Make `/users/{username}/keys` endpoint more open

[wiktor-k]

Feature Description

Hi,

I've noticed that compared to Gitea's /users/{username}/keys endpoint GitHub's SSH keys endpoint is both 1) available to unauthenticated users 2) has access-control-allow-origin: * header (so it can be queried by web browser).

Github:

$ curl -i https://api.github.com/users/castedo/ssh_signing_keys
HTTP/2 200 
server: GitHub.com
date: Mon, 16 Oct 2023 09:59:53 GMT
...
access-control-allow-origin: *
strict-transport-security: max-age=31536000; includeSubdomains; preload

[
  {
    "id": 164688,
    "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQdQut465od3lkVyVW6038PcD/wSGX/2ij3RcQZTAqt",
    "title": "ellersign2023",
    "created_at": "2023-09-20T12:05:12.685Z"
  }
]

Trying the same on Gitea:

curl -X 'GET' \
  'https://try.gitea.io/api/v1/users/wiktor/keys' \
  -H 'accept: application/json'

Yields:

{
  "message": "token is required",
  "url": "https://try.gitea.io/api/swagger"
}

I wonder if it's possible to relax this. The keys are already publicly available in SSH format via https://try.gitea.io/wiktor.keys (but sadly that one doesn't have CORS).

My use-case is building a Keyoxide website that verifies identities but using SSH keys instead of OpenPGP. (If the keys are CORS-OK then the validation can be done purely in user's browser).

Thanks for your time! 👋

(If this sounds like a good addition I'm happy to submit a PR)

Screenshots

No response