update

Dockerfile

@@ -29,4 +29,5 @@ EXPOSE 7860
 # Set PYTHONPATH to include backend directory
 ENV PYTHONPATH=/app/backend:$PYTHONPATH
 
-CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "7860", "--app-dir", "/app/backend"]
+# --proxy-headers: X-Forwarded-Proto/Host from Hugging Face edge so OAuth redirect_uri is https://
+CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "7860", "--app-dir", "/app/backend", "--proxy-headers"]

SETUP.md

@@ -61,7 +61,9 @@
    export SESSION_SECRET=$(openssl rand -hex 32)
    ```
 
-   For HTTPS deployments (e.g. Hugging Face Spaces), also set `HTTPS_ONLY_COOKIES=1` and add your public origin to `CORS_ORIGINS` if the browser origin differs from the API host.
+   For **Hugging Face Spaces**, set `FRONTEND_ORIGIN` to **`https://`**, e.g. `https://your-space.hf.space` (not `http://`). Google’s OAuth policy rejects `http://` redirect URIs for public hosts; the **Authorized redirect URI** in Google Cloud must be the **https** callback, e.g. `https://your-space.hf.space/api/auth/google/callback`.
+
+   For HTTPS deployments, also set `HTTPS_ONLY_COOKIES=1` and add your public origin to `CORS_ORIGINS` if the browser origin differs from the API host.
 
 3. **Run Backend**:
    ```bash

backend/app/auth_routes.py

@@ -25,22 +25,57 @@ def _client_configured() -> bool:
     return bool(os.environ.get("GOOGLE_CLIENT_ID", "").strip() and os.environ.get("GOOGLE_CLIENT_SECRET", "").strip())
 
 
+def _normalize_https_public_origin(origin: str) -> str:
+    """Spaces like Hugging Face are always HTTPS; fix http:// saved by mistake or bad defaults."""
+    o = origin.strip().rstrip("/")
+    if o.startswith("http://") and ".hf.space" in o:
+        return "https://" + o[7:]
+    return o
+
+
+def _public_request_base(request: Request) -> str:
+    """
+    Browser-facing origin (scheme + host, no path). Uses proxy headers so OAuth redirect_uri
+    is https://... behind Hugging Face / nginx (request.base_url alone is often http:// internally).
+    """
+    fwd_proto = request.headers.get("x-forwarded-proto")
+    if fwd_proto:
+        proto = fwd_proto.split(",")[0].strip().lower()
+    else:
+        proto = (request.url.scheme or "http").lower()
+
+    fwd_host = request.headers.get("x-forwarded-host")
+    if fwd_host:
+        host = fwd_host.split(",")[0].strip()
+    else:
+        host = request.headers.get("host") or request.url.netloc or ""
+
+    if host:
+        # Use Host / X-Forwarded-Host as-is (keeps localhost:5173 for dev proxy).
+        base = f"{proto}://{host}" if proto else f"https://{host}"
+        base = _normalize_https_public_origin(base)
+        return base.rstrip("/")
+
+    base = str(request.base_url).rstrip("/")
+    return _normalize_https_public_origin(base)
+
+
 def _redirect_uri(request: Request) -> str:
     """Callback URL; must match an entry in Google Cloud Console → OAuth client."""
     explicit = os.environ.get("GOOGLE_REDIRECT_URI", "").strip()
     if explicit:
-        return explicit
+        return _normalize_https_public_origin(explicit)
     fe = os.environ.get("FRONTEND_ORIGIN", "").strip()
     if fe:
-        return fe.rstrip("/") + "/api/auth/google/callback"
-    return str(request.base_url).rstrip("/") + "/api/auth/google/callback"
+        return _normalize_https_public_origin(fe) + "/api/auth/google/callback"
+    return _public_request_base(request) + "/api/auth/google/callback"
 
 
 def _post_login_url(request: Request) -> str:
     fe = os.environ.get("FRONTEND_ORIGIN", "").strip()
     if fe:
-        return fe.rstrip("/") + "/"
-    return str(request.base_url).rstrip("/") + "/"
+        return _normalize_https_public_origin(fe) + "/"
+    return _public_request_base(request) + "/"
 
 
 @router.get("/status")