Should there be any concern that the API key to use ChatGPT is stored openly in the database table without encryption? I was having trouble deleting mine so just went into the database table to remove it. That seemed a bit too easy.
Encrypting it would not help much because it would need to be decrypted client side in any case for OpenAI API calls. Open to suggestions here. My thinking is that if an attacker gains access to your DB, then this opens up so many attack vectors that the battle is already lost, no matter what additional protections are there. For example, it would be trivial to implant malicious JS code that would intercept OpenAI API calls and get the clear text key there.
I’m speaking out of my lane here but I think SureCart does something special to make sure the Stripe payment API is impossible to access, however, as they host their shopping cart they have that ability. If I recall there was some issue with the Stripe API being accessible in the Fluent Forms tables and some user being liable for the charges when the API key was copied. I know it’s a different service but it’s a WordPress security issue overall.
For now I would only be comfortable to use the API key on Pinegrow Desktop but I’d keep it off the WordPress plugin.
One alternative is storing the key in local browser storage. Drawback is that you have to enter it in every browser where the function is used.
I would be ok with that since this would be trivial for a password manager. Having my credit card attached to the open API calls (without an option to cap the cost) was my main concern.