The Dark Side of AI: How Generating Code Could Be Dangerous for Your Business.
Don't Fear AI Replacing Software Developers
Developers are always looking for ways to do more with less effort. This often leads them to seek out tools that can help them be more efficient and productive. While this desire to find the best possible way of achieving a goal is admirable, it could also be seen as laziness. After all, why put in extra effort if something else can do it for you?
One of these tools is GPT-generated code, which has become increasingly popular in recent years. While this type of code can save time, it also brings several risks.
While some people are fearful that artificial intelligence (AI) will replace software developers altogether, this is not the real threat. AI can be a powerful tool to help software engineers become more efficient. Still, it cannot replace the expertise and experience only a software developer can bring to the table.
Let's dive in and explore it together!
In response to the prompt "Write the JWT middleware using RSA tokens in go language," ChatGPT generated the following code.
The code generated by ChatGPT looks good and works well as a JWT middleware using RSA tokens in the Go language. This is an impressive outcome, given the complexity of coding software that involves so many different components.
The genuine threats of AI remain hidden in the subtleties, and expertise in this field is required to spot these risks. Otherwise, a person may use code containing up to five mistakes and two vulnerabilities without knowing it.
I will highlight it for you:
Mistake 1: The first slip-up is outdated data.
AI relies on old datasets, which may be up to five or even ten years out of date. This can create a problem as programming develops at an accelerating rate – AI then has the potential to output solutions based on outdated information, making them obsolete or even potentially hazardous. In some cases, this has been seen with disastrous outcomes.
As you can see on line number 7, a well-known Go JWT library is being used. Unfortunately, this library has been deprecated due to critical security vulnerabilities that cannot be mitigated.
As of 2021, this library is no longer supported and should not be used. Although every proficient Go programmer knows this, artificial intelligence has yet to catch up. In the next 5-10 years, though, that might change!
Mistake 2: AI needs to be made aware of standards and references.
As you can observe, it reads the Authorization header and attempts to use its value directly as the token. Unfortunately, this is incorrect.
Under the RFC 6750 standard, bearer tokens are sent with a "Bearer" prefix to distinguish them from other token types.
This code should check for the prefix and strip it before using the remaining value as the token.
Mistake 3: AI is repeating people's mistakes
Let's look at line number 20.
When I asked ChatGPT to generate software code for a JWT middleware using an RSA token type, it instead utilised an HMAC (Hash-based Message Authentication Code) token.
An HMAC token is signed by hashing the payload together with a shared secret key. It is less secure than an RSA token because verification uses that same shared secret rather than a separate private key: every service that can verify such a token can also mint one, leaving it open to malicious attack.
The biggest threat posed by AI is that software developers may trust its advice without realising how wrong it can be. This is especially true for inexperienced software developers who may take the advice of AI as gospel truth. In the example given above, inexperienced software developers may believe that the code generated by ChatGPT uses an RSA token rather than an HMAC token.
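To make the contrast concrete, here is an added Go example, written for this page and not the code ChatGPT generated or the author's solution, of a verifier that really does use RSA: the algorithm is pinned to RS256 on the verifier side, the signature is checked with the public key using only the standard library, and any token whose header names a different algorithm (HS256, none, or anything else) is refused before the signature is even looked at. SignRS256 and UnsignedToken exist only to construct sample input for the example; the subject "alice" and the one-minute expiry are constructed values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of registered JWT claims this example checks.
type Claims struct {
	Subject   string `json:"sub"`
	ExpiresAt int64  `json:"exp,omitempty"`
}

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding

// VerifyRS256 accepts a compact JWT only if its header says alg RS256 and the
// RSASSA-PKCS1-v1_5/SHA-256 signature verifies under pub. The algorithm is
// fixed by the verifier, never taken from the token.
func VerifyRS256(token string, pub *rsa.PublicKey, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token must have three dot-separated segments")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("decode header: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, fmt.Errorf("parse header: %w", err)
	}
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q, want RS256", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("decode signature: %w", err)
	}
	// The signature covers the encoded header and payload, joined by a dot.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("parse claims: %w", err)
	}
	if c.ExpiresAt != 0 && !now.Before(time.Unix(c.ExpiresAt, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// SignRS256 issues a token with the private key. It is here only so the example
// has valid input to verify; an issuer would normally be a separate service.
func SignRS256(c Claims, priv *rsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// UnsignedToken builds constructed input whose header claims alg but which
// carries an empty signature, for checking that the verifier refuses it.
func UnsignedToken(alg string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, _ := json.Marshal(c)
	return b64.EncodeToString(hdr) + "." + b64.EncodeToString(body) + "."
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tok, _ := SignRS256(Claims{Subject: "alice", ExpiresAt: now.Add(time.Minute).Unix()}, priv)
	c, err := VerifyRS256(tok, &priv.PublicKey, now)
	fmt.Println("RS256 token:", c, err)
	_, err = VerifyRS256(UnsignedToken("HS256", Claims{Subject: "alice"}), &priv.PublicKey, now)
	fmt.Println("HS256 token:", err)
}
```

The point a reviewer should look for in any JWT middleware is the line that decides the algorithm: here it is a constant in the verifier, not a field read from the untrusted header.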
Mistake 4: AI only satisfies your request.
In lines 24 and 29, the code sends only a status code back to the requester. While this is technically acceptable, it certainly isn't an ideal approach.
Good error handling, including returning more detail about what went wrong, is a best practice that software developers should strive to incorporate into their code. It is essential for software development, especially for software that involves complex components, such as a cloud-native environment. Not only does it help software developers better understand the cause of an error, but it also helps them quickly identify and fix bugs.
Mistake 5: What about "Next"?
In line 34, you can see that the parsed token is used only once, to check whether it is valid.
Sadly, there are a few things that could be improved in that approach.
Firstly, the validation has already been completed at line 19. The ParseWithClaims function will return an error if the token is invalid. Extra validation will not do any harm, so let's forget about this one.
The issue we are running into is that the parsed token is needed later in the request pipeline. The power of a JWT lies in its payload: the so-called JWT claims. JWT claims provide invaluable data regarding the token and the user, which is essential for authenticating users and granting them permissions.
This middleware should pass the parsed token to the subsequent handlers. But it does not.
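Here is the shape that Mistakes 2, 4 and 5 are asking for, as an added Go example written for this page rather than the code ChatGPT or the author produced: the middleware strips the "Bearer" scheme per RFC 6750 before treating the value as a token, answers rejections with an RFC 6750 error code in WWW-Authenticate and a JSON body instead of a bare status, and stores the parsed claims in the request context so later handlers can read them. Signature verification is delegated to a caller-supplied VerifyFunc (an assumption, stubbed in main); the names WhoAmI, ClaimsFromContext, the route /me and the token "demo-token" are invented for the example.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"net/http"
	"strings"
)

// Claims is whatever the verifier returns; a map keeps the example
// independent of any particular JWT library.
type Claims map[string]any

// VerifyFunc is supplied by the caller (assumed, not shown here): it checks
// the token's signature and validity and returns the claims it carries.
type VerifyFunc func(token string) (Claims, error)

// ctxKey is unexported so no other package can overwrite the entry.
type ctxKey struct{}

// ClaimsFromContext is what downstream handlers call to reach the parsed claims.
func ClaimsFromContext(ctx context.Context) (Claims, bool) {
	c, ok := ctx.Value(ctxKey{}).(Claims)
	return c, ok
}

var ErrNoCredentials = errors.New("missing Authorization header")

// ExtractBearer applies RFC 6750 section 2.1: the scheme name "Bearer"
// (case-insensitive), a space, then the token. The raw header value is
// never used as the token.
func ExtractBearer(authz string) (string, error) {
	if authz == "" {
		return "", ErrNoCredentials
	}
	scheme, token, found := strings.Cut(authz, " ")
	if !found || !strings.EqualFold(scheme, "Bearer") {
		return "", fmt.Errorf("unsupported authorization scheme %q", scheme)
	}
	token = strings.TrimSpace(token)
	if token == "" {
		return "", errors.New("empty bearer token")
	}
	return token, nil
}

// writeError answers with the RFC 6750 section 3.1 error code in
// WWW-Authenticate and a JSON body, not a bare status. The exact cause is
// logged server-side; the client sees the error class.
func writeError(w http.ResponseWriter, status int, code string, cause error) {
	log.Printf("auth rejected: %s: %v", code, cause)
	w.Header().Set("WWW-Authenticate", fmt.Sprintf(`Bearer error=%q`, code))
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	json.NewEncoder(w).Encode(map[string]string{"error": code})
}

// JWTMiddleware validates the bearer token once and hands its claims to next
// through the request context.
func JWTMiddleware(verify VerifyFunc, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token, err := ExtractBearer(r.Header.Get("Authorization"))
		switch {
		case errors.Is(err, ErrNoCredentials):
			w.Header().Set("WWW-Authenticate", "Bearer") // challenge, no error code
			w.WriteHeader(http.StatusUnauthorized)
			return
		case err != nil:
			writeError(w, http.StatusBadRequest, "invalid_request", err)
			return
		}
		claims, err := verify(token)
		if err != nil {
			writeError(w, http.StatusUnauthorized, "invalid_token", err)
			return
		}
		ctx := context.WithValue(r.Context(), ctxKey{}, claims)
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

// WhoAmI is a downstream handler that relies on the claims stored by the middleware.
func WhoAmI(w http.ResponseWriter, r *http.Request) {
	claims, ok := ClaimsFromContext(r.Context())
	if !ok {
		http.Error(w, "no claims in context", http.StatusInternalServerError)
		return
	}
	fmt.Fprintf(w, "hello %v", claims["sub"])
}

func main() {
	// Stub verifier for a stand-alone run; swap in real RS256 verification.
	verify := func(tok string) (Claims, error) {
		if tok == "demo-token" {
			return Claims{"sub": "alice"}, nil
		}
		return nil, errors.New("signature verification failed")
	}
	http.Handle("/me", JWTMiddleware(verify, http.HandlerFunc(WhoAmI)))
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Using an unexported struct type as the context key, rather than a string, is what stops an unrelated package from reading or replacing the claims by guessing the key.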
Solution by the developer.
Here is the code, which I wrote in 15 minutes:
In software development, it is important to consider the implications of AI and how it can be used in practice. While Artificial Intelligence can help software developers become more efficient, they should still exercise caution when using it as a tool. AI may make mistakes such as not following standards or using outdated libraries with security vulnerabilities.
Ultimately, software development requires a team of experts who understand the importance of effective processes for creating highly efficient products. Artificial Intelligence should be used as another tool to help software developers become more efficient, not replace them altogether.
By understanding the mistakes that AI can make and taking the necessary steps to correct them, software developers can ensure that they create secure and reliable products. As software development continues to evolve, it is essential for developers to stay up to date on the latest software development trends and keep an open mind when using AI.
PS: This text is written with the help of two AIs: Jasper AI and Grammarly.
PPS: You might be interested in this duel we organised with GoogleTranslate and ChatGPT. To find out who won, click here.