Add CORS header - access-control-allow-origin: * to `/user/keys?username=...` endpoint
Proposal
Hi,
I've noticed that, compared to GitLab's `/user/keys?username=...` endpoint, GitHub's SSH keys endpoint both 1) is available to unauthenticated users and 2) has an `access-control-allow-origin: *` header (so it can be queried by a web browser).
GitHub:
```
$ curl -i https://api.github.com/users/castedo/ssh_signing_keys
HTTP/2 200
server: GitHub.com
date: Mon, 16 Oct 2023 09:59:53 GMT
...
access-control-allow-origin: *
strict-transport-security: max-age=31536000; includeSubdomains; preload
[
  {
    "id": 164688,
    "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQdQut465od3lkVyVW6038PcD/wSGX/2ij3RcQZTAqt",
    "title": "ellersign2023",
    "created_at": "2023-09-20T12:05:12.685Z"
  }
]
```
GitLab:
```
$ curl -i 'https://gitlab.com/api/v4/user/keys?username=wiktor'
HTTP/2 401
date: Mon, 16 Oct 2023 10:34:16 GMT
vary: Origin
x-content-type-options: nosniff
...
{"message":"401 Unauthorized"}
```
I wonder if it's possible to relax this. The keys are already publicly available in SSH format via https://gitlab.com/wiktor.keys (but sadly that one doesn't have CORS).
My use-case is building a Keyoxide website that verifies identities but using SSH keys instead of OpenPGP. (If the keys are CORS-OK then the validation can be done purely in the user's browser.)
Thanks for your time!
(If this sounds like a good addition I'm happy to submit an MR)
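
As an added example (not part of the original issue, and not GitLab or Keyoxide code): a browser-side verifier that reads a keys endpoint should validate each returned key's wire format before comparing it to a claimed key. The function names are hypothetical, only `ssh-ed25519` is handled, and the sample body is the GitHub response quoted above.

```javascript
// Constructed sample: the JSON body from the GitHub response quoted in the issue.
const SAMPLE_RESPONSE = JSON.stringify([{
  id: 164688,
  key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQdQut465od3lkVyVW6038PcD/wSGX/2ij3RcQZTAqt",
  title: "ellersign2023",
  created_at: "2023-09-20T12:05:12.685Z",
}]);

// Read one RFC 4253 "string": 4-byte big-endian length, then that many bytes.
function readString(bytes, offset) {
  if (offset + 4 > bytes.length) throw new Error("truncated length field");
  const len = new DataView(bytes.buffer, bytes.byteOffset + offset, 4).getUint32(0);
  const end = offset + 4 + len;
  if (end > bytes.length) throw new Error("truncated field body");
  return { value: bytes.subarray(offset + 4, end), next: end };
}

// Parse "<type> <base64-blob> [comment]" and check the blob's internal structure.
// Assumption: this sketch accepts ssh-ed25519 only and rejects everything else.
function parseSshPublicKey(line) {
  const [type, b64] = line.trim().split(/\s+/);
  if (type !== "ssh-ed25519") throw new Error("unsupported key type: " + type);
  if (!b64 || !/^[A-Za-z0-9+/]+={0,2}$/.test(b64)) throw new Error("bad base64");
  const blob = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  const name = readString(blob, 0);
  if (String.fromCharCode(...name.value) !== type) {
    throw new Error("type prefix does not match algorithm name inside blob");
  }
  const key = readString(blob, name.next);
  if (key.value.length !== 32) throw new Error("Ed25519 key must be 32 bytes");
  if (key.next !== blob.length) throw new Error("trailing bytes after key");
  const keyHex = Array.from(key.value, (b) => b.toString(16).padStart(2, "0")).join("");
  return { type, keyHex };
}

// Return the endpoint entry whose raw key bytes equal the claimed key, or null.
function findClaimedKey(responseBody, claimedLine) {
  const claimed = parseSshPublicKey(claimedLine).keyHex;
  for (const entry of JSON.parse(responseBody)) {
    try {
      if (parseSshPublicKey(entry.key).keyHex === claimed) return entry;
    } catch (e) { /* skip malformed or unsupported entries */ }
  }
  return null;
}
```

Comparing decoded key bytes rather than the text line means a differing comment field or surrounding whitespace does not affect the match.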