Make /users/{username}/keys endpoint more open #27642

Closed
wiktor-k opened this issue Oct 16, 2023 · 0 comments · Fixed by #28587
Labels
type/proposal The new feature has not been accepted yet but needs to be discussed first.

Comments

@wiktor-k
Contributor

Feature Description

Hi,

I've noticed that, compared to Gitea's /users/{username}/keys endpoint, GitHub's SSH keys endpoint 1) is available to unauthenticated users and 2) has the access-control-allow-origin: * header (so it can be queried by a web browser).

GitHub:

$ curl -i https://api.github.com/users/castedo/ssh_signing_keys
HTTP/2 200 
server: GitHub.com
date: Mon, 16 Oct 2023 09:59:53 GMT
...
access-control-allow-origin: *
strict-transport-security: max-age=31536000; includeSubdomains; preload
[
  {
    "id": 164688,
    "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQdQut465od3lkVyVW6038PcD/wSGX/2ij3RcQZTAqt",
    "title": "ellersign2023",
    "created_at": "2023-09-20T12:05:12.685Z"
  }
]

Trying the same on Gitea:

curl -X 'GET' \
  'https://try.gitea.io/api/v1/users/wiktor/keys' \
  -H 'accept: application/json'

Yields:

{
  "message": "token is required",
  "url": "https://try.gitea.io/api/swagger"
}

I wonder if it's possible to relax this. The keys are already publicly available in SSH format via https://try.gitea.io/wiktor.keys (but sadly that one doesn't have CORS).

My use-case is building a Keyoxide website that verifies identities but using SSH keys instead of OpenPGP. (If the keys are CORS-OK then the validation can be done purely in the user's browser).

Thanks for your time! 👋

(If this sounds like a good addition I'm happy to submit a PR)

Screenshots

No response
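
Added example, not part of the original issue or of Gitea's code: a small model of the check a browser applies before letting a page on another origin read a keys endpoint, run over responses shaped like the two quoted above. The origin `https://verifier.example`, the function names, the lowercased header keys, and the 401 status and absent CORS header on the Gitea-like sample are assumptions.

```javascript
// Added example: a model of the browser-side CORS check for a cross-origin
// read of a keys endpoint. All sample responses below are constructed.
const VERIFIER_ORIGIN = "https://verifier.example"; // hypothetical origin

// True if script running on pageOrigin is allowed to read the response.
// Header names are assumed to be lowercased already.
function corsReadable(pageOrigin, headers, withCredentials = false) {
  const allow = headers["access-control-allow-origin"];
  if (allow === undefined) return false;       // no CORS header: read is blocked
  if (allow === "*") return !withCredentials;  // wildcard is rejected for credentialed requests
  if (allow !== pageOrigin) return false;      // otherwise it must equal the origin exactly
  return !withCredentials || headers["access-control-allow-credentials"] === "true";
}

// Splits "ssh-ed25519 AAAA... [comment]" into fields; null if malformed.
function parseKeyLine(line) {
  const re = /^((?:sk-)?(?:ssh|ecdsa-sha2)-[a-z0-9@.-]+)\s+([A-Za-z0-9+\/]+=*)(?:\s+(.*))?$/;
  const m = re.exec(String(line).trim());
  return m ? { type: m[1], blob: m[2], comment: m[3] || "" } : null;
}

// What an in-browser verifier hosted at pageOrigin ends up with.
function keysVisibleToBrowser(pageOrigin, response) {
  if (!corsReadable(pageOrigin, response.headers)) {
    return { ok: false, reason: "blocked by CORS" }; // script never sees status or body
  }
  if (response.status !== 200) return { ok: false, reason: `HTTP ${response.status}` };
  const keys = JSON.parse(response.body).map((e) => parseKeyLine(e.key)).filter(Boolean);
  return { ok: true, keys };
}

// Shaped like the GitHub response quoted in the issue.
const githubLike = {
  status: 200,
  headers: { "access-control-allow-origin": "*" },
  body: JSON.stringify([{ id: 164688, title: "ellersign2023",
    key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQdQut465od3lkVyVW6038PcD/wSGX/2ij3RcQZTAqt" }]),
};
// Shaped like the Gitea reply; the 401 status and missing CORS header are assumptions.
const giteaLike = {
  status: 401,
  headers: {},
  body: JSON.stringify({ message: "token is required" }),
};

console.log(keysVisibleToBrowser(VERIFIER_ORIGIN, githubLike));
console.log(keysVisibleToBrowser(VERIFIER_ORIGIN, giteaLike));
```

The wildcard branch is why `access-control-allow-origin: *` on an unauthenticated, already-public endpoint does not expose session-bound data: browsers refuse to pair it with credentialed requests.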

@wiktor-k wiktor-k added the type/proposal The new feature has not been accepted yet but needs to be discussed first. label Oct 16, 2023
lunny pushed a commit that referenced this issue Dec 25, 2023
The CORS code has been unmaintained for a long time, and the behavior is
not correct.

This PR tries to improve it. The key point is written as a comment in the
code. And add more tests.

Fix #28515
Fix #27642
Fix #17098
wxiaoguang added a commit that referenced this issue Dec 25, 2023
Backport #28587, the only conflict is the test file.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 9, 2024