Update app.py

app.py

@@ -1,14 +1,23 @@
+import os
+import tempfile
+
+# ==================================================
+# CRITICAL FIX: SET HF CACHE TO WRITABLE DIR
+# ==================================================
+# Hugging Face libraries try to write to /home/user/.cache by default, 
+# which is read-only in some Space configurations. We map it to /tmp.
+os.environ["HF_HOME"] = "/tmp/hf_home"
+os.environ["XDG_CACHE_HOME"] = "/tmp/xdg_cache"
+
 from fastapi import FastAPI, Request, Form, HTTPException, Query
 from fastapi.middleware.cors import CORSMiddleware
 from fastapi.responses import HTMLResponse, RedirectResponse, JSONResponse
 import httpx
 import json
 import logging
-import os
 import asyncio
 import secrets
 import shutil
-import tempfile
 import html as html_escape_lib
 from typing import Optional, List
 from datetime import datetime, timezone
@@ -44,7 +53,6 @@ TEMP_DIR = "/tmp/fundata_downloads"
 try:
     os.makedirs(TEMP_DIR, exist_ok=True)
 except OSError:
-    # Fallback to python's temp dir if /tmp/fundata_downloads fails
     TEMP_DIR = tempfile.mkdtemp()
 
 # ==================================================
@@ -93,8 +101,6 @@ ALBUM_CATEGORIES = dict(DEFAULT_ALBUM_CATEGORIES)
 # ==================================================
 # LOCKS & STATE
 # ==================================================
-# We use in-memory cache for the index to avoid spamming HF API,
-# but we write back to HF on changes.
 INDEX_CACHE = {"videos": []}
 CONFIG_CACHE = {}
 DATA_LOCK = asyncio.Lock()
@@ -114,13 +120,11 @@ api = HfApi(token=HF_TOKEN)
 
 def get_hf_url(path_in_repo: str) -> str:
     """Returns the direct download URL for a file in the dataset."""
-    # Using ?download=true helps force the browser to treat it as a file
     return f"https://huggingface.co/datasets/{HF_REPO_ID}/resolve/main/{path_in_repo}?download=true"
 
 async def sync_pull_json(filename: str, default: dict) -> dict:
     """Download JSON from HF. Returns default if not found."""
     try:
-        # Run blocking HF call in thread
         loop = asyncio.get_event_loop()
         local_path = await loop.run_in_executor(
             None,
@@ -129,6 +133,8 @@ async def sync_pull_json(filename: str, default: dict) -> dict:
                 filename=filename,
                 repo_type=HF_REPO_TYPE,
                 token=HF_TOKEN,
+                # Explicitly use cache_dir to avoid permission errors
+                cache_dir="/tmp/hf_cache",
                 local_dir=TEMP_DIR
             )
         )
@@ -145,12 +151,10 @@ async def sync_push_json(filename: str, data: dict):
         return
 
     try:
-        # Save to temp
         temp_path = os.path.join(TEMP_DIR, filename)
         with open(temp_path, "w", encoding="utf-8") as f:
             json.dump(data, f, indent=2)
         
-        # Upload
         loop = asyncio.get_event_loop()
         await loop.run_in_executor(
             None, 
@@ -170,7 +174,6 @@ async def sync_push_file(local_path: str, remote_path: str) -> bool:
     if not HF_TOKEN: 
         return False
         
-    # Verify file exists and is readable
     if not os.path.exists(local_path):
         logging.error(f"Upload failed: Local file not found at {local_path}")
         return False
@@ -187,7 +190,6 @@ async def sync_push_file(local_path: str, remote_path: str) -> bool:
                 commit_message=f"Add media {remote_path}"
             )
         )
-        # Small delay to let HF API catch up and prevent 429/File Lock issues
         await asyncio.sleep(2.0) 
         return True
     except Exception as e:
@@ -213,7 +215,6 @@ async def load_state_from_hf():
         ALBUM_CATEGORIES = dict(CONFIG_CACHE.get("album_categories", {}))
 
 async def save_index():
-    # Caller should hold lock usually, but atomic write helps
     await sync_push_json("index.json", INDEX_CACHE)
 
 async def save_config():
@@ -239,9 +240,8 @@ async def backfill_index_categories():
                 v["category"] = correct_category
                 changed = True
             
-            # Ensure allowed_divs exists
             if "allowed_divs" not in v:
-                v["allowed_divs"] = [] # Default to empty (Global)
+                v["allowed_divs"] = []
                 changed = True
 
         if changed:
@@ -293,10 +293,7 @@ async def get_asset_urls(base_url: str, guids: list) -> dict:
     return (await post_json("webasseturls", base_url, payload)).get("items", {})
 
 async def download_to_temp(url: str, filename: str) -> str:
-    # Use the explicitly created safe temp directory
     path = os.path.join(TEMP_DIR, filename)
-    
-    # Remove if exists to ensure clean slate
     if os.path.exists(path):
         os.remove(path)
 
@@ -306,7 +303,6 @@ async def download_to_temp(url: str, filename: str) -> str:
         with open(path, "wb") as f:
             async for chunk in r.aiter_bytes():
                 f.write(chunk)
-    
     return path
 
 # ==================================================
@@ -319,7 +315,7 @@ async def poll_album(token: str):
 
         metadata = await get_metadata(base_url)
         if not metadata:
-            return # Empty album, skip to prevent errors
+            return 
 
         guids = [p["photoGuid"] for p in metadata]
         if not guids:
@@ -355,13 +351,11 @@ async def poll_album(token: str):
             asset = assets[best["checksum"]]
             video_url = f"https://{asset['url_location']}{asset['url_path']}"
             
-            # --- PROCESS VIDEO ---
             temp_vid = await download_to_temp(video_url, f"{vid}.mp4")
             hf_vid_path = f"videos/{token}/{vid}.mp4"
             
             vid_success = await sync_push_file(temp_vid, hf_vid_path)
             
-            # Cleanup temp video safely
             try:
                 if os.path.exists(temp_vid):
                     os.remove(temp_vid)
@@ -369,9 +363,8 @@ async def poll_album(token: str):
                 logging.warning(f"Cleanup error for {vid}: {e}")
 
             if not vid_success:
-                continue # Skip entry if video upload failed
+                continue 
 
-            # --- PROCESS THUMBNAIL ---
             final_thumb_url = ""
             pf = derivatives.get("PosterFrame")
             if pf and pf.get("checksum") in assets:
@@ -383,7 +376,6 @@ async def poll_album(token: str):
                 
                 thumb_success = await sync_push_file(temp_thumb, hf_thumb_path)
                 
-                # Cleanup temp thumb safely
                 try:
                     if os.path.exists(temp_thumb):
                         os.remove(temp_thumb)
@@ -439,213 +431,16 @@ async def start_polling():
 # ==================================================
 @app.get("/feed/videos")
 async def get_video_feed(div: Optional[int] = Query(None, description="School Division (1-25)")):
-    """
-    Returns videos. 
-    If 'div' is provided, returns:
-      1. Videos with NO specific allowed_divs (Global).
-      2. Videos where 'div' is explicitly in allowed_divs.
-    """
     async with DATA_LOCK:
         videos = INDEX_CACHE.get("videos", [])
     
-    # If no div specified, return everything? Or everything that isn't restricted?
-    # Usually feed returns everything accessible.
     if div is None:
         return {"videos": videos}
 
-    # Validate Div
     if div not in VALID_DIVISIONS:
-        # If invalid div provided, maybe return empty or error? 
-        # For safety, let's return empty or just global ones.
         return {"videos": [v for v in videos if not v.get("allowed_divs")]}
 
     filtered_videos = []
     for v in videos:
         allowed = v.get("allowed_divs", [])
-        # Include if: No restrictions defined OR Div is in list
-        if not allowed or div in allowed:
-            filtered_videos.append(v)
-
-    return {"videos": filtered_videos}
-
-# ==================================================
-# ADMIN: LOGIN
-# ==================================================
-@app.get("/admin/login", response_class=HTMLResponse)
-async def admin_login_page():
-    if not admin_enabled():
-        return HTMLResponse("Admin disabled (ADMIN_KEY missing)", status_code=503)
-    return """
-    <html><body style="background:#111;color:#fff;display:flex;justify-content:center;align-items:center;height:100vh;font-family:sans-serif;">
-    <form method="post" style="padding:20px;border:1px solid #333;border-radius:10px;background:#1a1a1a;">
-    <h2>Admin</h2><input type="password" name="key" placeholder="Key" style="padding:10px;width:100%;margin-bottom:10px;">
-    <button style="padding:10px;width:100%;cursor:pointer;">Login</button>
-    </form></body></html>
-    """
-
-@app.post("/admin/login")
-async def admin_login(key: str = Form(...)):
-    if not admin_enabled() or not secure_equals(key.strip(), str(ADMIN_KEY).strip()):
-        return HTMLResponse("Unauthorized", status_code=401)
-    session = secrets.token_hex(16)
-    ADMIN_SESSIONS.add(session)
-    resp = RedirectResponse("/admin", status_code=302)
-    resp.set_cookie(ADMIN_COOKIE, session, httponly=True)
-    return resp
-
-@app.get("/admin/logout")
-async def admin_logout(req: Request):
-    if (s := req.cookies.get(ADMIN_COOKIE)) in ADMIN_SESSIONS: ADMIN_SESSIONS.remove(s)
-    return RedirectResponse("/admin/login")
-
-# ==================================================
-# ADMIN DASHBOARD
-# ==================================================
-def esc(v) -> str: return html_escape_lib.escape("" if v is None else str(v), quote=True)
-
-ADMIN_TEMPLATE = """
-<html>
-<head>
-<title>Admin</title>
-<style>
-body{font-family:sans-serif;background:#111;color:#ddd;padding:20px;}
-table{width:100%;border-collapse:collapse;margin-top:20px;}
-th,td{border-bottom:1px solid #333;padding:8px;text-align:left;}
-input{background:#222;border:1px solid #444;color:#fff;padding:5px;border-radius:4px;width:100%;}
-button{background:#444;color:#fff;border:none;padding:5px 10px;cursor:pointer;border-radius:4px;}
-.pill{padding:4px 8px;background:#004400;border-radius:10px;font-size:0.8em;}
-</style>
-</head>
-<body>
-<h1>Admin Panel <a href="/admin/logout" style="font-size:0.5em;color:#888;">Logout</a></h1>
-
-<h3>Albums</h3>
-<table>
-<tr><th>Token</th><th>Publisher</th><th>Category</th><th>Action</th></tr>
-__ALBUM_ROWS__
-<tr>
-<td><input id="n_t" placeholder="Token"></td>
-<td><input id="n_p" placeholder="Publisher"></td>
-<td><input id="n_c" placeholder="Category"></td>
-<td><button onclick="addAlbum()">Add</button></td>
-</tr>
-</table>
-
-<h3>Videos</h3>
-<p style="font-size:0.8em;color:#888;">Allowed Divs: Comma separated (e.g. <code>1,5,25</code>). Leave empty for ALL.</p>
-<table>
-<tr><th>ID</th><th>Name</th><th>Divs (1-25)</th><th>Category</th><th>Publisher</th><th>Action</th></tr>
-__VIDEO_ROWS__
-</table>
-
-<script>
-async function api(ep, data) {
-    await fetch(ep, {method:'POST', headers:{'Content-Type':'application/json'}, body:JSON.stringify(data)});
-    location.reload();
-}
-document.querySelectorAll('input[data-id]').forEach(i => {
-    i.addEventListener('change', (e) => api('/admin/update', {
-        id: e.target.dataset.id, 
-        field: e.target.dataset.field, 
-        value: e.target.value
-    }));
-});
-function addAlbum(){
-    api('/admin/albums/add', {
-        token: document.getElementById('n_t').value,
-        publisher: document.getElementById('n_p').value,
-        category: document.getElementById('n_c').value
-    });
-}
-</script>
-</body>
-</html>
-"""
-
-@app.get("/admin", response_class=HTMLResponse)
-async def admin_dash(req: Request):
-    if not is_admin(req): return RedirectResponse("/admin/login")
-    
-    async with DATA_LOCK:
-        videos = INDEX_CACHE.get("videos", [])
-        
-    v_rows = ""
-    for v in videos:
-        divs = ",".join(map(str, v.get("allowed_divs", [])))
-        v_rows += f"""<tr>
-        <td>{esc(v['id'])[:8]}...</td>
-        <td><input data-id="{v['id']}" data-field="name" value="{esc(v.get('name'))}"></td>
-        <td><input data-id="{v['id']}" data-field="allowed_divs" value="{esc(divs)}" placeholder="All"></td>
-        <td><input data-id="{v['id']}" data-field="category" value="{esc(v.get('category'))}"></td>
-        <td><input data-id="{v['id']}" data-field="publisher" value="{esc(v.get('publisher'))}"></td>
-        <td><button onclick="api('/admin/videos/delete', {{id:'{v['id']}'}})" style="background:#500;">Del</button></td>
-        </tr>"""
-
-    a_rows = ""
-    for t, p in ALBUM_PUBLISHERS.items():
-        c = ALBUM_CATEGORIES.get(t, "")
-        a_rows += f"<tr><td>{t}</td><td>{p}</td><td>{c}</td><td>-</td></tr>"
-
-    return ADMIN_TEMPLATE.replace("__VIDEO_ROWS__", v_rows).replace("__ALBUM_ROWS__", a_rows)
-
-# ==================================================
-# ADMIN ACTIONS
-# ==================================================
-@app.post("/admin/update")
-async def admin_update(req: Request, payload: dict):
-    if not is_admin(req): return JSONResponse({}, 403)
-    
-    vid_id = payload.get("id")
-    field = payload.get("field")
-    value = payload.get("value")
-    
-    async with DATA_LOCK:
-        for v in INDEX_CACHE["videos"]:
-            if v["id"] == vid_id:
-                if field == "allowed_divs":
-                    # Parse comma string to list of ints
-                    try:
-                        if not value.strip():
-                            v[field] = []
-                        else:
-                            # Filter only valid integers 1-25
-                            nums = [int(x.strip()) for x in value.split(",") if x.strip().isdigit()]
-                            v[field] = [n for n in nums if n in VALID_DIVISIONS]
-                    except:
-                        pass # Ignore bad input
-                else:
-                    v[field] = value
-                
-                await save_index()
-                return {"ok": True}
-    return {"error": "not found"}
-
-@app.post("/admin/videos/delete")
-async def admin_delete(req: Request, payload: dict):
-    if not is_admin(req): return JSONResponse({}, 403)
-    vid_id = payload.get("id")
-    
-    async with DATA_LOCK:
-        # We only remove from index. We don't delete actual files from HF to avoid complexity 
-        # (Git operations are heavy), but removing from index hides them from feed.
-        original_len = len(INDEX_CACHE["videos"])
-        INDEX_CACHE["videos"] = [v for v in INDEX_CACHE["videos"] if v["id"] != vid_id]
-        
-        if len(INDEX_CACHE["videos"]) < original_len:
-            await save_index()
-            
-    return {"ok": True}
-
-@app.post("/admin/albums/add")
-async def admin_album_add(req: Request, payload: dict):
-    if not is_admin(req): return JSONResponse({}, 403)
-    t = payload.get("token")
-    if t:
-        async with DATA_LOCK:
-            CONFIG_CACHE["album_publishers"][t] = payload.get("publisher", "Unknown")
-            CONFIG_CACHE["album_categories"][t] = payload.get("category", "Uncategorized")
-            global ALBUM_PUBLISHERS, ALBUM_CATEGORIES
-            ALBUM_PUBLISHERS = CONFIG_CACHE["album_publishers"]
-            ALBUM_CATEGORIES = CONFIG_CACHE["album_categories"]
-            await save_config()
-    return {"ok": True}
+        if not allowed or