Add Announcing async-openai-wasm #5402
Conversation
|
Hi, I recommend reversing this merge. This crate will inevitably cost people a lot of money as it does not have any method of keeping your OpenAI API key secret (and it can never do so, as it runs exclusively clientside). Any bad actor with basic DevTools knowledge can take just take the key and use it to rack up massive bills. I also suggest adding a large disclaimer to the github repo and the crate description, so people are aware of this. |
|
@holly-hacker I think this is beyond what this crate should cover. How key secrets are stored is not the concern of this crate. Just like the official |
|
Regardless of how you think you can secure API keys clientside, it'd be irresponsible to not at least leave a disclaimer to inform people that API keys and other secrets cannot be securely stored clientside (be it in code, LocalStorage, or otherwise). Doing these API calls clientside is generally a terrible idea security-wise and should only be done if you have a very good reason, sufficient understanding of the risks involved and a solid plan on how to mitigate them. |
|
@holly-hacker Yeah, a disclaimer would be nice. But in the end, it's the responsibility of the developer who uses this crate to secure end users' valuable secrets. This crate conceptually is just a thin wrapper of You can help draft a disclaimer or best practice in the repo if you want. |
Hi this-week-in-rust,
I recently released a crate
async-openai-wasmand wrote a blog that announces it and how I make it work on WASM. I'd like it to be included in this week's release. The blog has both CN and EN versions.