Consider relaxing access constraints on /api/users/{username}/keys
#30681
Comments
wiktor-k
added
the
type/proposal
lunny
added
the
proposal/accepted
|
Ideally you would fetch those in a client that does not require CORS, e.g. in the backend. |
Yes, that's a workaround I could use but the point of my solution is not using any backend services as trusted third parties but doing it all in the browser. This has a couple of benefits: it's easier to self host for others and in general is less complex. Additionally the JSON endpoint provides structured data, which is also beneficial. I'm aware that this could be worked around but given other forges already having similar rules I hope implementing unauthenticated access would just be the cleanest solution. As for the key comment maybe it can be omitted in unauthenticated requests but included in requests with tokens? I'm looking for just the key material and I'm okay with this adjustment (note that other forges just output that, as you can see in my samples above). |
I guess I would be okay if the non-authenticated API returns the exact format that github does, with the stripped comment. It should be clearly documented that this specific API has a difference whether the request is authenticated or not. |
This patch relaxes constraints on getting user's SSH keys via the JSON API. The same has been allowed by both GitHub and Gitlab and the output is already readable via http://domain/user.keys endpoint. The benefit of allowing it via the API are twofold: first this is a structured output and second it can be CORS-enabled. As a privacy precaution the `Title` property is set to an empty string if the request is unauthenticated. Fixes: go-gitea#30681
This patch relaxes constraints on getting user's SSH keys via the JSON API. The same has been allowed by both GitHub and Gitlab and the output is already readable via http://domain/user.keys endpoint. The benefit of allowing it via the API are twofold: first this is a structured output and second it can be CORS-enabled. As a privacy precaution the `Title` property is set to an empty string if the request is unauthenticated. Fixes: go-gitea#30681
|
I hope the public does not mean unauthenticated for private instances? 🤔 |
It's the same kind of access that is available through the (note no authentication tokens passed). Or maybe I misunderstood your question? |
I mean it should be still inaccessible if gitea instance is set to always require authentication ( |
Yeah, just to be crystal clear: I don't want to relax that. Just provide the same info under the same rules as |
|
PR title should be fixed that as it is quite misleading "unauthenticated access" |
Okay, what do you suggest? |
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
Feature Description
Hi,
I'm building an identity service (similar to https://keyoxide.org but based on SSH keys) and I'm looking for a way to get the keys without tokens with a CORS headers.
Just for the record both GitHub and Gitlab allow unauthenticated, CORS-ok access:
Gitlab:
$ curl -H Origin:http://example.com -i https://gitlab.com/api/v4/users/wiktor/keys HTTP/2 200 date: Wed, 24 Apr 2024 10:06:36 GMT content-type: application/json content-length: 1761 access-control-allow-methods: GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS access-control-allow-origin: * access-control-expose-headers: Link, X-Total, X-Total-Pages, X-Per-Page, X-Page, X-Next-Page, X-Prev-Page, X-Gitlab-Blob-Id, X-Gitlab-Commit-Id, X-Gitlab-Content-Sha256, X-Gitlab-Encoding, X-Gitlab-File-Name, X-Gitlab-File-Path, X-Gitlab-Last-Commit-Id, X-Gitlab-Ref, X-Gitlab-Size access-control-max-age: 7200 ... [{"id":2938736,"title":"openpgp:0x64CFEBC4","created_at":"2018-12-31T23:22:23.809Z","expires_at":null,"key":"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC50X67d9QXRVTiVgVhuKO3CbDu76yV85Cp7CRwBVmv5nwEczFweT/p5XdTARjj25PiQRv0YMFIEdrh7LDB/lSgAcoIJptfHSSJzwd6tCMyXtgujtbz47oGhmZAzKvQl8xbxlZnhjxt9tjt9nPU+P1wIBJU7aOqx9k4kX25mP5HXeFZ1qNzPetwh9h5QzB/6f26iu1U004DdR2f27kBnzUNu/bUPLUI5hiFSxSXl6Oy3/y2srCUyQiUtDDD8498PiO+OZWNaz8xvZN2lyJLjy3dDWQP5y1GaEN2Jk5TdAxP/N/fXII/vZuRMFALhWupuLoytdUL7h27fubSnA6rKbJn Wiktor Kwapisiewicz (gitlab.com)","usage_type":"auth_and_signing"},{"id":6553087,"title":"openpgp:0x0529CE0A","created_at":"2021-01-05T07:17:04.934Z","expires_at":null,"key":"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILHCXBJYlPPkrt2WYyP3SZoMx43lDBB5QALjE762EQlc Wiktor Kwapisiewicz (gitlab.com)","usage_type":"auth_and_signing"},{"id":9644651,"title":"/usr/lib/pkcs11/libtpm2_pkcs11.so.0.0.0","created_at":"2022-05-30T10:42:15.495Z","expires_at":null,"key":"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQv2RJtGurpNLWyiGz9sSuX8agzV98gHW2ZG/7vFkIQrPlaYsd/OH1z7BZNeCHs5vcoq6c2Eh5s6a0vcH4n181TKfjgpbq4t7OFNygWBJplXIZvIlsY//UCxfp5ZdKWJfrYUu/0HeEv5r/7ZcpwF/omC97aM0ipmAeQ8QEGLfgGW427ATa/r2SFwK/4h0C+BTUnMj/YC/4KI/MPWA6x7RdAw+RbVjZd4kT2ZPXcUdruSqDQ4vSP/b8gERv1IjWUn+HHteRJgR2SwNmsuuT/Ko3FRFfXxXPV2yMEvUY2+DoU781VhZJl0aqpW5bIhlK5VE5rGvmMuE5S7XwYDM9V0Wl Wiktor Kwapisiewicz (gitlab.com)","usage_type":"auth_and_signing"},{"id":9713501,"title":"tpm@radon","created_at":"2022-06-09T19:13:11.340Z","expires_at":null,"key":"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBButvOpt5qRRPazVFSfV6a4A33eXtlVkXL7x4PHr2zryw1wGb7tzpuSTZKabJaTlSZP/Jpva2caGNNtoNbXVDisOsiS4/wSa3AJ2/PmxOcpv/lZcpCynKq4zDeogo+FxrA== Wiktor Kwapisiewicz (gitlab.com)","usage_type":"auth_and_signing"}]GitHub:
Compare that with Gitea, that returns 401 (unauthenticated):
Note that the keys are already public via the other endpoint, which sadly is not CORS-enabled:
I think given what others do and the already-public aspect of the keys it would be OK to allow unauthenticated access to
https://gitea.com/api/v1/users/{username}/keysand if that sounds OK for you I'm volunteering to implement it.Screenshots
No response
The text was updated successfully, but these errors were encountered: