WeWeb is a front end builder, what you build will be executed in the browser and so everything end up exposed publicly.
What do you need to secure behind your proxy ? Which API calls exactly with which api keys ?
I’m geniunly interested because I already through about how to provide such capabilities in WeWeb, there is many way like improving the REST API plugin to allow defining secure variables inside and define a syntax to inject it inside your request when you toggle the “proxy request” feature.
But I think it’s not a good pattern. In most of the case, hiding an API key is not enough and could provide a false sense of security. If all you do is proxying a request you’re still allowing anyone to use your API Key with the endpoint url and payload you want, so I would need to make the request url static to avoid someone replacing it with his own endpoint url to steal my api key. But again, even if the API key usage get restricted to the predefined static url, someone could abuse it.
Exemple => If you decide to use such a feature to send api request to OpenAI, and protect the api key by proxying the request, someone could just ping and abuse this proxy endpoint and empty your credits. So we will need to develop a way to address this like adding a configurable rate limit but then you will want to make it depend of the connected user and it will become even more complex. In reality once we open the door, what people will ask us is to provide a backend.
But what I think is there is already many backend players and we should stay focus on building the best front end builder to connect with them.
But if there is usecases where a simple proxy, only to hide an api key, is enough and where there is no risk associated with the fact the proxy endpoint will be public and can be abused, I think we could develop something. I’m just not sure encouraging such a pattern is good, many people could be tempted to see it as a shortcut instead of developing their application in a secure and robust way.