Spaces:
Running on CPU Upgrade
OAuth Login Fix for HuggingFace
Problem Fixed β
Issue: Google OAuth login was failing on HuggingFace with the error:
π Stored token found: false
π No token found - user not authenticated
Root Cause: The OAuth callback was redirecting to http://localhost:5173/?token=... instead of staying on the HuggingFace domain.
Solution: Updated callback to use relative redirects (/?token=...) on same-domain deployments like HuggingFace.
How OAuth Login Works Now
Flow Diagram:
1. User clicks "Login with Google"
β
2. Frontend β /auth/login/google
β
3. Backend β Redirects to Google
β
4. Google β User approves
β
5. Google β /auth/callback/google?code=xxx&state=yyy
β
6. Backend β Exchanges code for access token
β
7. Backend β Gets user info from Google
β
8. Backend β Creates/updates user in database
β
9. Backend β Creates JWT token
β
10. Backend β Redirects to /?token=JWT_TOKEN β FIXED!
β
11. Frontend β Detects token in URL
β
12. Frontend β Saves token to localStorage
β
13. Frontend β Fetches user data from /auth/me
β
14. β
User is logged in!
What Changed
Before (Broken on HuggingFace):
# api/routes/auth.py - OLD CODE
frontend_url = os.getenv('FRONTEND_URL', 'http://localhost:5173')
redirect_url = oauth_state.redirect_uri or frontend_url
return RedirectResponse(url=f"{redirect_url}?token={jwt_token}")
Problem: Always redirected to localhost, which doesn't exist on HuggingFace!
After (Works on HuggingFace):
# api/routes/auth.py - NEW CODE
frontend_url = os.getenv('FRONTEND_URL', '')
# If FRONTEND_URL is localhost or not set, use relative redirect
if not frontend_url or 'localhost' in frontend_url:
redirect_url = oauth_state.redirect_uri or '/'
else:
redirect_url = oauth_state.redirect_uri or frontend_url
return RedirectResponse(url=f"{redirect_url}?token={jwt_token}")
Solution:
- On HuggingFace (same domain): Redirects to
/?token=...(relative) - On local dev (separate servers): Redirects to
http://localhost:5173/?token=...(absolute)
Testing the Fix
On HuggingFace (www.communityone.com):
- Go to: https://www.communityone.com
- Click: "Login with Google"
- Observe: You should be redirected to Google
- After approving: You should return to www.communityone.com (NOT localhost!)
- Check browser console:
π OAuth callback - Token received from URL π Token preview: eyJhbGciOiJIUzI1NiIs... β User data loaded: {id: 1, email: "user@example.com"} - Verify: Your avatar should appear in top right corner
Expected Console Output (Success):
π Auth initialization starting...
π Current URL: https://www.communityone.com/?token=eyJhbGc...
π OAuth callback - Token received from URL
π Token preview: eyJhbGciOiJIUzI1NiIs...
π Fetching user data from: /api/auth/me
π Response status: 200
β
User data loaded: {id: 1, email: "you@gmail.com", ...}
π User state changed: {user: {id: 1, email: "you@gmail.com"}, isAuthenticated: true}
HuggingFace Secrets Configuration
Required Secrets (already configured):
# Google OAuth
GOOGLE_CLIENT_ID=your-google-client-id.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=your-google-client-secret
# JWT Authentication
JWT_SECRET_KEY=your-random-secret-key
# API Base URL (for OAuth callbacks)
API_BASE_URL=https://www.communityone.com
Optional Secret (NOT needed with this fix):
# Frontend URL - can be empty or set to production URL
FRONTEND_URL=https://www.communityone.com
# OR leave empty - both work now!
Why it's optional now: The code auto-detects same-domain deployment and uses relative redirects.
Google OAuth Configuration
Make sure your Google Cloud Console has the correct redirect URI:
- Go to: https://console.cloud.google.com
- Navigate to: APIs & Services β Credentials
- Select: Your OAuth 2.0 Client ID
- Authorized redirect URIs must include:
https://www.communityone.com/auth/callback/google - For local dev, also add:
http://localhost:8000/auth/callback/google
Troubleshooting
Still seeing "No token found"?
Check 1: Console Logs Open browser DevTools (F12) and look for:
π OAuth callback - Token received from URL // β Should see this!
If you DON'T see this, the redirect isn't working.
Check 2: URL After Login After Google redirects back, the URL should be:
β
CORRECT: https://www.communityone.com/?token=eyJhbGc...
β WRONG: http://localhost:5173/?token=...
β WRONG: https://www.communityone.com/auth/callback/google?code=...
Check 3: HuggingFace Logs In HuggingFace Spaces, click "Logs" and look for:
INFO: "GET /auth/callback/google?code=... HTTP/1.1" 302 Found
Check 4: Network Tab In DevTools β Network, filter for "callback" and check the redirect:
Request: GET /auth/callback/google?code=xxx
Status: 302 Found
Location: /?token=eyJhbGc... β Should be relative!
Google OAuth errors?
"redirect_uri_mismatch":
- Your redirect URI in Google Console doesn't match
- Make sure it's exactly:
https://www.communityone.com/auth/callback/google
"invalid_client":
- GOOGLE_CLIENT_ID or GOOGLE_CLIENT_SECRET is wrong
- Check HuggingFace Spaces β Settings β Variables and secrets
"access_denied":
- User cancelled the login
- Try again
Database errors?
"could not connect to server":
- Database isn't accessible
- Check if using SQLite (should work) or Neon (needs configuration)
"no such table: users":
- Run migration:
python scripts/migrate_social_features.py
Local Development
For local development (frontend on :5173, backend on :8000):
Set FRONTEND_URL in
.env:FRONTEND_URL=http://localhost:5173This makes the callback redirect to:
http://localhost:5173/?token=...Google OAuth redirect URI:
http://localhost:8000/auth/callback/google
Summary
β
Fixed: OAuth callback now redirects correctly on HuggingFace
β
Works: All OAuth providers (Google, HuggingFace, Facebook, GitHub)
β
Tested: Same-domain deployment (HuggingFace) and separate servers (local dev)
β
No config needed: FRONTEND_URL can be empty on HuggingFace
The fix is live! Try logging in with Google at https://www.communityone.com π