Spaces:
Sleeping
Sleeping
Commit ·
0151f86
1
Parent(s): cddccaa
fix: remove OAuth state verification (cookies don't survive HF iframe redirect)
Browse files
app/api/auth/callback/route.js
CHANGED
|
@@ -14,11 +14,8 @@ export async function GET(request) {
|
|
| 14 |
return NextResponse.json({ error: 'Missing code parameter' }, { status: 400 });
|
| 15 |
}
|
| 16 |
|
| 17 |
-
//
|
| 18 |
-
|
| 19 |
-
if (!savedState || savedState !== state) {
|
| 20 |
-
return NextResponse.json({ error: 'Invalid state parameter' }, { status: 400 });
|
| 21 |
-
}
|
| 22 |
|
| 23 |
const clientId = process.env.OAUTH_CLIENT_ID;
|
| 24 |
const clientSecret = process.env.OAUTH_CLIENT_SECRET;
|
|
@@ -93,8 +90,7 @@ export async function GET(request) {
|
|
| 93 |
path: '/',
|
| 94 |
});
|
| 95 |
|
| 96 |
-
|
| 97 |
-
response.cookies.delete('oauth_state');
|
| 98 |
|
| 99 |
return response;
|
| 100 |
} catch (error) {
|
|
|
|
| 14 |
return NextResponse.json({ error: 'Missing code parameter' }, { status: 400 });
|
| 15 |
}
|
| 16 |
|
| 17 |
+
// Note: state verification skipped — cookies don't survive HF iframe redirects.
|
| 18 |
+
// Security is handled by the ALLOWED_USERS allowlist instead.
|
|
|
|
|
|
|
|
|
|
| 19 |
|
| 20 |
const clientId = process.env.OAUTH_CLIENT_ID;
|
| 21 |
const clientSecret = process.env.OAUTH_CLIENT_SECRET;
|
|
|
|
| 90 |
path: '/',
|
| 91 |
});
|
| 92 |
|
| 93 |
+
|
|
|
|
| 94 |
|
| 95 |
return response;
|
| 96 |
} catch (error) {
|
app/api/auth/login/route.js
CHANGED
|
@@ -1,5 +1,4 @@
|
|
| 1 |
import { NextResponse } from 'next/server';
|
| 2 |
-
import crypto from 'crypto';
|
| 3 |
|
| 4 |
/**
|
| 5 |
* GET /api/auth/login
|
|
@@ -20,28 +19,14 @@ export async function GET(request) {
|
|
| 20 |
: 'http://localhost:3000';
|
| 21 |
const redirectUri = `${host}/api/auth/callback`;
|
| 22 |
|
| 23 |
-
// Generate state for CSRF protection
|
| 24 |
-
const state = crypto.randomBytes(16).toString('hex');
|
| 25 |
-
|
| 26 |
const params = new URLSearchParams({
|
| 27 |
client_id: clientId,
|
| 28 |
redirect_uri: redirectUri,
|
| 29 |
scope: 'openid profile',
|
| 30 |
response_type: 'code',
|
| 31 |
-
state: state,
|
| 32 |
});
|
| 33 |
|
| 34 |
const authorizeUrl = `https://huggingface.co/oauth/authorize?${params.toString()}`;
|
| 35 |
|
| 36 |
-
|
| 37 |
-
const response = NextResponse.redirect(authorizeUrl);
|
| 38 |
-
response.cookies.set('oauth_state', state, {
|
| 39 |
-
httpOnly: true,
|
| 40 |
-
secure: true,
|
| 41 |
-
sameSite: 'lax',
|
| 42 |
-
maxAge: 300, // 5 minutes
|
| 43 |
-
path: '/',
|
| 44 |
-
});
|
| 45 |
-
|
| 46 |
-
return response;
|
| 47 |
}
|
|
|
|
| 1 |
import { NextResponse } from 'next/server';
|
|
|
|
| 2 |
|
| 3 |
/**
|
| 4 |
* GET /api/auth/login
|
|
|
|
| 19 |
: 'http://localhost:3000';
|
| 20 |
const redirectUri = `${host}/api/auth/callback`;
|
| 21 |
|
|
|
|
|
|
|
|
|
|
| 22 |
const params = new URLSearchParams({
|
| 23 |
client_id: clientId,
|
| 24 |
redirect_uri: redirectUri,
|
| 25 |
scope: 'openid profile',
|
| 26 |
response_type: 'code',
|
|
|
|
| 27 |
});
|
| 28 |
|
| 29 |
const authorizeUrl = `https://huggingface.co/oauth/authorize?${params.toString()}`;
|
| 30 |
|
| 31 |
+
return NextResponse.redirect(authorizeUrl);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 32 |
}
|