import { NextResponse } from "next/server"; import { hfBuildAuthUrl, hfOriginFromRequest } from "@/lib/auth/hf"; export async function GET(req: Request) { const url = new URL(req.url); const client = url.searchParams.get("client") === "mobile" ? "mobile" : "web"; const origin = hfOriginFromRequest(req); const redirectUri = client === "mobile" ? `${origin}/api/auth/callback/huggingface?client=mobile` : `${origin}/api/auth/callback/huggingface`; const { url: authUrl, state, verifier } = hfBuildAuthUrl(redirectUri); const res = NextResponse.redirect(authUrl.toString()); // SameSite=None so the cookies come back when HF redirects to the callback // from a third-party context (e.g. our app is iframed inside huggingface.co/spaces/...). // Requires Secure, which HF Spaces always serves under. const isProd = process.env.NODE_ENV === "production"; const cookieOpts = { httpOnly: true, secure: isProd, sameSite: isProd ? ("none" as const) : ("lax" as const), path: "/", maxAge: 60 * 10, }; res.cookies.set("hf_oauth_state", state, cookieOpts); res.cookies.set("hf_oauth_verifier", verifier, cookieOpts); res.cookies.set("hf_oauth_client", client, cookieOpts); return res; }