API Security

The actual AI logic is placed in API endpoints under /api/chat-gpt/functions/<endpoint>. To enforce API security, a token is issued on each SSR render through the app:rendered hook, derived from the tokenSecret in runtimeConfig. These tokens are issued with 2h validity, meaning that after 2 hours at most the page needs to be refreshed to get a new token.

The app:rendered hook only runs on the server, so the secret is never exposed to the client. The generated token is then exposed through the public Nuxt config and added to every request from the client. A server middleware validates the token and rejects the request with a 403 if the token is invalid or expired.

The idea is that the token is only ever delivered alongside a page request. Therefore: no page visit, no token. This way the API cannot be used outside the app. Of course someone could visit your page, open the network tab and copy that token from the Authorization header, but since the token is only ever valid for 2 hours, there is no feasible way for an impersonator to continuously use the API apart from your app.

Disabling

This behaviour can be disabled in nuxt.config via the protectAPI property if you want to implement your own security strategy. See how to disable