How we can be sure that no one else can benefit from the azure function which integrate with Chat GPT using API key

Question

I want to install the SPfx for chat GPT from this link @ https://github.com/pnp/sp-dev-fx-webparts/tree/main/samples/react-chatgpt-app

The steps requires creating and Azure Function which will store the API key are:-

OpenAI-Azure-functions

Deploy

To deploy you can use the Azure Extensions for VSCODE , go to "WORKSPACE" and on top Options select Deploy.

Secure Azure Function App

The Azure Fucntion is secured by Authentication after deployed go to Azure and select Function App and select the Azure Function App created "OpenAIFunctionsApp"

configure authentication

Select Authentications and you have option to create a new Azure App or select a one already created.

in this sample , create a new one.

After go to CORS and add your SharePoint address.

Application Settings

The function needs to have the followed environment vars defined:

So at the end we will have an azure function which stores our secure API key. so how we can be sure that no external user can use/benefit from our azure function to create an own SPFx which call out azure function ?

Thanks

Answer 1

Hello john john

To prevent external users from using your Azure Function you have several options to consider and implement:

• authentication and authorization for your function app. This way, only authorized users can access the function app and use the secure API key. Azure Active Directory, OAuth 2.0, or other identity providers.
• Azure Function to only allow requests from specific IP addresses or require a valid token to be included in each request also IP address filtering, and other security measures to protect your Azure Function from abuse.
• Function Access Keys
  Key Comparison - https://learn.microsoft.com/en-us/azure/azure-functions/security-concepts?tabs=v4#keys-comparison
• Authorization scopes (function-level)
  Function: These keys apply only to the specific functions under which they're defined. When used as an API key, these only allow access to that function.
  Host: Keys with a host scope can be used to access all functions within the function app. When used as an API key, these allow access to any function within the function app.
• Use Azure API Management (APIM) to authenticate requests

Overall, implementing a comprehensive security strategy for your Azure Function app is essential to protect your data and prevent unauthorized access.