Skip to content

api: Allow unauthenticated access to user's SSH keys #30717

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

api: Allow unauthenticated access to user's SSH keys #30717

wants to merge 2 commits into from

Conversation

wiktor-k
Copy link
Contributor

This patch relaxes constraints on getting user's SSH keys via the JSON API. The same has been allowed by both GitHub and Gitlab and the output is already readable via http://domain/user.keys endpoint.

The benefit of allowing it via the API are twofold: first this is a structured output and second it can be CORS-enabled.

As a privacy precaution the Title property is set to an empty string if the request is unauthenticated.

Fixes: #30681

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Apr 26, 2024
@github-actions github-actions bot added modifies/api This PR adds API routes or modifies them modifies/go Pull requests that update Go code labels Apr 26, 2024
lunny
lunny requested changes Apr 26, 2024
View reviewed changes
@GiteaBot GiteaBot added lgtm/blocked A maintainer has reservations with the PR and thus it cannot be merged and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Apr 26, 2024
@wiktor-k
api: Allow unauthenticated access to user's SSH keys
693db80 
This patch relaxes constraints on getting user's SSH keys via the JSON
API. The same has been allowed by both GitHub and Gitlab and the output
is already readable via http://domain/user.keys endpoint.

The benefit of allowing it via the API are twofold: first this is
a structured output and second it can be CORS-enabled.

As a privacy precaution the `Title` property is set to an empty string
if the request is unauthenticated.

Fixes: go-gitea#30681
@wiktor-k wiktor-k force-pushed the allow-unauthenticated-retrieval-of-ssh-keys branch from 69afd9d to 693db80 Compare April 29, 2024 12:42
@techknowlogick techknowlogick requested a review from lunny May 22, 2024 15:06
@lunny
Copy link
Member

lunny commented May 22, 2024

I think we should just expose the id and key like what Github did. i.e. https://api.github.com/users/lunny/keys

@wiktor-k
Copy link
Contributor Author

I think we should just expose the id and key like what Github did. i.e. https://api.github.com/users/lunny/keys

There's a slight problem that the time cannot be nil'd. Although I found a way by using *time.Time I'm not sure if that's the way to follow (because it'd change the API). (I'm no go developer so excuse my basic questions).

Just for the record the API for returning "signing SSH keys" does include creation time and title: https://api.github.com/users/wiktor-k/ssh_signing_keys

@lunny
Copy link
Member

lunny commented May 28, 2024

If you don't mind, I can send some commits to your PR.

@wiktor-k
Copy link
Contributor Author

If you don't mind, I can send some commits to your PR.

I would be very glad if you could help 🙏 thank you in advance! 🙇

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lunny lunny Awaiting requested review from lunny

Assignees
No one assigned
Labels
lgtm/blocked A maintainer has reservations with the PR and thus it cannot be merged modifies/api This PR adds API routes or modifies them modifies/go Pull requests that update Go code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Consider relaxing access constraints on /api/users/{username}/keys
4 participants
@wiktor-k @lunny @techknowlogick @GiteaBot