-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update OpenAI detector #2863
Update OpenAI detector #2863
Conversation
6e49335
to
85c9275
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @rgmz for updating the open-ai detector. I've left some comments.
}() | ||
|
||
switch res.StatusCode { | ||
case 200: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rgmz previously verification was based on range of 2xx Http status. Is there any particular reason to change it ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Many of the detectors are based on a template with generic conditions. I think it's prudent to only consider something verified if it matches known/documented status codes.
Unexpected API/site changes, and thus status code changes, will propagate as an error rather than creating false-positives.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The API reference of OpenAI has well defined the error codes (also In there python library). In my opinion, Its good to parse the response but It wont make any effect on verification.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In my opinion, Its good to parse the response but It wont make any effect on verification.
I agree that parsing error codes doesn't make sense for OpenAI (although there are some APIs where 401 vs 403 is an importance difference).
I don't think it's a good practice to be liberal with what status codes are considered "valid" when only a specific one is expected. It's a recipe for false positives, imo.
if err = json.NewDecoder(res.Body).Decode(&orgs); err != nil { | ||
return false, nil, err | ||
} | ||
|
||
org := orgs.Data[0] | ||
extraData := map[string]string{ | ||
"id": org.ID, | ||
"title": org.Title, | ||
"user": org.User, | ||
"description": org.Description, | ||
"role": org.Role, | ||
"is_personal": strconv.FormatBool(org.Personal), | ||
"is_default": strconv.FormatBool(org.Default), | ||
"total_orgs": fmt.Sprintf("%d", len(orgs.Data)), | ||
} | ||
return true, extraData, nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
..these are non-fatal errors and can be ignored without affecting the verification result.
The question I posed was actually whether it makes sense to return "verified" alongside an error to indicate a potential problem with the response. Generally speaking, I think it's much safer to handle errors rather than ignore them if err == nil { ... }
.
There's a larger problem of surfacing errors and giving them precedence, but that's a different topic. e.g., the GitHub detector failing due to a DNS timeout and the JDBC detector failing because of an invalid hosts shouldn't be treated equally.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You are right that these errors should not be ignored. Unfortunately, right now, Detector result struct does not supports to hold these kind of errors (other than verification). In future, we can have separate error field(s) like @dustin-decker proposed to name it as EnrichmentError.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unfortunately, right now, Detector result struct does not supports to hold these kind of errors (other than verification).
I would still consider them verification errors. e.g., invalid JSON can be indicative of false-positives or the API not behaving as expected (#2099).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @rgmz for sharing this case study. It is valid use case to convince me. One more case came in my mind is if an API started to redirected to valid page (with status 200) with HTML in response (may be home page), It will also be indicative of false-positives.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you. LGTM
Description:
User-level API keys have been deprecated, now project-level API keys (
sk-proj-
) are the default. They have also introduced service account API keys (sk-$name-
).https://help.openai.com/en/articles/9186755-managing-your-work-in-the-api-platform-with-projects#h_20805964da
Checklist:
make test-community
)?make lint
this requires golangci-lint)?