update: reverted local changes

app/api/auth/callback/route.js

@@ -14,8 +14,11 @@ export async function GET(request) {
         return NextResponse.json({ error: 'Missing code parameter' }, { status: 400 });
     }
 
-    // Note: state verification skipped — cookies don't survive HF iframe redirects.
-    // Security is handled by the ALLOWED_USERS allowlist instead.
+    // Verify state
+    const savedState = request.cookies.get('oauth_state')?.value;
+    if (!savedState || savedState !== state) {
+        return NextResponse.json({ error: 'Invalid state parameter' }, { status: 400 });
+    }
 
     const clientId = process.env.OAUTH_CLIENT_ID;
     const clientSecret = process.env.OAUTH_CLIENT_SECRET;
@@ -90,7 +93,8 @@ export async function GET(request) {
             path: '/',
         });
 
-
+        // Clear the state cookie
+        response.cookies.delete('oauth_state');
 
         return response;
     } catch (error) {

app/api/auth/login/route.js

@@ -1,4 +1,5 @@
 import { NextResponse } from 'next/server';
+import crypto from 'crypto';
 
 /**
  * GET /api/auth/login
@@ -19,14 +20,28 @@ export async function GET(request) {
         : 'http://localhost:3000';
     const redirectUri = `${host}/api/auth/callback`;
 
+    // Generate state for CSRF protection
+    const state = crypto.randomBytes(16).toString('hex');
+
     const params = new URLSearchParams({
         client_id: clientId,
         redirect_uri: redirectUri,
         scope: 'openid profile',
         response_type: 'code',
+        state: state,
     });
 
     const authorizeUrl = `https://huggingface.co/oauth/authorize?${params.toString()}`;
 
-    return NextResponse.redirect(authorizeUrl);
+    // Set state in a cookie for verification on callback
+    const response = NextResponse.redirect(authorizeUrl);
+    response.cookies.set('oauth_state', state, {
+        httpOnly: true,
+        secure: true,
+        sameSite: 'lax',
+        maxAge: 300, // 5 minutes
+        path: '/',
+    });
+
+    return response;
 }

app/api/documents/route.js

@@ -1,71 +1,7 @@
 import { HF_DATASET_BASE_URL, MAX_DOCS_TO_SCAN } from '../../../utils/config.js';
 
-const isHFSpace = () => process.env.HF_TOKEN && process.env.NODE_ENV !== 'development';
-
-/**
- * Load annotator assignments config.
- * Supports both local file and HF fetch.
- */
-async function loadAssignments() {
+export async function GET() {
     try {
-        if (isHFSpace()) {
-            const url = `${HF_DATASET_BASE_URL}/raw/main/annotation_data/annotator_assignments.json`;
-            const res = await fetch(url, {
-                headers: { 'Authorization': `Bearer ${process.env.HF_TOKEN}` },
-            });
-            if (res.ok) return await res.json();
-        } else {
-            const fs = await import('fs');
-            const path = await import('path');
-            const filePath = path.default.join(process.cwd(), 'annotator_assignments.json');
-            if (fs.default.existsSync(filePath)) {
-                return JSON.parse(fs.default.readFileSync(filePath, 'utf-8'));
-            }
-        }
-    } catch (e) {
-        console.warn('Could not load annotator assignments:', e.message);
-    }
-    return null;
-}
-
-/**
- * Get the set of allowed doc indices for a user.
- * Returns null if no assignments (= show all).
- */
-function getAllowedDocs(assignments, username) {
-    if (!assignments || !username) return null;
-
-    const userConfig = assignments[username] || assignments[username.toLowerCase()];
-    if (!userConfig) return null;
-
-    const allowed = new Set();
-
-    // Explicit list: "docs": [1, 2, 3]
-    if (userConfig.docs) {
-        userConfig.docs.forEach(d => allowed.add(d));
-    }
-
-    // Range: "docs_range": [10, 100]  (inclusive)
-    if (userConfig.docs_range) {
-        const [start, end] = userConfig.docs_range;
-        for (let i = start; i <= end; i++) {
-            allowed.add(i);
-        }
-    }
-
-    return allowed.size > 0 ? allowed : null;
-}
-
-export async function GET(request) {
-    try {
-        // Get username from query param
-        const { searchParams } = new URL(request.url);
-        const username = searchParams.get('user');
-
-        // Load assignments
-        const assignments = await loadAssignments();
-        const allowedDocs = getAllowedDocs(assignments, username);
-
         // Fetch the index file from HF Datasets
         const linksUrl = `${HF_DATASET_BASE_URL}/raw/main/annotation_data/wbg_data/wbg_pdf_links.json`;
         const linksRes = await fetch(linksUrl, {
@@ -85,18 +21,10 @@ export async function GET(request) {
 
         const links = await linksRes.json();
 
-        // Filter to successful links
-        let successLinks = links.filter(l => l.status === 'success');
-
-        // If user has assignments, filter to allowed docs only
-        if (allowedDocs) {
-            successLinks = successLinks.filter(l => allowedDocs.has(l.index));
-        } else {
-            // No assignments — take first N
-            successLinks = successLinks.slice(0, MAX_DOCS_TO_SCAN);
-        }
+        // Filter to successful links and take the first N
+        const successLinks = links.filter(l => l.status === 'success').slice(0, MAX_DOCS_TO_SCAN);
 
-        // Parallel fetch
+        // Parallel fetch — much faster than sequential scanning
         const results = await Promise.allSettled(
             successLinks.map(async (link) => {
                 const docUrl = `${HF_DATASET_BASE_URL}/raw/main/annotation_data/wbg_extractions/doc_${link.index}/raw/doc_${link.index}_direct_judged.jsonl`;
@@ -130,7 +58,7 @@ export async function GET(request) {
             status: 200,
             headers: {
                 'Content-Type': 'application/json',
-                'Cache-Control': 'no-store'
+                'Cache-Control': 'public, s-maxage=3600, stale-while-revalidate=59'
             }
         });
     } catch (error) {

app/globals.css

@@ -94,55 +94,6 @@ h4 {
   background: var(--accent-hover);
 }
 
-/* ── Login Gate ───────────────────────────────── */
-
-.login-gate {
-  display: flex;
-  align-items: center;
-  justify-content: center;
-  width: 100%;
-  height: 100vh;
-  background: var(--bg-color);
-}
-
-.login-card {
-  text-align: center;
-  background: var(--pane-bg);
-  border: 1px solid var(--border-color);
-  border-radius: 16px;
-  padding: 48px 40px;
-  max-width: 420px;
-  box-shadow: 0 8px 32px rgba(0, 0, 0, 0.4);
-}
-
-.login-card h1 {
-  font-size: 1.6rem;
-  margin-bottom: 12px;
-}
-
-.login-card p {
-  color: #94a3b8;
-  margin-bottom: 28px;
-  line-height: 1.5;
-}
-
-.btn-login-large {
-  display: inline-block;
-  font-size: 1rem;
-  font-weight: 700;
-  color: #fff;
-  background: var(--accent);
-  padding: 12px 28px;
-  border-radius: 10px;
-  text-decoration: none;
-  transition: background 0.2s, transform 0.1s;
-}
-
-.btn-login-large:hover {
-  background: var(--accent-hover);
-  transform: translateY(-1px);
-}
-
 .container {
   display: flex;
   width: 100%;

app/page.js

@@ -43,33 +43,9 @@ export default function Home() {
     const annotatablePages = currentDoc?.annotatable_pages ?? [];
     const currentPageNumber = annotatablePages[pageIdx] ?? null;
 
-    // Read HF OAuth cookie and load assigned documents
+    // Load documents on mount
     useEffect(() => {
-        // 1. Read username from cookie
-        let username = '';
-        try {
-            const cookie = document.cookie
-                .split('; ')
-                .find(c => c.startsWith('hf_user='));
-            if (cookie) {
-                const user = JSON.parse(decodeURIComponent(cookie.split('=').slice(1).join('=')));
-                if (user.username) {
-                    username = user.username;
-                    setAnnotatorName(user.username);
-                }
-            }
-        } catch (e) {
-            console.warn('Could not read hf_user cookie', e);
-        }
-
-        // Not signed in — don't fetch anything, show login screen
-        if (!username) {
-            setLoading(false);
-            return;
-        }
-
-        // 2. Fetch documents (filtered by user)
-        fetch(`/api/documents?user=${encodeURIComponent(username)}`)
+        fetch('/api/documents')
             .then(res => res.json())
             .then(data => {
                 setDocuments(data);
@@ -85,6 +61,23 @@ export default function Home() {
             });
     }, []);
 
+    // Read HF OAuth cookie for annotator identity
+    useEffect(() => {
+        try {
+            const cookie = document.cookie
+                .split('; ')
+                .find(c => c.startsWith('hf_user='));
+            if (cookie) {
+                const user = JSON.parse(decodeURIComponent(cookie.split('=').slice(1).join('=')));
+                if (user.username) {
+                    setAnnotatorName(user.username);
+                }
+            }
+        } catch (e) {
+            console.warn('Could not read hf_user cookie', e);
+        }
+    }, []);
+
     // Update currentDoc when selection changes
     useEffect(() => {
         if (selectedDocIndex !== null) {
@@ -360,21 +353,6 @@ export default function Home() {
         );
     }
 
-    // Gate: require login
-    if (!annotatorName) {
-        return (
-            <div className="login-gate">
-                <div className="login-card">
-                    <h1>🏷️ Annotation Tool</h1>
-                    <p>Sign in with your Hugging Face account to start annotating.</p>
-                    <a href="/api/auth/login" className="btn btn-login-large">
-                        🤗 Sign in with Hugging Face
-                    </a>
-                </div>
-            </div>
-        );
-    }
-
     return (
         <div className="app-wrapper">
             {/* Top bar with user identity */}