Make /users/{username}/keys endpoint more open #11862

Closed
opened 2025-11-02 09:50:02 -06:00 by GiteaMirror · 0 comments
Owner

Originally created by @wiktor-k on GitHub (Oct 16, 2023).

Feature Description

Hi,

I've noticed that, compared to Gitea's `/users/{username}/keys` endpoint, GitHub's SSH keys endpoint is both 1) available to unauthenticated users and 2) served with an `access-control-allow-origin: *` header (so it can be queried from a web browser).

GitHub:

```sh
$ curl -i https://api.github.com/users/castedo/ssh_signing_keys
HTTP/2 200 
server: GitHub.com
date: Mon, 16 Oct 2023 09:59:53 GMT
...
access-control-allow-origin: *
strict-transport-security: max-age=31536000; includeSubdomains; preload
```

```json
[
  {
    "id": 164688,
    "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQdQut465od3lkVyVW6038PcD/wSGX/2ij3RcQZTAqt",
    "title": "ellersign2023",
    "created_at": "2023-09-20T12:05:12.685Z"
  }
]
```

Trying the same on Gitea:

```sh
curl -X 'GET' \
  'https://try.gitea.io/api/v1/users/wiktor/keys' \
  -H 'accept: application/json'
```

Yields:

```json
{
  "message": "token is required",
  "url": "https://try.gitea.io/api/swagger"
}
```

I wonder if it's possible to relax this. The keys are already publicly available in SSH format via https://try.gitea.io/wiktor.keys (but sadly that one doesn't have CORS).

My use case is building a [Keyoxide](https://keyoxide.org/) website that verifies identities, but using SSH keys instead of OpenPGP. (If the keys are CORS-OK then the validation can be done purely in the user's browser.)

Thanks for your time! 👋

(If this sounds like a good addition I'm happy to submit a PR)

Screenshots

No response

GiteaMirror added the type/proposal label 2025-11-02 09:50:02 -06:00
Reference: github-starred/gitea#11862