api: Allow unauthenticated access to user's SSH keys

This patch relaxes constraints on getting user's SSH keys via the JSON
API. The same has been allowed by both GitHub and Gitlab and the output
is already readable via http://domain/user.keys endpoint.

The benefits of allowing it via the API are twofold: first, the output is
structured, and second, it can be CORS-enabled.

As a privacy precaution the `Title` property is set to an empty string
if the request is unauthenticated.

Fixes: https://github.com/go-gitea/gitea/issues/30681
Wiktor Kwapisiewicz 2024-04-26 11:48:42 +02:00
parent e80466f734
commit 693db80296
2 changed files with 18 additions and 3 deletions


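--- a/PATH-NOT-SHOWN-api-routes-file
+++ b/PATH-NOT-SHOWN-api-routes-file
@@ -945,7 +945,6 @@ func Routes() *web.Route {
 // Users (requires user scope)
 m.Group("/users", func() {
 m.Group("/{username}", func() {
-m.Get("/keys", user.ListPublicKeys)
 m.Get("/gpg_keys", user.ListGPGKeys)
 m.Get("/followers", user.ListFollowers)
@@ -960,6 +959,13 @@ func Routes() *web.Route {
 }, context.UserAssignmentAPI())
 }, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser), reqToken())
+// Users SSH keys (publicly readable)
+m.Group("/users", func() {
+m.Group("/{username}", func() {
+m.Get("/keys", user.ListPublicKeys)
+}, context.UserAssignmentAPI())
+})
 // Users (requires user scope)
 m.Group("/user", func() {
 m.Get("", user.GetAuthenticatedUser)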
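Review bot: The new public `/users/{username}` group at the end of the second hunk registers `user.ListPublicKeys` without `reqToken()` or `tokenRequiresScopes(...)`, which is the intent of the change, but nothing in the routes file records that this handler now runs with `ctx.Doer == nil`; a later cleanup that merges the two `/users` groups would silently re-require a token, and the reverse move would hand unauthenticated requests to handlers not written for them. I would extend the comment to `// Users SSH keys (publicly readable): no reqToken() here, user.ListPublicKeys must tolerate ctx.Doer == nil`. Whether the swagger annotation for this operation still advertises token authentication is not visible here; it is worth checking since the route's contract changed.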


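--- a/PATH-NOT-SHOWN-user-keys-file
+++ b/PATH-NOT-SHOWN-user-keys-file
@@ -7,6 +7,7 @@ import (
 std_ctx "context"
 "fmt"
 "net/http"
+"strings"
 asymkey_model "code.gitea.io/gitea/models/asymkey"
 "code.gitea.io/gitea/models/db"
@@ -89,8 +90,16 @@ func listPublicKeys(ctx *context.APIContext, user *user_model.User) {
 apiKeys := make([]*api.PublicKey, len(keys))
 for i := range keys {
 apiKeys[i] = convert.ToPublicKey(apiLink, keys[i])
-if ctx.Doer.IsAdmin || ctx.Doer.ID == keys[i].OwnerID {
-apiKeys[i], _ = appendPrivateInformation(ctx, apiKeys[i], keys[i], user)
+if ctx.Doer != nil {
+if ctx.Doer.IsAdmin || ctx.Doer.ID == keys[i].OwnerID {
+apiKeys[i], _ = appendPrivateInformation(ctx, apiKeys[i], keys[i], user)
+}
+} else {
+// unauthenticated requests will not receive the title property
+// to preserve privacy
+apiKeys[i].Title = ""
+// the key comment is truncated to preserve privacy
+apiKeys[i].Key = strings.Join(strings.Split(apiKeys[i].Key, " ")[:2], " ")
 }
 }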
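Review bot: `strings.Split(apiKeys[i].Key, " ")[:2]` in the new else branch panics with an index-out-of-range when the stored key content has fewer than two space-separated fields, and the unauthenticated request is the only path that reaches it; it also keeps an empty field when type and blob are separated by more than one space or by a tab. Guard the length and split on whitespace instead: `if f := strings.Fields(apiKeys[i].Key); len(f) > 2 {` / `apiKeys[i].Key = strings.Join(f[:2], " ")` / `}`. Whether the model guarantees a type-blob-comment shape for every stored key is not visible here; the guard keeps the handler safe either way. listPublicKeys's signature and the code after the loop lie outside the hunk.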