In the summer of 2024, I was contracted by a client to create a GPT-powered chatbot that was tailored and customizable. There were a few requirements: it must be intelligent; it must be customizable for the client; it must be fast; it must be secure; and it must be accessible for customers without authentication but accessible for administrators through authentication. My first task was to develop the backend. I created the backend in Python by utilizing FastAPI to develop a REST API for all functions which the secure server would need to handle (for the most part, simply the generation itself).
In order to meet the project requirements, I created a customization Python class that contained all of the necessary parameters for control over the chatbot (instructions, temperature, model, etc.). This lets the client directly control their chatbot interface, add and remove models, and push updates. Next, I moved on to the frontend. I created the frontend in React, where I handled all of the interfacing (including the storing of conversations).
For the client, privacy and security were a priority, and as such, their chatbot application needed to store zero user information. As such, the conversations are stored, handled, and managed on the frontend, and sent in the REST requests to the backend ONLY to generate a response. This stack allowed for secure generation of responses that were private to the user and their session. A simple reload of the conversation would erase the history forever, a requirement for this project.
The final client requirement for this project was testing and authentication. The client planned on embedding the app into a platform that they did not fully control. This platform would handle user authentication. They wanted traffic to be permitted only for authenticated users (members of their team) and requests that came through their learning platform. As such, I made the app password protected (in a manner that can be easily shut down or rotated) for their team, but I needed to implement a security bypass for traffic from the learning platform. The initial thought was to do an HTTP-referer check to see if traffic was coming from their platform. The issue, though, is that a referer check alone would not be enough for security, as referer can be spoofed, and users with privacy extensions may block the header. Although I cannot disclose the exact security measures to remain secure, I implemented a multi-step security process that hinges on JWT tokens for authentication.
The client now has a fully functioning chatbot that they can customize to their heart's desire, which they have already begun to roll out to customers.
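The Referer-versus-token point above, as an added example that is not the project's actual (undisclosed) implementation: a Referer-only gate next to a check of a short-lived HS256-signed JWT, written with the standard library only. The origin, secret, audience value and function names are assumptions made for illustration, as is the flow in which the embedding platform's server mints the token.

```python
import base64, hashlib, hmac, json, time

PLATFORM_ORIGIN = "https://learning.example"   # constructed placeholder origin
SECRET = b"constructed-demo-secret"            # constructed; assumed shared with the platform
AUDIENCE = "chatbot-api"                       # hypothetical audience claim value

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def referer_only(headers):
    """Weak gate: trusts a header that the client sets and can also omit."""
    return headers.get("Referer", "").startswith(PLATFORM_ORIGIN + "/")

def mint(claims, key=SECRET, alg="HS256"):
    """Token as the platform's server would issue it (assumed flow)."""
    head = b64u(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(sig)}"

def verify(token, now=None):
    """Accept only a correctly signed, unexpired token for this audience."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        if json.loads(b64u_dec(head)).get("alg") != "HS256":
            return False                       # pin the algorithm, reject "none"
        good = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(good, b64u_dec(sig)):
            return False                       # signature mismatch
        claims = json.loads(b64u_dec(body))
        return claims.get("aud") == AUDIENCE and float(claims["exp"]) > now
    except (ValueError, KeyError, TypeError, AttributeError):
        return False                           # malformed token

if __name__ == "__main__":
    claims = {"aud": AUDIENCE, "exp": time.time() + 300}
    # A header typed by hand passes the Referer gate; a stripped one fails it.
    print(referer_only({"Referer": PLATFORM_ORIGIN + "/course/1"}))  # True
    print(referer_only({}))                                          # False
    print(verify(mint(claims)))                                      # True
    print(verify(mint(claims, key=b"attacker-guess")))               # False
```

The Referer gate gives the same answer for a real embed and a hand-written header, and rejects a real user whose browser strips the header; the token check depends only on a secret the browser never sees.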