Closed
Description
Feature Description
Hi,
I've noticed that, compared to Gitea's /users/{username}/keys
endpoint, GitHub's SSH keys endpoint is both 1) available to unauthenticated users and 2) has an access-control-allow-origin: *
header (so it can be queried from a web browser).
Github:
$ curl -i https://api.github.com/users/castedo/ssh_signing_keys
HTTP/2 200
server: GitHub.com
date: Mon, 16 Oct 2023 09:59:53 GMT
...
access-control-allow-origin: *
strict-transport-security: max-age=31536000; includeSubdomains; preload
[
  {
    "id": 164688,
    "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQdQut465od3lkVyVW6038PcD/wSGX/2ij3RcQZTAqt",
    "title": "ellersign2023",
    "created_at": "2023-09-20T12:05:12.685Z"
  }
]
Trying the same on Gitea:
curl -X 'GET' \
'https://try.gitea.io/api/v1/users/wiktor/keys' \
-H 'accept: application/json'
Yields:
{
  "message": "token is required",
  "url": "https://try.gitea.io/api/swagger"
}
I wonder if it's possible to relax this. The keys are already publicly available in SSH format via https://try.gitea.io/wiktor.keys (but sadly that one doesn't have CORS).
My use-case is building a Keyoxide website that verifies identities but using SSH keys instead of OpenPGP. (If the keys are CORS-OK then the validation can be done purely in the user's browser).
Thanks for your time! 👋
(If this sounds like a good addition I'm happy to submit a PR)
Screenshots
No response