Open wiktor-k opened 5 months ago
/<user>.keys
and /<user>.pgp
info is okay to expose. API has more metadata that some may consider sensitive like the key's comment.
Ideally you would fetch those in a client that does not require CORS, e.g. in the backend.
Ideally you would fetch those in a client that does not require CORS, e.g. in the backend.
Yes, that's a workaround I could use but the point of my solution is not using any backend services as trusted third parties but doing it all in the browser. This has a couple of benefits: it's easier to self host for others and in general is less complex.
Additionally the JSON endpoint provides structured data, which is also beneficial.
I'm aware that this could be worked around but given other forges already having similar rules I hope implementing unauthenticated access would just be the cleanest solution.
As for the key comment maybe it can be omitted in unauthenticated requests but included in requests with tokens? I'm looking for just the key material and I'm okay with this adjustment (note that other forges just output that, as you can see in my samples above).
As for the key comment maybe it can be omitted in unauthenticated requests but included in requests with tokens? I'm looking for just the key material and I'm okay with this adjustment (note that other forges just output that, as you can see in my samples above).
I guess I would be okay if the non-authenticated API returns the exact format that github does, with the stripped comment. It should be clearly documented that this specific API has a difference whether the request is authenticated or not.
I hope the public does not mean unauthenticated for private instances? 🤔
I hope the public does not mean unauthenticated for private instances? 🤔
It's the same kind of access that is available through the .keys
endpoint (but with JSON+CORS):
$ curl https://codeberg.org/lafriks.keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB+wCwJEbmp2zS0aREkMdUGyfinYTCsb56Cprbr+Oe1WMpsuf0efBUy5ZJ0AIfsfT40elnzyxCpw2m5WlzR1TgpEOMcuB21dqhqA5L10eoWjbMXf5N2fyeKMUguBjuIwemzRj2sIQwAoDY3FWfafrUwwswtbIBkZWT4kiwXwOqsXgzkqGf+w37oP0XhxF+HliN9qwx95RVQa9322ErLlRN4tsJs0qv6XyZGmyWO934ksPCsHXuPwz2iONXUWzf9SeTSJEfQyNup++LqMaXVbTggc+fNzJM5tyDAFLxbMSdVmbey7MAeluWLe5MKlBysFnlE68nXh8aoB11gr+w1+o6DTntbjjUlzpw5yTMnRMVHMOEDcBOv5ABaOU8D7jm45GnFtcH/hnPYecOWP639x7M20QGT4Z/9pN7WVlSyxW2lha2t2oi2Gn+5VEcN5YKsHKW7TyH1mg+miumwwR8Nvq93M7dnncA1+T/w1waJUriYGjYszqMMkhx/HVLo5ySdB2nsn0qkCP1/9RMn+3vVbyCiqeZOodo8iNRrdrwKJss9SH9AwHwodFfaoF0wgYbbGtB6frX1mRB1Z6UMlef4NomuPnXfMJxrrdFcbyyOIQQhzZg1EhoHF8BS5/laqw/DFg2xQ41cAVk8VludwBNeICI0ow+tR4wUyWeoA3cPQ==
(note no authentication tokens passed).
Or maybe I misunderstood your question?
Or maybe I misunderstood your question?
I mean it should be still inaccessible if gitea instance is set to always require authentication (REQUIRE_SIGNIN_VIEW=true
)
I mean it should be still inaccessible if gitea instance is set to always require authentication (
REQUIRE_SIGNIN_VIEW=true
)
Yeah, just to be crystal clear: I don't want to relax that. Just provide the same info under the same rules as .keys
but in JSON+CORS. Nothing more.
PR title should be fixed that as it is quite misleading "unauthenticated access"
PR title should be fixed that as it is quite misleading "unauthenticated access"
Okay, what do you suggest? .keys
is available to users who are not logged in (example above), that's why I used unauthenticated
. Is there a better terminology for such an access in Gitea?
It would be very helpful to be able to allow public access to users' public keys. I've been using Gitlab and Gitea for some time now and i was able to do so in Gitlab (https://gitlab.domain.lan/user.keys).
Maybe put a toggle that each user can freely allow or not.
@florent4014 I have some good news for you. That is already possible. This is in regards to changes in access to the API endpoint.
Feature Description
Hi,
I'm building an identity service (similar to https://keyoxide.org but based on SSH keys) and I'm looking for a way to get the keys without tokens with a CORS headers.
Just for the record both GitHub and Gitlab allow unauthenticated, CORS-ok access:
Gitlab:
GitHub:
Compare that with Gitea, that returns 401 (unauthenticated):
Note that the keys are already public via the other endpoint, which sadly is not CORS-enabled:
I think given what others do and the already-public aspect of the keys it would be OK to allow unauthenticated access to
https://gitea.com/api/v1/users/{username}/keys
and if that sounds OK for you I'm volunteering to implement it.Screenshots
No response