Christian Kniep committed on
Commit 32cff9c
1 Parent(s): 5b9bd19

'minor change to trigger build'

Files changed (2)
  1. HF_OAUTH_CONFIG.md +0 -113
  2. OAUTH_FIX_QUICKSTART.md +0 -117
HF_OAUTH_CONFIG.md DELETED
@@ -1,113 +0,0 @@
1
- # HuggingFace Spaces OAuth Configuration
2
-
3
- ## Required Configuration for OAuth to Work
4
-
5
- ### 1. Space Settings → Variables (Environment Variables)
6
-
7
- Add these environment variables in your HuggingFace Space settings:
8
-
9
- ```bash
10
- # Required for OAuth functionality
11
- SESSION_COOKIE_SECURE=true
12
- SESSION_COOKIE_SAMESITE=None
13
-
14
- # Optional but recommended
15
- PREFERRED_URL_SCHEME=https
16
- ```
17
-
18
- **Why these are needed:**
19
- - `SESSION_COOKIE_SECURE=true` - Ensures cookies are only sent over HTTPS
20
- - `SESSION_COOKIE_SAMESITE=None` - Allows cookies to work in cross-site context (HF iframe)
21
- - `PREFERRED_URL_SCHEME=https` - Ensures Flask generates HTTPS URLs
22
-
23
- ### 2. README.md Header (if using HF OAuth)
24
-
25
- If you want to use HuggingFace's built-in OAuth (recommended), add this to your README.md:
26
-
27
- ```yaml
28
- ---
29
- title: MemPrepMate
30
- emoji: 🧠
31
- colorFrom: blue
32
- colorTo: purple
33
- sdk: docker
34
- pinned: false
35
- hf_oauth: true
36
- hf_oauth_scopes:
37
- - openid
38
- - profile
39
- - email
40
- ---
41
- ```
42
-
43
- **What `hf_oauth: true` does:**
44
- - Automatically sets `OAUTH_CLIENT_ID` and `OAUTH_CLIENT_SECRET`
45
- - Configures OAuth redirect URI to `https://YOUR-SPACE.hf.space/oauth/callback`
46
- - No need to manually manage OAuth credentials
47
-
48
- ### 3. Alternative: Manual OAuth Configuration
49
-
50
- If NOT using `hf_oauth: true`, you need to manually set:
51
-
52
- ```bash
53
- # Space Settings → Variables
54
- OAUTH_CLIENT_ID=your-client-id
55
- OAUTH_CLIENT_SECRET=your-client-secret
56
-
57
- # Or for custom OAuth provider
58
- HF_CLIENT_ID=your-client-id
59
- HF_CLIENT_SECRET=your-client-secret
60
- HF_AUTHORIZATION_URL=https://your-oauth-provider.com/authorize
61
- HF_TOKEN_URL=https://your-oauth-provider.com/token
62
- HF_USERINFO_URL=https://your-oauth-provider.com/userinfo
63
- ```
64
-
65
- ## Current Configuration Check
66
-
67
- To verify your configuration is correct, check the Space logs for:
68
-
69
- ```
70
- [CONFIG] ENVIRONMENT VARIABLES CHECK:
71
- [CONFIG] SESSION_COOKIE_SECURE env var: true ← Should be 'true'
72
- [CONFIG] SESSION_COOKIE_SAMESITE env var: None ← Should be 'None'
73
- [CONFIG] PREFERRED_URL_SCHEME env var: https ← Should be 'https'
74
- ```
75
-
76
- If you see:
77
- ```
78
- ⚠️ WARNING: OAuth will FAIL - cookie won't persist!
79
- ```
80
-
81
- Then you need to add the environment variables above.
82
-
83
- ## Troubleshooting OAuth State Error
84
-
85
- The error you're seeing:
86
- ```
87
- MismatchingStateError: mismatching_state: CSRF Warning! State not equal in request and response.
88
- ```
89
-
90
- Is caused by **session state not being preserved** between `/oauth/login` and `/oauth/callback`.
91
-
92
- **Common causes:**
93
- 1. ❌ Missing `SESSION_COOKIE_SECURE=true` and `SESSION_COOKIE_SAMESITE=None`
94
- 2. ❌ Code manually saving session incorrectly (overwriting Authlib's state)
95
- 3. ❌ Browser blocking third-party cookies in iframe context
96
-
97
- **Fix checklist:**
98
- - ✅ Set environment variables above
99
- - ✅ Remove manual `save_session()` call from auth.py
100
- - ✅ Let Flask's automatic session handling work
101
- - ✅ Ensure Storage Access API is enabled in base.html (for Safari)
102
-
103
- ## Verification Steps
104
-
105
- 1. Set environment variables in Space settings
106
- 2. Deploy the fixed auth.py (see separate commit)
107
- 3. Wait for Space to rebuild (~2-3 minutes)
108
- 4. Test OAuth flow
109
- 5. Check logs for:
110
- - `[OAUTH] Session keys after authorize_redirect: [..., '_state_huggingface_<random>']`
111
- - Callback should show: `[OAUTH] Session keys: [..., '_state_huggingface_<random>']`
112
-
113
- If state key is present in both login and callback logs, OAuth should work.
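Review bot: the commit message 'minor change to trigger build' does not describe this hunk, which removes HF_OAUTH_CONFIG.md in full (`@@ -1,113 +0,0 @@`); if the goal was only to force a rebuild, a no-op touch would do, and if the document is intentionally retired the message should say so and point to where the OAuth setup guidance now lives. One correction is worth carrying over before the text leaves the tree: the "Manual OAuth Configuration" section tells readers to put `OAUTH_CLIENT_SECRET=your-client-secret` and `HF_CLIENT_SECRET=your-client-secret` under "Space Settings → Variables", but Space Variables are public environment variables, so client secrets belong under the Space's Secrets instead. The `SESSION_COOKIE_SECURE=true` plus `SESSION_COOKIE_SAMESITE=None` pairing is correct (browsers drop a `SameSite=None` cookie that is not also `Secure`), so that part of the guidance should be preserved wherever it moves.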
OAUTH_FIX_QUICKSTART.md DELETED
@@ -1,117 +0,0 @@
1
- # Quick Fix for OAuth MismatchingStateError
2
-
3
- ## The Problem
4
-
5
- Your auth.py file was manually calling `save_session()` AFTER `authorize_redirect()`, which **overwrites** the session cookie that Authlib created. This causes the OAuth state to be lost.
6
-
7
- ## The Fix Applied
8
-
9
- ✅ **Removed the manual `save_session()` call** from [auth.py](webapp/src/routes/auth.py) lines 46-54
10
-
11
- **Before (BROKEN):**
12
- ```python
13
- response = auth_service.hf.authorize_redirect(redirect_uri)
14
- # ❌ This overwrites Authlib's response and loses the state
15
- current_app.session_interface.save_session(current_app, session, response)
16
- return response
17
- ```
18
-
19
- **After (FIXED):**
20
- ```python
21
- response = auth_service.hf.authorize_redirect(redirect_uri)
22
- # ✅ Flask's after_request automatically saves session with state
23
- return response
24
- ```
25
-
26
- ## HuggingFace Space Environment Variables YOU NEED TO SET
27
-
28
- Go to your Space Settings → Variables and add:
29
-
30
- ```bash
31
- SESSION_COOKIE_SECURE=true
32
- SESSION_COOKIE_SAMESITE=None
33
- PREFERRED_URL_SCHEME=https
34
- ```
35
-
36
- ### Why These Are Critical
37
-
38
- Without these, your session cookies won't persist in the HuggingFace iframe:
39
- - **SESSION_COOKIE_SECURE=true** - Required for HTTPS (HF Spaces are always HTTPS)
40
- - **SESSION_COOKIE_SAMESITE=None** - Required for cross-site cookies (HF iframe embedding)
41
- - **PREFERRED_URL_SCHEME=https** - Ensures Flask generates correct URLs
42
-
43
- ## Deploy Steps
44
-
45
- 1. **Set environment variables** (see above)
46
- 2. **Copy fixed auth.py to HF repo:**
47
- ```bash
48
- cp webapp/src/routes/auth.py ~/src/huggingface.co/spaces/Memverge/MemPrepMate/src/routes/
49
- ```
50
- 3. **Commit and push:**
51
- ```bash
52
- cd ~/src/huggingface.co/spaces/Memverge/MemPrepMate
53
- git add src/routes/auth.py
54
- git commit -m "fix: Remove manual session save that breaks OAuth state"
55
- git push
56
- ```
57
- 4. **Wait for rebuild** (~2-3 minutes)
58
-
59
- ## Verification
60
-
61
- After deployment, check the logs at https://huggingface.co/spaces/Memverge/MemPrepMate/logs
62
-
63
- ### ✅ Success Indicators
64
-
65
- **Login phase:**
66
- ```
67
- [OAUTH] Session keys after authorize_redirect: [..., '_state_huggingface_ABC123']
68
- ```
69
-
70
- **Callback phase:**
71
- ```
72
- [OAUTH] State keys in session: ['_state_huggingface_ABC123']
73
- [OAUTH] State from URL: ABC123
74
- ```
75
-
76
- ### ❌ Failure Indicators
77
-
78
- **If you see:**
79
- ```
80
- [OAUTH] State keys in session: []
81
- [OAUTH] OAuth state in session: None
82
- ERROR: MismatchingStateError
83
- ```
84
-
85
- **Then check:**
86
- 1. Environment variables are set correctly
87
- 2. auth.py doesn't have manual `save_session()` call
88
- 3. Space rebuilt after changes
89
-
90
- ## README.md Configuration (Optional but Recommended)
91
-
92
- Add to the top of your README.md:
93
-
94
- ```yaml
95
- ---
96
- title: MemPrepMate
97
- emoji: 🧠
98
- sdk: docker
99
- hf_oauth: true
100
- hf_oauth_scopes:
101
- - openid
102
- - profile
103
- - email
104
- ---
105
- ```
106
-
107
- This enables HF's built-in OAuth and automatically sets OAUTH_CLIENT_ID/SECRET.
108
-
109
- ## Quick Test
110
-
111
- After deployment:
112
- 1. Go to your Space URL
113
- 2. Click "Login with HuggingFace"
114
- 3. Authorize the app
115
- 4. Should redirect to `/profile` (NOT back to login in a loop)
116
-
117
- If it works, you'll see your profile. If not, check the logs for the error indicators above.
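Review bot: the reasoning behind the OAuth state fix is lost with this hunk, and the commit message 'minor change to trigger build' gives no hint that OAUTH_FIX_QUICKSTART.md was removed: the deleted text is the only place that records that the manual `current_app.session_interface.save_session(current_app, session, response)` call after `authorize_redirect` replaced the session cookie Authlib had just written, which is what produced `MismatchingStateError`. Keep at least the before/after snippet and the pointer to auth.py lines 46-54 as a comment next to the `authorize_redirect` call, or in the commit message, so the save is not reintroduced later. If the verification section is republished elsewhere, note that the success indicator `[OAUTH] State from URL: ABC123` prints the OAuth `state` value verbatim into Space logs; that value is the CSRF token for the login round-trip and is better logged as present/absent than in full.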