Spaces:

akhaliq
/

anycoder

Running

App Files Files Community

akhaliq HF Staff commited on 18 days ago

Commit

4d53e2b

1 Parent(s): 63db11a

fix oauth issue

Browse files

Files changed (5) hide show

README.md +1 -0
backend_api.py +134 -3
frontend/src/app/page.tsx +19 -0
frontend/src/lib/api.ts +22 -0
frontend/src/lib/auth.ts +40 -0

README.md CHANGED Viewed

@@ -8,6 +8,7 @@ app_port: 7860
 pinned: false
 disable_embedding: false
 hf_oauth: true
 hf_oauth_scopes:
   - manage-repos
 ---

 pinned: false
 disable_embedding: false
 hf_oauth: true
+hf_oauth_expiration_minutes: 43200
 hf_oauth_scopes:
   - manage-repos
 ---

backend_api.py CHANGED Viewed

@@ -8,7 +8,7 @@ from pydantic import BaseModel
 from typing import Optional, List, Dict, AsyncGenerator
 import json
 import asyncio
-from datetime import datetime
 import secrets
 import base64
 import urllib.parse
@@ -140,6 +140,46 @@ oauth_states = {}
 user_sessions = {}
 # Pydantic models for request/response
 class CodeGenerationRequest(BaseModel):
     query: str
@@ -325,12 +365,18 @@ async def oauth_callback(code: str, state: str, request: Request):
             userinfo_response.raise_for_status()
             user_info = userinfo_response.json()
             # Create session
             session_token = secrets.token_urlsafe(32)
             user_sessions[session_token] = {
                 "access_token": access_token,
                 "user_info": user_info,
                 "timestamp": datetime.now(),
                 "username": user_info.get("name") or user_info.get("preferred_username") or "user",
                 "deployed_spaces": []  # Track deployed spaces for follow-up updates
             }
@@ -344,6 +390,21 @@ async def oauth_callback(code: str, state: str, request: Request):
             raise HTTPException(status_code=500, detail=f"OAuth failed: {str(e)}")
 @app.get("/api/auth/session")
 async def get_session(session: str):
     """Get user info from session token"""
@@ -351,6 +412,19 @@ async def get_session(session: str):
         raise HTTPException(status_code=401, detail="Invalid session")
     session_data = user_sessions[session]
     return {
         "access_token": session_data["access_token"],
         "user_info": session_data["user_info"],
@@ -359,14 +433,71 @@ async def get_session(session: str):
 @app.get("/api/auth/status")
 async def auth_status(authorization: Optional[str] = Header(None)):
-    """Check authentication status"""
     auth = get_auth_from_header(authorization)
-    if auth.is_authenticated():
         return AuthStatus(
             authenticated=True,
             username=auth.username,
             message=f"Authenticated as {auth.username}"
         )
     return AuthStatus(
         authenticated=False,
         username=None,

 from typing import Optional, List, Dict, AsyncGenerator
 import json
 import asyncio
+from datetime import datetime, timedelta
 import secrets
 import base64
 import urllib.parse
 user_sessions = {}
+def is_session_expired(session_data: dict) -> bool:
+    """Check if session has expired"""
+    expires_at = session_data.get("expires_at")
+    if not expires_at:
+        # If no expiration info, check if session is older than 8 hours
+        timestamp = session_data.get("timestamp", datetime.now())
+        return (datetime.now() - timestamp) > timedelta(hours=8)
+    return datetime.now() >= expires_at
+# Background task for cleaning up expired sessions
+async def cleanup_expired_sessions():
+    """Periodically clean up expired sessions"""
+    while True:
+        try:
+            await asyncio.sleep(3600)  # Run every hour
+            expired_sessions = []
+            for session_token, session_data in user_sessions.items():
+                if is_session_expired(session_data):
+                    expired_sessions.append(session_token)
+            for session_token in expired_sessions:
+                user_sessions.pop(session_token, None)
+                print(f"[Auth] Cleaned up expired session: {session_token[:10]}...")
+            if expired_sessions:
+                print(f"[Auth] Cleaned up {len(expired_sessions)} expired session(s)")
+        except Exception as e:
+            print(f"[Auth] Cleanup error: {e}")
+# Start cleanup task on app startup
+@app.on_event("startup")
+async def startup_event():
+    """Run startup tasks"""
+    asyncio.create_task(cleanup_expired_sessions())
+    print("[Startup] ✅ Session cleanup task started")
 # Pydantic models for request/response
 class CodeGenerationRequest(BaseModel):
     query: str
             userinfo_response.raise_for_status()
             user_info = userinfo_response.json()
+            # Calculate token expiration
+            # OAuth tokens typically have expires_in in seconds
+            expires_in = token_data.get("expires_in", 28800)  # Default 8 hours
+            expires_at = datetime.now() + timedelta(seconds=expires_in)
             # Create session
             session_token = secrets.token_urlsafe(32)
             user_sessions[session_token] = {
                 "access_token": access_token,
                 "user_info": user_info,
                 "timestamp": datetime.now(),
+                "expires_at": expires_at,
                 "username": user_info.get("name") or user_info.get("preferred_username") or "user",
                 "deployed_spaces": []  # Track deployed spaces for follow-up updates
             }
             raise HTTPException(status_code=500, detail=f"OAuth failed: {str(e)}")
+async def validate_token_with_hf(access_token: str) -> bool:
+    """Validate token with HuggingFace API"""
+    try:
+        async with httpx.AsyncClient() as client:
+            response = await client.get(
+                f"{OPENID_PROVIDER_URL}/oauth/userinfo",
+                headers={"Authorization": f"Bearer {access_token}"},
+                timeout=5.0
+            )
+            return response.status_code == 200
+    except Exception as e:
+        print(f"[Auth] Token validation error: {e}")
+        return False
 @app.get("/api/auth/session")
 async def get_session(session: str):
     """Get user info from session token"""
         raise HTTPException(status_code=401, detail="Invalid session")
     session_data = user_sessions[session]
+    # Check if session has expired
+    if is_session_expired(session_data):
+        # Clean up expired session
+        user_sessions.pop(session, None)
+        raise HTTPException(status_code=401, detail="Session expired. Please sign in again.")
+    # Validate token with HuggingFace
+    if not await validate_token_with_hf(session_data["access_token"]):
+        # Token is invalid, clean up session
+        user_sessions.pop(session, None)
+        raise HTTPException(status_code=401, detail="Authentication expired. Please sign in again.")
     return {
         "access_token": session_data["access_token"],
         "user_info": session_data["user_info"],
 @app.get("/api/auth/status")
 async def auth_status(authorization: Optional[str] = Header(None)):
+    """Check authentication status and validate token"""
     auth = get_auth_from_header(authorization)
+    if not auth.is_authenticated():
+        return AuthStatus(
+            authenticated=False,
+            username=None,
+            message="Not authenticated"
+        )
+    # For dev tokens, skip validation
+    if auth.token and auth.token.startswith("dev_token_"):
+        return AuthStatus(
+            authenticated=True,
+            username=auth.username,
+            message=f"Authenticated as {auth.username} (dev mode)"
+        )
+    # For session tokens, check expiration and validate
+    token = authorization.replace("Bearer ", "") if authorization else None
+    if token and "-" in token and len(token) > 20 and token in user_sessions:
+        session_data = user_sessions[token]
+        # Check if session has expired
+        if is_session_expired(session_data):
+            # Clean up expired session
+            user_sessions.pop(token, None)
+            return AuthStatus(
+                authenticated=False,
+                username=None,
+                message="Session expired"
+            )
+        # Validate token with HuggingFace
+        if not await validate_token_with_hf(session_data["access_token"]):
+            # Token is invalid, clean up session
+            user_sessions.pop(token, None)
+            return AuthStatus(
+                authenticated=False,
+                username=None,
+                message="Authentication expired"
+            )
         return AuthStatus(
             authenticated=True,
             username=auth.username,
             message=f"Authenticated as {auth.username}"
         )
+    # For direct OAuth tokens, validate with HF
+    if auth.token:
+        is_valid = await validate_token_with_hf(auth.token)
+        if is_valid:
+            return AuthStatus(
+                authenticated=True,
+                username=auth.username,
+                message=f"Authenticated as {auth.username}"
+            )
+        else:
+            return AuthStatus(
+                authenticated=False,
+                username=None,
+                message="Token expired or invalid"
+            )
     return AuthStatus(
         authenticated=False,
         username=None,

frontend/src/app/page.tsx CHANGED Viewed

@@ -95,6 +95,25 @@ export default function Home() {
     return () => window.removeEventListener('storage', handleStorageChange);
   }, []);
   // Listen for window focus (user returns to tab after OAuth redirect)
   // Only check if backend was available before or if we're authenticated with token
   useEffect(() => {

     return () => window.removeEventListener('storage', handleStorageChange);
   }, []);
+  // Listen for authentication expiration events
+  useEffect(() => {
+    const handleAuthExpired = (e: CustomEvent) => {
+      console.log('[Auth] Session expired:', e.detail?.message);
+      // Clear authentication state
+      setIsAuthenticated(false);
+      setUsername(null);
+      apiClient.setToken(null);
+      // Show alert to user
+      if (typeof window !== 'undefined') {
+        alert(e.detail?.message || 'Your session has expired. Please sign in again.');
+      }
+    };
+    window.addEventListener('auth-expired', handleAuthExpired as EventListener);
+    return () => window.removeEventListener('auth-expired', handleAuthExpired as EventListener);
+  }, []);
   // Listen for window focus (user returns to tab after OAuth redirect)
   // Only check if backend was available before or if we're authenticated with token
   useEffect(() => {

frontend/src/lib/api.ts CHANGED Viewed

@@ -60,6 +60,28 @@ class ApiClient {
       return config;
     });
     // Load token from localStorage on client side
     if (typeof window !== 'undefined') {
       this.token = localStorage.getItem('hf_oauth_token');

       return config;
     });
+    // Add response interceptor to handle authentication errors
+    this.client.interceptors.response.use(
+      (response) => response,
+      (error) => {
+        // Handle 401 errors (expired/invalid authentication)
+        if (error.response && error.response.status === 401) {
+          // Clear authentication data
+          if (typeof window !== 'undefined') {
+            localStorage.removeItem('hf_oauth_token');
+            localStorage.removeItem('hf_user_info');
+            this.token = null;
+            // Dispatch custom event to notify UI components
+            window.dispatchEvent(new CustomEvent('auth-expired', {
+              detail: { message: 'Your session has expired. Please sign in again.' }
+            }));
+          }
+        }
+        return Promise.reject(error);
+      }
+    );
     // Load token from localStorage on client side
     if (typeof window !== 'undefined') {
       this.token = localStorage.getItem('hf_oauth_token');

frontend/src/lib/auth.ts CHANGED Viewed

@@ -178,6 +178,46 @@ export function isAuthenticated(): boolean {
   return getStoredToken() !== null;
 }
 /**
  * Development mode login (mock authentication)
  */

   return getStoredToken() !== null;
 }
+/**
+ * Validate authentication with backend
+ * Returns true if authenticated, false if session expired
+ */
+export async function validateAuthentication(): Promise<boolean> {
+  const token = getStoredToken();
+  if (!token) {
+    return false;
+  }
+  // Skip validation for dev mode tokens
+  if (isDevelopment && token.startsWith('dev_token_')) {
+    return true;
+  }
+  try {
+    const response = await fetch(`${API_BASE}/auth/status`, {
+      headers: {
+        'Authorization': `Bearer ${token}`,
+      },
+    });
+    if (response.status === 401) {
+      // Session expired, clean up
+      logout();
+      return false;
+    }
+    if (!response.ok) {
+      return false;
+    }
+    const data = await response.json();
+    return data.authenticated === true;
+  } catch (error) {
+    console.error('Failed to validate authentication:', error);
+    return false;
+  }
+}
 /**
  * Development mode login (mock authentication)
  */