[feature] Add config option to expose custom emojis without auth (#4233)

# Description

> If this is a code change, please include a summary of what you've coded, and link to the issue(s) it closes/implements.
>
> If this is a documentation change, please briefly describe what you've changed and why.

Does as it says on the tin! Should make things a bit easier for clients that don't provide an access token to the custom emojis endpoint.

Closes https://codeberg.org/superseriousbusiness/gotosocial/issues/2430

## Checklist

Please put an x inside each checkbox to indicate that you've read and followed it: `[ ]` -> `[x]`

If this is a documentation change, only the first checkbox must be filled (you can delete the others if you want).

- [x] I/we have read the [GoToSocial contribution guidelines](https://codeberg.org/superseriousbusiness/gotosocial/src/branch/main/CONTRIBUTING.md).
- [x] I/we have discussed the proposed changes already, either in an issue on the repository, or in the Matrix chat.
- [x] I/we have not leveraged AI to create the proposed changes.
- [x] I/we have performed a self-review of added code.
- [x] I/we have written code that is legible and maintainable by others.
- [x] I/we have commented the added code, particularly in hard-to-understand areas.
- [x] I/we have made any necessary changes to documentation.
- [ ] I/we have added tests that cover new code.
- [x] I/we have run tests and they pass locally with the changes.
- [x] I/we have run `go fmt ./...` and `golangci-lint run`.

Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4233
Reviewed-by: Daenney <daenney@noreply.codeberg.org>
Co-authored-by: tobi <tobi.smethurst@protonmail.com>
Co-committed-by: tobi <tobi.smethurst@protonmail.com>

docs/api/swagger.yaml

@@ -3752,6 +3752,7 @@ info:
         read:applications: grants read access to user-managed applications
         read:blocks: grants read access to blocks
         read:bookmarks: grants read access to bookmarks
+        read:custom_emojis: grants read access to custom emojis
         read:favourites: grants read access to accounts
         read:filters: grants read access to filters
         read:follows: grants read access to follows
@@ -8126,6 +8127,7 @@ paths:
                 - conversations
     /api/v1/custom_emojis:
         get:
+            description: If the instance config setting `instance-expose-custom-emojis` is `true` then authentication is not required.
             operationId: customEmojisGet
             produces:
                 - application/json
@@ -8143,7 +8145,8 @@ paths:
                 "500":
                     description: internal server error
             security:
-                - OAuth2 Bearer: []
+                - OAuth2 Bearer:
+                    - read:custom_emojis
             summary: Get an array of custom emojis available on the instance.
             tags:
                 - custom_emojis
@@ -13588,6 +13591,7 @@ securityDefinitions:
             read:applications: grants read access to user-managed applications
             read:blocks: grants read access to blocks
             read:bookmarks: grants read access to bookmarks
+            read:custom_emojis: grants read access to custom emojis
             read:favourites: grants read access to accounts
             read:filters: grants read access to filters
             read:follows: grants read access to follows

docs/configuration/instance.md

@@ -139,6 +139,21 @@ instance-expose-blocklist-web: false
 # Default: false
 instance-expose-public-timeline: false
 
+# Bool. Allow unauthenticated access to /api/v1/custom_emojis, which
+# exposes the list of custom emojis available to users on this server.
+#
+# Setting this to 'true' may alleviate issues with clients that do not
+# provide an access token in their requests to the emojis endpoint, but
+# it also means that anyone can look at what emojis are installed on your
+# instance, which may present privacy / safety issues.
+#
+# Even if set to 'false', authenticated users (ie., instance members)
+# will still be able to query the endpoint using an access token.
+#
+# Options: [true, false]
+# Default: false
+instance-expose-custom-emojis: false
+
 # Bool. This flag tweaks whether GoToSocial will deliver ActivityPub messages
 # to the shared inbox of a recipient, if one is available, instead of delivering
 # each message to each actor who should receive a message individually.

docs/swagger.go

@@ -41,6 +41,7 @@
 //   - read:applications: grants read access to user-managed applications
 //   - read:blocks: grants read access to blocks
 //   - read:bookmarks: grants read access to bookmarks
+//   - read:custom_emojis: grants read access to custom emojis
 //   - read:favourites: grants read access to accounts
 //   - read:filters: grants read access to filters
 //   - read:follows: grants read access to follows
@@ -99,6 +100,7 @@
 //	      read:applications: grants read access to user-managed applications
 //	      read:blocks: grants read access to blocks
 //	      read:bookmarks: grants read access to bookmarks
+//	      read:custom_emojis: grants read access to custom emojis
 //	      read:favourites: grants read access to accounts
 //	      read:filters: grants read access to filters
 //	      read:follows: grants read access to follows