Commit ·
c796a00
1
Parent(s): 1d1b529
fix: remove OAuth state verification (cookies don't survive HF iframe redirect)
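--- a/app/api/auth/callback/route.js
+++ b/app/api/auth/callback/route.js
@@ -14,12 +14,6 @@ export async function GET(request) {
 return NextResponse.json({ error: 'Missing code parameter' }, { status: 400 });
 }
 
-// Verify state
-const savedState = request.cookies.get('oauth_state')?.value;
-if (!savedState || savedState !== state) {
-return NextResponse.json({ error: 'Invalid state parameter' }, { status: 400 });
-}
-
 const clientId = process.env.OAUTH_CLIENT_ID;
 const clientSecret = process.env.OAUTH_CLIENT_SECRET;
 
@@ -93,8 +87,6 @@ export async function GET(request) {
 path: '/',
 });
 
-// Clear the state cookie
-response.cookies.delete('oauth_state');
 
 return response;
 } catch (error) {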
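Review bot: With the `savedState !== state` comparison gone from the first hunk, the callback now exchanges any `code` it receives without checking that the flow was started by this browser, so the login endpoint's `state` no longer binds the authorization response to the session (login CSRF). The commit message says the cookie did not survive the iframe redirect; the deleted cookie used `sameSite: 'lax'`, which a browser will not send in a cross-site iframe context, so the likely fix is to keep the check and store the state in a way that survives that context (a `sameSite: 'none'`, `secure: true` cookie, or a short-lived server-side record keyed by the state value) rather than dropping the verification. If `state` is still read from the query string above this hunk it is now an unused local; either remove it or add a comment such as `// TODO: state is sent by login/route.js but not verified here — restore the check once state storage works under the HF iframe` so the gap is not mistaken for intent. The enclosing GET handler starts and ends outside both hunks.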
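--- a/app/api/auth/login/route.js
+++ b/app/api/auth/login/route.js
@@ -20,7 +20,6 @@ export async function GET(request) {
 : 'http://localhost:3000';
 const redirectUri = `${host}/api/auth/callback`;
 
-// Generate state for CSRF protection
 const state = crypto.randomBytes(16).toString('hex');
 
 const params = new URLSearchParams({
@@ -28,20 +27,9 @@ export async function GET(request) {
 redirect_uri: redirectUri,
 scope: 'openid profile',
 response_type: 'code',
-state
+state,
 });
 
 const authorizeUrl = `https://huggingface.co/oauth/authorize?${params.toString()}`;
-
-// Set state in a cookie for verification on callback
-const response = NextResponse.redirect(authorizeUrl);
-response.cookies.set('oauth_state', state, {
-httpOnly: true,
-secure: true,
-sameSite: 'lax',
-maxAge: 300, // 5 minutes
-path: '/',
-});
-
-return response;
+return NextResponse.redirect(authorizeUrl);
 }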
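Review bot: The new `state,` line in the second hunk still sends a random state to the authorization server, but the value is no longer stored anywhere (the cookie block was removed and `return NextResponse.redirect(authorizeUrl)` returns immediately), so nothing can compare it on the way back and the parameter is now a decorative nonce. The stated reason for removing the cookie is that it did not survive the Hugging Face iframe redirect; the removed cookie was set with `sameSite: 'lax'`, and browsers withhold Lax cookies in a cross-site iframe, so retaining the cookie with `sameSite: 'none'` (the existing `secure: true` already satisfies the requirement that accompanies it) is the likely one-line repair — this is inferred from the hunk, not verified against the deployment. If the state is deliberately left unverified for now, replace the deleted `// Generate state for CSRF protection` comment with one that says so, e.g. `// state is sent but not yet verified by callback/route.js (cookie lost in HF iframe)`. The enclosing GET handler starts outside the first hunk.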