From 69afd9dc39645ce8c96f694878275076a2cf24b3 Mon Sep 17 00:00:00 2001 From: Wiktor Kwapisiewicz Date: Fri, 26 Apr 2024 11:48:42 +0200 Subject: [PATCH] api: Allow unauthenticated access to user's SSH keys This patch relaxes constraints on getting user's SSH keys via the JSON API. The same has been allowed by both GitHub and Gitlab and the output is already readable via http://domain/user.keys endpoint. The benefit of allowing it via the API are twofold: first this is a structured output and second it can be CORS-enabled. As a privacy precaution the `Title` property is set to an empty string if the request is unauthenticated. Fixes: https://github.com/go-gitea/gitea/issues/30681 --- routers/api/v1/api.go | 8 +++++++- routers/api/v1/user/key.go | 10 ++++++++-- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go index 5358906f27d51..92502b4b1e4dc 100644 --- a/routers/api/v1/api.go +++ b/routers/api/v1/api.go @@ -916,7 +916,6 @@ func Routes() *web.Route { // Users (requires user scope) m.Group("/users", func() { m.Group("/{username}", func() { - m.Get("/keys", user.ListPublicKeys) m.Get("/gpg_keys", user.ListGPGKeys) m.Get("/followers", user.ListFollowers) @@ -931,6 +930,13 @@ func Routes() *web.Route { }, context.UserAssignmentAPI()) }, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser), reqToken()) + // Users SSH keys (publicly readable) + m.Group("/users", func() { + m.Group("/{username}", func() { + m.Get("/keys", user.ListPublicKeys) + }, context.UserAssignmentAPI()) + }) + // Users (requires user scope) m.Group("/user", func() { m.Get("", user.GetAuthenticatedUser) diff --git a/routers/api/v1/user/key.go b/routers/api/v1/user/key.go index d9456e7ec6087..020932594fad4 100644 --- a/routers/api/v1/user/key.go +++ b/routers/api/v1/user/key.go @@ -89,8 +89,14 @@ func listPublicKeys(ctx *context.APIContext, user *user_model.User) { apiKeys := make([]*api.PublicKey, len(keys)) for i := range keys { apiKeys[i] = convert.ToPublicKey(apiLink, keys[i]) - if ctx.Doer.IsAdmin || ctx.Doer.ID == keys[i].OwnerID { - apiKeys[i], _ = appendPrivateInformation(ctx, apiKeys[i], keys[i], user) + if ctx.Doer != nil { + if ctx.Doer.IsAdmin || ctx.Doer.ID == keys[i].OwnerID { + apiKeys[i], _ = appendPrivateInformation(ctx, apiKeys[i], keys[i], user) + } + } else { + // unauthenticated requests will not receive the title property + // to preserve privacy + apiKeys[i].Title = "" } }