HackerTrans
TopNewTrendsCommentsPastAskShowJobs

_mme

no profile record

Submissions

Ceiling is being raised: analyzing my typescript code that became a meme

ai88.substack.com
17 points·by _mme·há 2 anos·2 comments

Show HN: Beak.js – Custom conversational assistants for your React app

github.com
36 points·by _mme·há 3 anos·23 comments

Ask HN: Experiences with Flashcards and Learning?

2 points·by _mme·há 3 anos·0 comments

Ask HN: Best Practices for storing customer secrets?

6 points·by _mme·há 3 anos·14 comments

[untitled]

1 points·by _mme·há 3 anos·0 comments

comments

_mme
·há 3 anos·discuss
Nice project! I made Beak.js which has a similar way to connect a language model to the UI via React hooks: https://github.com/mme/beakjs
_mme
·há 3 anos·discuss
Agree!

For now, I added instructions how to run the demo.

https://github.com/mme/beakjs#run-the-demo
_mme
·há 3 anos·discuss
Exactly, that's the idea - having a backend part of the library that proxies the communication with OpenAI, keeping the API key secret.
_mme
·há 3 anos·discuss
Thank you!

This should be already possible, but it will give you a compiler error if you use Typescript. I will add support in the next version.
_mme
·há 3 anos·discuss
You don't! As mentioned in the README:

"Note: Don't expose your API key in public-facing apps. We will be adding a solution for securely using your API key soon."

I have ideas how to implement this, but I would like to get some feedback first.
_mme
·há 3 anos·discuss
Cool!

I made something similar a while ago, desktop only:

https://songmine.io/
_mme
·há 3 anos·discuss
I have to be annoying, but - if you have a token that is only valid for X seconds - you still need a token to renew the expiring token.

I have the feeling that damage control is the only option:

1) Secrets store is on different credentials

2) Decryption key is only known outside of secrets storage

3) There is a maximum number of different credentials that can be queried per day (adjustable over time)
_mme
·há 3 anos·discuss
Thank you, very useful!
_mme
·há 3 anos·discuss
> this is table stakes level security; realistically if your DB is compromised, your encryption key probably is too, because they probably got in through your application which holds the key in memory. this just prevents "oops I accidentally copied the DB somewhere and it leaked".

Good point. If the attacker gains access to e.g. a web service that needs to access the stored secrets, they will have encryption keys and DB access.

> if you have, or when you get to the point that you have, a competent ops org, just use HashiCorp Vault.

I watched a video about Vault, but I don't see how it would help. Attacker gains access to the web service which can access Vault -> Attacker downloads all API keys from Vault. Or is there something I'm missing?
_mme
·há 3 anos·discuss
Thanks, but this is about password hashing. I would like to know about storing third party customer secrets, like API keys, in the most secure way possible.

Nice website though.