     needs: [e2e-tests]
     steps:
-    - uses: actions/checkout@v4
-    - name: Update OpenAPI configuration
-      run: |
-        DEPLOY_HOST=${{ secrets.DEPLOY_HOST }}
-        sed -i "s/SOMEIP/${DEPLOY_HOST}/g" gatewayservice/openapi.yaml
-    - name: Publish to Registry
-      uses: elgohr/Publish-Docker-Github-Action@v5
-      with:
-        name: arquisoft/wichat_en1c/gatewayservice
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
-        registry: ghcr.io
-        workdir: gatewayservice
+      - uses: actions/checkout@v4
+      - name: Update OpenAPI configuration
+        run: |
+          DEPLOY_HOST=${{ secrets.DEPLOY_HOST }}
+          sed -i "s/SOMEIP/${DEPLOY_HOST}/g" gatewayservice/openapi.yaml
+      - name: Publish to Registry
+        uses: elgohr/Publish-Docker-Github-Action@v5
+        with:
+          name: arquisoft/wichat_en1c/gatewayservice
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ghcr.io
+          workdir: gatewayservice
   deploy:
     name: Deploy over SSH
     runs-on: ubuntu-latest
-    needs: [docker-push-userservice,docker-push-authservice,docker-push-llmservice,docker-push-gatewayservice,docker-push-webapp]
+    needs:
+      [
+        docker-push-userservice,
+        docker-push-authservice,
+        docker-push-llmservice,
+        docker-push-gatewayservice,
+        docker-push-webapp,
+      ]
     steps:
-    - name: Deploy over SSH
-      uses: fifsky/ssh-action@master
-      with:
-        host: ${{ secrets.DEPLOY_HOST }}
-        user: ${{ secrets.DEPLOY_USER }}
-        key: ${{ secrets.DEPLOY_KEY }}
-        command: |
-          wget https://raw.githubusercontent.com/arquisoft/wichat_en1c/master/docker-compose.yml -O docker-compose.yml
-          docker compose --profile prod down
-          docker compose --profile prod up -d --pull always
+      - name: Deploy over SSH
+        uses: fifsky/ssh-action@master
+        with:
+          host: ${{ secrets.DEPLOY_HOST }}
+          user: ${{ secrets.DEPLOY_USER }}
+          key: ${{ secrets.DEPLOY_KEY }}
+          command: |
+            wget https://raw.githubusercontent.com/arquisoft/wichat_en1c/master/docker-compose.yml -O docker-compose.yml
+            docker compose --profile prod down
+            docker compose --profile prod up -d --pull always

.vscode/settings.json

@@ -0,0 +1,3 @@
+{
+    "postman.settings.dotenv-detection-notification-visibility": false
+}

README.md

@@ -37,9 +37,9 @@ First, clone the project:
 In order to communicate with the LLM integrated in this project, we need to setup an API key. Two integrations are available in this propotipe: gemini and empaphy. The API key provided must match the LLM provider used.
 
 We need to create two .env files. 
-- The first one in the webapp directory (for executing the webapp using ```npm start```). The content of this .env file should be as follows:
+- The first one in the llmservice directory (for executing the llmservice using ```npm start```). The content of this .env file should be as follows:
 ```
-REACT_APP_LLM_API_KEY="YOUR-API-KEY"
+LLM_API_KEY="YOUR-API-KEY"
 ```
 - The second one located in the root of the project (along the docker-compose.yml). This .env file is used for the docker-compose when launching the app with docker. The content of this .env file should be as follows:
 ```
@@ -48,8 +48,7 @@ LLM_API_KEY="YOUR-API-KEY"
 
 Note that these files must NOT be uploaded to the github repository (they are excluded in the .gitignore).
 
-An extra configuration for the LLM to work in the deployed version of the app is to include it as a repository secret (LLM_API_KEY). This secret will be used by GitHub Action when building and deploying the application.
-
+An extra configuration for the LLM to work in the deployed version of the app is to create the same .env file (with the LLM_API_KEY variable) in the virtual machine (in the home of the azureuser directory).
 
 ### Launching Using docker
 For launching the propotipe using docker compose, just type:

docker-compose.yml

@@ -42,7 +42,10 @@ services:
     container_name: llmservice-wichat_en1c
     image: ghcr.io/arquisoft/wichat_en1c/llmservice:latest
     profiles: ["dev", "prod"]
-    build: ./llmservice
+    env_file:
+      - .env
+    build: 
+      context: ./llmservice
     ports:
       - "8003:8003"
     networks:
@@ -71,10 +74,7 @@ services:
     container_name: webapp-wichat_en1c
     image: ghcr.io/arquisoft/wichat_en1c/webapp:latest
     profiles: ["dev", "prod"]
-    build: 
-      context: ./webapp
-      args:
-        LLM_API_KEY: ${LLM_API_KEY}
+    build: ./webapp
     depends_on:
       - gatewayservice
     ports:

llmservice/.dockerignore

@@ -1,2 +1,3 @@
 node_modules
-coverage
+coverage
+.env

llmservice/llm-service.js

@@ -6,6 +6,8 @@ const port = 8003;
 
 // Middleware to parse JSON in request body
 app.use(express.json());
+// Load enviornment variables
+require('dotenv').config();
 
 // Define configurations for different LLM APIs
 const llmConfigs = {
@@ -19,7 +21,7 @@ const llmConfigs = {
   empathy: {
     url: () => 'https://empathyai.prod.empathy.co/v1/chat/completions',
     transformRequest: (question) => ({
-      model: "qwen/Qwen2.5-Coder-7B-Instruct",
+      model: "mistralai/Mistral-7B-Instruct-v0.3",
       messages: [
         { role: "system", content: "You are a helpful assistant." },
         { role: "user", content: question }
@@ -71,9 +73,14 @@ async function sendQuestionToLLM(question, apiKey, model = 'gemini') {
 app.post('/ask', async (req, res) => {
   try {
     // Check if required fields are present in the request body
-    validateRequiredFields(req, ['question', 'model', 'apiKey']);
+    validateRequiredFields(req, ['question', 'model']);
 
-    const { question, model, apiKey } = req.body;
+    const { question, model } = req.body;
+    //load the api key from an environment variable
+    const apiKey = process.env.LLM_API_KEY;
+    if (!apiKey) {
+      return res.status(400).json({ error: 'API key is missing.' });
+    }
     const answer = await sendQuestionToLLM(question, apiKey, model);
     res.json({ answer });
 

llmservice/llm-service.test.js

@@ -1,3 +1,6 @@
+//set a fake api key
+process.env.LLM_API_KEY = 'test-api-key';
+
 const request = require('supertest');
 const axios = require('axios');
 const app = require('./llm-service'); 
@@ -22,7 +25,7 @@ describe('LLM Service', () => {
   it('the llm should reply', async () => {
     const response = await request(app)
       .post('/ask')
-      .send({ question: 'a question', apiKey: 'apiKey', model: 'gemini' });
+      .send({ question: 'a question', model: 'gemini' });
 
     expect(response.statusCode).toBe(200);
     expect(response.body.answer).toBe('llmanswer');

llmservice/package.json

@@ -9,12 +9,13 @@
   "license": "ISC",
   "description": "",
   "homepage": "https://github.com/arquisoft/wichat_en1c#readme",
-    "dependencies": {
-        "axios": "^1.7.9",
-        "express": "^4.21.2"
-    },
-    "devDependencies": {
-        "jest": "^29.7.0",
-        "supertest": "^7.0.0"
-    }
+  "dependencies": {
+    "axios": "^1.7.9",
+    "dotenv": "^16.4.7",
+    "express": "^4.21.2"
+  },
+  "devDependencies": {
+    "jest": "^29.7.0",
+    "supertest": "^7.0.0"
+  }
 }