Securing the AI Chatbot

Securing your data is vital when using the Squid Client to create profiles and enable chatting. The AI chatbot's profiles and the chats conducted with them can contain sensitive information, so it's crucial to restrict access and updates to prevent unauthorized usage or modification.

Unless an AI chatbot profile has been set to public, access will be restricted by default and won't work without explicit rules that set access permissions. (Feel free to try it!)

Squid provides a @secureAiChatbot decorator that you can use to set security rules. These rules prevent unauthorized users from updating profiles or conducting unauthorized chats, protecting the integrity of your data.

Tip: Before trying to secure the chatbot, make sure the public setting of the profile you want to secure is toggled to OFF and that you've set up your backend, as this is required to set security rules for your AI chatbot.

Securing chats

Securing the ability to chat can be done easily through the @secureAiChatbot decorator. If you want to open up chat for all users, simply add the following to your backend:

import { secureAiChatbot, SquidService } from '@squidcloud/backend';

export class ExampleService extends SquidService {
  // Replace integration-id with your AI chatbot integration ID.
  // Returning true opens chat to every caller, including unauthenticated ones.
  @secureAiChatbot('integration-id', 'chat')
  allowChat(): boolean {
    return true;
  }
}

Similar to other integration types, this can easily be restricted to just authenticated users, or any other kind of condition.

  // Only authenticated users may chat; everyone else is denied.
  @secureAiChatbot('integration-id', 'chat')
  allowChat(): boolean {
    return this.isAuthenticated();
  }

Additionally, if you want to secure a specific profile, add the profileId as a third argument after the integration ID. The rule below applies only to the profile with ID 'pirate':

  @secureAiChatbot('integration-id', 'chat', 'pirate')

Securing profiles

In most cases you'll want to prevent users from managing profiles on the client, and instead do all profile management (creating the profile, its instructions and its context) through your backend (which bypasses security rules) or the Squid Cloud Console. To block all profile mutations from the client, add the following to your backend:

  // Deny every profile mutation originating from the Squid Client.
  @secureAiChatbot('integration-id', 'mutate')
  allowMutations(): boolean {
    return false;
  }

Additionally, if you want to secure a specific profile, add the profileId to the decorator so the rule applies only to that profile:

  @secureAiChatbot('integration-id', 'mutate', 'pirate')

However, there may be cases where you want to allow profile management from the Squid Client. One possible case is dynamically building a profile for each user, where each profile's ID is the owning user's ID. In that case, you could do something like this:

  @secureAiChatbot('integration-id', 'mutate')
  async allowMutations(context: AiChatbotMutationContext): Promise<boolean> {
    const userId = this.getUserAuth()?.userId;
    // Fail closed: an unauthenticated caller has no userId and must not
    // be able to match a profile (undefined would otherwise compare equal
    // to a missing profileId).
    if (!userId) return false;
    // Bind the profile to its owner: users may only touch their own profile.
    if (context.profileId !== userId) return false;

    if (context.resource === 'instruction') {
      // Do not let users modify instructions.
      return false;
    } else if (context.resource === 'context') {
      // Allow users to insert context, but not update or delete it.
      return context.type === 'insert';
    } else if (context.resource === 'profile') {
      // Allow users to insert a profile, since we've verified the profileId matches the userId.
      return context.type === 'insert';
    }
    // Any resource not explicitly handled is denied.
    return false;
  }
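The per-user mutation rule above is easy to get subtly wrong (for example, letting an unauthenticated caller through when both the userId and the profileId are missing). The following is an added example, not Squid's code, that extracts that decision into a pure function so it can be unit-tested without a running backend. The MutationContext and UserAuth shapes are assumptions modelled on the fields the page uses (profileId, resource, type) and on this.getUserAuth(); the 'update' and 'delete' operation names are assumed as well. Check them against the real AiChatbotMutationContext before relying on the types.

```typescript
// Added example (not Squid's code): the authorization decision behind the
// per-user @secureAiChatbot('integration-id', 'mutate') rule as a pure
// function. Types below are assumptions modelled on the page's fields.

type MutationResource = 'profile' | 'instruction' | 'context';
type MutationType = 'insert' | 'update' | 'delete'; // 'update'/'delete' assumed

interface MutationContext {
  profileId?: string;          // optional to exercise the missing-id edge case
  resource: MutationResource;
  type: MutationType;
}

// Stand-in for this.getUserAuth(): undefined means an unauthenticated caller.
interface UserAuth {
  userId?: string;
}

// Mutation rule for per-user profiles: fail closed on missing auth, bind the
// profile to the caller, then decide per resource and operation.
function allowMutation(auth: UserAuth | undefined, ctx: MutationContext): boolean {
  const userId = auth?.userId;
  // Fail closed: without a userId nothing may match, even a missing profileId.
  if (!userId) return false;
  if (ctx.profileId !== userId) return false;

  switch (ctx.resource) {
    case 'instruction':
      return false;                  // instructions are managed server-side only
    case 'context':
      return ctx.type === 'insert';  // users may add context, not rewrite or delete it
    case 'profile':
      return ctx.type === 'insert';  // users may create their own profile
    default:
      return false;                  // anything unrecognised is denied
  }
}

// Constructed cases covering the edge cases a reviewer would want checked.
function evaluateCases(): Record<string, boolean> {
  const alice: UserAuth = { userId: 'alice' };
  return {
    anonymousCannotCreate: allowMutation(undefined, { profileId: 'alice', resource: 'profile', type: 'insert' }),
    // The case the naive check misses: no userId and no profileId.
    anonymousNoProfileId: allowMutation({}, { resource: 'profile', type: 'insert' }),
    ownerCanCreateProfile: allowMutation(alice, { profileId: 'alice', resource: 'profile', type: 'insert' }),
    ownerCannotDeleteProfile: allowMutation(alice, { profileId: 'alice', resource: 'profile', type: 'delete' }),
    ownerCanInsertContext: allowMutation(alice, { profileId: 'alice', resource: 'context', type: 'insert' }),
    ownerCannotUpdateContext: allowMutation(alice, { profileId: 'alice', resource: 'context', type: 'update' }),
    ownerCannotEditInstruction: allowMutation(alice, { profileId: 'alice', resource: 'instruction', type: 'update' }),
    otherUserCannotTouch: allowMutation(alice, { profileId: 'bob', resource: 'context', type: 'insert' }),
  };
}
```

Keeping the decision in a pure function like allowMutation lets you keep the decorator method on the service a one-liner that forwards this.getUserAuth() and the context, while the rule itself stays covered by ordinary unit tests.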