fix: expose API fields for ssh keys (#12517) (#12625)

The original issue only mentions 'Verified', but 'Updated' was also missing and so is also included. The integration test only covers the initial `false` state. Attempting to cover the flip to true seemed to introduce more problems than benefits (as outlined in `tests/integration/api_keys_test.go`) Manual testing was performed to check that verifying the key in the web ui caused the return value to change from false to true in the API response (using `curl`). ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests for Go changes (can be removed for JavaScript changes) - I added test coverage for Go changes... - [ ] in their respective `*_test.go` for unit tests. - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I ran... - [x] `make pr-go` before pushing ### Tests for JavaScript changes (can be removed for Go changes) - I added test coverage for JavaScript changes... - [ ] in `web_src/js/*.test.js` if it can be unit tested. - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)). ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [x] I did not document these changes and I do not expect someone else to do it. ### Release notes - [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change. - [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12625 Reviewed-by: Cyborus <cyborus@disroot.org> Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2026-06-08 21:22:19 -04:00 · 2026-05-18 17:44:37 +02:00 · 2026-05-18 17:44:37 +02:00 · 08949c518a
commit 08949c518a
parent 8d50e7b25e
4 changed files with 32 additions and 1 deletions
--- a/modules/structs/user_key.go
+++ b/modules/structs/user_key.go
@ -19,4 +19,7 @@ type PublicKey struct {
 	Owner    *User     `json:"user,omitempty"`
 	ReadOnly bool      `json:"read_only,omitempty"`
 	KeyType  string    `json:"key_type,omitempty"`
+	// swagger:strfmt date-time
+	Updated  time.Time `json:"updated_at,omitzero"`
+	Verified bool      `json:"verified"`
 }
--- a/services/convert/convert.go
+++ b/services/convert/convert.go
@ -259,6 +259,8 @@ func ToPublicKey(apiLink string, key *asymkey_model.PublicKey) *api.PublicKey {
 		Title:       key.Name,
 		Fingerprint: key.Fingerprint,
 		Created:     key.CreatedUnix.AsTime(),
+		Updated:     key.UpdatedUnix.AsTime(),
+		Verified:    key.Verified,
 	}
 }

--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@ -28498,12 +28498,21 @@
          "type": "string",
          "x-go-name": "Title"
        },
+        "updated_at": {
+          "type": "string",
+          "format": "date-time",
+          "x-go-name": "Updated"
+        },
        "url": {
          "type": "string",
          "x-go-name": "URL"
        },
        "user": {
          "$ref": "#/definitions/User"
+        },
+        "verified": {
+          "type": "boolean",
+          "x-go-name": "Verified"
        }
      },
      "x-go-package": "forgejo.org/modules/structs"
--- a/tests/integration/api_keys_test.go
+++ b/tests/integration/api_keys_test.go
@ -144,11 +144,11 @@ func TestCreateUserKey(t *testing.T) {
 	})

 	// Search by fingerprint
+	var fingerprintPublicKeys []api.PublicKey
 	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/user/keys?fingerprint=%s", newPublicKey.Fingerprint)).
 		AddTokenAuth(token)
 	resp = MakeRequest(t, req, http.StatusOK)

-	var fingerprintPublicKeys []api.PublicKey
 	DecodeJSON(t, resp, &fingerprintPublicKeys)
 	assert.Equal(t, newPublicKey.Fingerprint, fingerprintPublicKeys[0].Fingerprint)
 	assert.Equal(t, newPublicKey.ID, fingerprintPublicKeys[0].ID)
@ -210,4 +210,21 @@ func TestCreateUserKey(t *testing.T) {

 	DecodeJSON(t, resp, &fingerprintPublicKeys)
 	assert.Empty(t, fingerprintPublicKeys)
+
+	// -------------
+
+	// Key is initially unverified
+	var respPublicKeys []api.PublicKey
+	req = NewRequestWithJSON(t, "GET", "/api/v1/user/keys", rawKeyBody).
+		AddTokenAuth(token)
+	resp = MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &respPublicKeys)
+	assert.False(t, respPublicKeys[0].Verified)
+	assert.Equal(t, respPublicKeys[0].Created, newPublicKey.Updated)
+
+	// Ideally we would flip the verified bit here, but this currently would require:
+	// a) (i) having the private key to hand to generate a signature AND (ii) hitting the web UI (no API to verify)
+	// OR
+	// b) or adding code to flip the bool in the db. This requires bypassing the current
+	// cryptographic validation guarding that update), which weakens the codebase doesn't add much value.
 }