| import { NextResponse } from "next/server"; | |
| import { hfBuildAuthUrl, hfOriginFromRequest } from "@/lib/auth/hf"; | |
| export async function GET(req: Request) { | |
| const url = new URL(req.url); | |
| const client = url.searchParams.get("client") === "mobile" ? "mobile" : "web"; | |
| const origin = hfOriginFromRequest(req); | |
| const redirectUri = | |
| client === "mobile" | |
| ? `${origin}/api/auth/callback/huggingface?client=mobile` | |
| : `${origin}/api/auth/callback/huggingface`; | |
| const { url: authUrl, state, verifier } = hfBuildAuthUrl(redirectUri); | |
| const res = NextResponse.redirect(authUrl.toString()); | |
| // SameSite=None so the cookies come back when HF redirects to the callback | |
| // from a third-party context (e.g. our app is iframed inside huggingface.co/spaces/...). | |
| // Requires Secure, which HF Spaces always serves under. | |
| const isProd = process.env.NODE_ENV === "production"; | |
| const cookieOpts = { | |
| httpOnly: true, | |
| secure: isProd, | |
| sameSite: isProd ? ("none" as const) : ("lax" as const), | |
| path: "/", | |
| maxAge: 60 * 10, | |
| }; | |
| res.cookies.set("hf_oauth_state", state, cookieOpts); | |
| res.cookies.set("hf_oauth_verifier", verifier, cookieOpts); | |
| res.cookies.set("hf_oauth_client", client, cookieOpts); | |
| return res; | |
| } | |