
Using HTTP request in workflow, Authorization API Key is displayed in plain text on the user side, which is unacceptable #4083

Closed
4 tasks done
xiaoxuan220 opened this issue May 4, 2024 · 2 comments · Fixed by #4146
Labels
🐞 bug Something isn't working

Comments

@xiaoxuan220

Self Checks

  • This is only for bug reports; if you would like to ask a question, please head to Discussions.
  • I have searched for existing issues, including closed ones.
  • I confirm that I am using English to submit this report (I have read and agree to the Language Policy).
  • Please do not modify this template :) and fill in all the required fields.

Dify version

0.6.5

Cloud or Self Hosted

Self Hosted (Docker)

Steps to reproduce

When building a workflow, if the Authorization API Key in HTTP is called, it will be displayed in plain text on the user side, which I think is unsafe.
(screenshot: issue)

✔️ Expected Behavior

Encrypt or do not display this option

❌ Actual Behavior

(screenshot: issue)

@dosubot dosubot bot added the 🐞 bug Something isn't working label May 4, 2024

dosubot bot commented May 4, 2024

To address the issue of the Authorization API Key being displayed in plain text when using HTTP requests in workflows, it's crucial to ensure that API keys are handled securely. For a self-hosted Dify setup, the recommended approach is to manage API keys through the backend rather than exposing them directly in the frontend or within HTTP requests. This method not only enhances security but also aligns with best practices for API key management.

In the specific context of Dify version 0.6.5, consider implementing encryption or secure handling mechanisms for the Authorization API Key. This could involve modifying the way API keys are stored and used within the web/app/components/workflow/nodes/http/components/authorization/index.tsx file. Techniques such as encrypting the API Key before storing it, using secure storage solutions, masking input fields, and moving validation logic to the server side are effective strategies. Additionally, replacing static API keys with token-based authentication mechanisms like OAuth2 can further secure your application.

Dify's existing security measures, including the use of HMAC with SHA1 for creating secure signatures, demonstrate the platform's capability for secure API key handling. By applying similar encryption methods and secure handling practices, you can prevent the Authorization API Key from being displayed in plain text, thereby enhancing the overall security of your workflows.

If you require further assistance or have additional questions, feel free to reach out.

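The pattern the bot comment sketches (keep the key on the backend, show the editor only a masked value, substitute the real value when the HTTP node actually runs), as an added example that is not Dify's code and is not taken from the fix in #4146. `SecretStore`, `HttpNodeAuth`, `MASK_SENTINEL`, the helper names and the sample key are assumptions for illustration; the in-memory store stands in for whatever encrypted-at-rest storage a real deployment uses.

```python
"""Added example (not Dify's code): keep an HTTP node's API key on the server,
hand the browser only a masked preview, and resolve the key only when the
request is sent. SecretStore, HttpNodeAuth and MASK_SENTINEL are illustrative
names, not Dify APIs."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Value the client echoes back for an untouched secret field; the server must
# treat it as "keep what you have", never store it as the new key.
MASK_SENTINEL = "[__HIDDEN__]"


def mask_secret(value: str, keep: int = 4) -> str:
    """Display form of a secret: a fixed run of asterisks plus the last `keep` chars."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * 8 + value[-keep:]


@dataclass
class SecretStore:
    """Server-side map from opaque reference to plaintext. Assumed in-memory here;
    a real deployment encrypts this at rest (KMS, libsodium, Fernet, ...)."""
    _values: Dict[str, str] = field(default_factory=dict)

    def put(self, value: str) -> str:
        ref = "secret:" + secrets.token_hex(8)  # unguessable, carries no key material
        self._values[ref] = value
        return ref

    def get(self, ref: str) -> str:
        if ref not in self._values:
            raise KeyError(f"unknown secret reference {ref!r}")
        return self._values[ref]


@dataclass
class HttpNodeAuth:
    """Persisted node config: header name, scheme and a reference, never the key."""
    header: str = "Authorization"
    scheme: str = "Bearer"
    secret_ref: Optional[str] = None


def save_node_auth(store: SecretStore, existing: Optional[HttpNodeAuth],
                   payload: Dict[str, str]) -> HttpNodeAuth:
    """Apply a save from the editor. A new plaintext is moved into the store and
    replaced by its reference; the masked sentinel (or empty) keeps the old one."""
    api_key = payload.get("api_key", "")
    header = payload.get("header", "Authorization")
    scheme = payload.get("scheme", "Bearer")
    if api_key in ("", MASK_SENTINEL):
        if existing is None or existing.secret_ref is None:
            raise ValueError("no API key configured for this node")
        return HttpNodeAuth(header=header, scheme=scheme, secret_ref=existing.secret_ref)
    return HttpNodeAuth(header=header, scheme=scheme, secret_ref=store.put(api_key))


def node_auth_for_client(store: SecretStore, node: HttpNodeAuth) -> Dict[str, str]:
    """What the workflow editor receives: the sentinel in the input field and a
    masked preview beside it. Plaintext and reference both stay on the server."""
    if node.secret_ref is None:
        return {"header": node.header, "scheme": node.scheme,
                "api_key": "", "api_key_preview": ""}
    return {"header": node.header, "scheme": node.scheme,
            "api_key": MASK_SENTINEL,
            "api_key_preview": mask_secret(store.get(node.secret_ref))}


def build_request_headers(store: SecretStore, node: HttpNodeAuth) -> Dict[str, str]:
    """Resolve the reference only when the server is about to send the request."""
    if node.secret_ref is None:
        raise ValueError("node has no API key")
    value = store.get(node.secret_ref)
    return {node.header: f"{node.scheme} {value}" if node.scheme else value}


def headers_for_log(headers: Dict[str, str], node: HttpNodeAuth) -> Dict[str, str]:
    """Run details and execution logs are shown to users too: mask the auth header there."""
    out = dict(headers)
    if node.header in out:
        out[node.header] = mask_secret(out[node.header])
    return out


if __name__ == "__main__":
    store = SecretStore()
    node = save_node_auth(store, None, {"api_key": "sk-live-1234abcd"})  # constructed sample key
    print(node_auth_for_client(store, node))
    print(headers_for_log(build_request_headers(store, node), node))
```

The two points a frontend-only mask would miss are both handled server-side here: the editor is never given the plaintext to mask in the first place, and a save that echoes the sentinel back keeps the stored key instead of overwriting it with the placeholder. Masking the header before it reaches run logs closes the second place users can read the key.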

@perzeuss
Contributor

perzeuss commented May 6, 2024

@takatost @crazywoola

3 participants