PraxaLing / app /api /auth /login /route.ts
Reubencf's picture
Deploy PraxaLing: component refactor, bug fixes, unified neo-brutal design, Qwen3.5 everywhere
2992997
Raw
History Blame Contribute Delete
1.25 kB
import { NextResponse } from "next/server";
import { hfBuildAuthUrl, hfOriginFromRequest } from "@/lib/auth/hf";
export async function GET(req: Request) {
const url = new URL(req.url);
const client = url.searchParams.get("client") === "mobile" ? "mobile" : "web";
const origin = hfOriginFromRequest(req);
const redirectUri =
client === "mobile"
? `${origin}/api/auth/callback/huggingface?client=mobile`
: `${origin}/api/auth/callback/huggingface`;
const { url: authUrl, state, verifier } = hfBuildAuthUrl(redirectUri);
const res = NextResponse.redirect(authUrl.toString());
// SameSite=None so the cookies come back when HF redirects to the callback
// from a third-party context (e.g. our app is iframed inside huggingface.co/spaces/...).
// Requires Secure, which HF Spaces always serves under.
const isProd = process.env.NODE_ENV === "production";
const cookieOpts = {
httpOnly: true,
secure: isProd,
sameSite: isProd ? ("none" as const) : ("lax" as const),
path: "/",
maxAge: 60 * 10,
};
res.cookies.set("hf_oauth_state", state, cookieOpts);
res.cookies.set("hf_oauth_verifier", verifier, cookieOpts);
res.cookies.set("hf_oauth_client", client, cookieOpts);
return res;
}