Spaces:

holistic-ai
/

AgentGraph

Sleeping

wu981526092 commited on Sep 16, 2025

Commit

1331365

1 Parent(s): 2553f38

Implement dependency injection authentication system

- Create backend/dependencies/auth.py with FastAPI dependencies
- Replace middleware-based auth with dependency injection
- Add get_current_user_optional, get_current_user_required functions
- Add require_auth_in_hf_spaces dependency for route protection
- Update root route to use dependency injection auth
- This avoids session middleware compatibility issues
- Should work properly with SessionMiddleware

Files changed (3) hide show

backend/app.py +5 -4
backend/dependencies/__init__.py +25 -0
backend/dependencies/auth.py +128 -0

backend/app.py CHANGED Viewed

@@ -8,13 +8,14 @@ import os
 import secrets
 from pathlib import Path
 import sys
-from fastapi import FastAPI, Request, status
 from fastapi.staticfiles import StaticFiles
 from fastapi.middleware.cors import CORSMiddleware
 from starlette.middleware.sessions import SessionMiddleware
 from fastapi.responses import RedirectResponse, HTMLResponse
 from backend.middleware.auth import ConditionalAuthMiddleware
 from backend.middleware.usage_tracker import UsageTrackingMiddleware
 from utils.environment import should_enable_auth, debug_environment
@@ -127,9 +128,9 @@ async def shutdown_event():
 # Root redirect to React app (requires authentication)
 @app.get("/")
-async def root(request: Request):
-    # This endpoint will be protected by authentication middleware
-    # If user reaches here, they are authenticated
     return RedirectResponse(url="/agentgraph")

 import secrets
 from pathlib import Path
 import sys
+from fastapi import FastAPI, Request, status, Depends
 from fastapi.staticfiles import StaticFiles
 from fastapi.middleware.cors import CORSMiddleware
 from starlette.middleware.sessions import SessionMiddleware
 from fastapi.responses import RedirectResponse, HTMLResponse
 from backend.middleware.auth import ConditionalAuthMiddleware
 from backend.middleware.usage_tracker import UsageTrackingMiddleware
+from backend.dependencies.auth import require_auth_in_hf_spaces
 from utils.environment import should_enable_auth, debug_environment
 # Root redirect to React app (requires authentication)
 @app.get("/")
+async def root(request: Request, auth_check = Depends(require_auth_in_hf_spaces)):
+    # This endpoint is protected by dependency injection
+    # If user reaches here, they are authenticated (or in local dev)
     return RedirectResponse(url="/agentgraph")

backend/dependencies/__init__.py ADDED Viewed

	@@ -0,0 +1,25 @@

+"""
+Dependencies module for FastAPI dependency injection.
+"""
+from .auth import (
+    get_current_user_optional,
+    get_current_user_required,
+    get_current_user_with_bearer,
+    require_auth_in_hf_spaces,
+    CurrentUser,
+    OptionalUser,
+    APIUser,
+    RequireHFAuth
+)
+__all__ = [
+    "get_current_user_optional",
+    "get_current_user_required",
+    "get_current_user_with_bearer",
+    "require_auth_in_hf_spaces",
+    "CurrentUser",
+    "OptionalUser",
+    "APIUser",
+    "RequireHFAuth"
+]

backend/dependencies/auth.py ADDED Viewed

	@@ -0,0 +1,128 @@

+"""
+Authentication Dependencies for FastAPI
+This module provides authentication dependencies that can be used
+with FastAPI's dependency injection system instead of middleware.
+"""
+import logging
+from typing import Optional, Dict, Any
+from fastapi import Request, HTTPException, Depends
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+from utils.environment import should_enable_auth, get_oauth_config, is_huggingface_space
+logger = logging.getLogger(__name__)
+# Optional security scheme for Bearer tokens
+security = HTTPBearer(auto_error=False)
+def get_current_user_optional(request: Request) -> Optional[Dict[str, Any]]:
+    """
+    Get current user from session, but don't raise error if not found.
+    Used for endpoints where authentication is optional.
+    """
+    if not should_enable_auth():
+        logger.debug("🏠 Auth disabled - no user required")
+        return None
+    # Try to get user from session
+    try:
+        user = request.session.get("user")
+        if user:
+            logger.info(f"🔓 Found authenticated user: {user.get('username', 'unknown')}")
+            return user
+        else:
+            logger.debug("🔍 No user found in session")
+            return None
+    except Exception as e:
+        logger.error(f"Session access failed: {e}")
+        return None
+def get_current_user_required(request: Request) -> Dict[str, Any]:
+    """
+    Get current user from session, raise HTTPException if not authenticated.
+    Used for endpoints that require authentication.
+    """
+    if not should_enable_auth():
+        logger.debug("🏠 Auth disabled - returning mock user")
+        return {
+            "id": "local_dev",
+            "username": "local_user",
+            "name": "Local Development User",
+            "auth_method": "local_dev"
+        }
+    user = get_current_user_optional(request)
+    if not user:
+        logger.warning(f"🚫 Authentication required for {request.url.path}")
+        raise HTTPException(
+            status_code=401,
+            detail={
+                "error": "Authentication required",
+                "message": "Please log in with your Hugging Face account",
+                "login_url": "/auth/login"
+            }
+        )
+    return user
+def get_current_user_with_bearer(
+    request: Request,
+    credentials: Optional[HTTPAuthorizationCredentials] = Depends(security)
+) -> Optional[Dict[str, Any]]:
+    """
+    Get current user from session or Bearer token.
+    Used for API endpoints that might accept both session and token auth.
+    """
+    # First try session authentication
+    user = get_current_user_optional(request)
+    if user:
+        return user
+    # If no session user, try Bearer token (for API access)
+    if credentials and is_huggingface_space():
+        # In a full implementation, validate this token with HF API
+        # For now, assume it's valid if present in HF environment
+        logger.info("🔑 User authenticated via Bearer token")
+        return {
+            "id": "bearer_auth",
+            "username": "api_user",
+            "name": "API User",
+            "auth_method": "bearer_token",
+            "token": credentials.credentials
+        }
+    return None
+# Convenience aliases for common use cases
+CurrentUser = Depends(get_current_user_required)
+OptionalUser = Depends(get_current_user_optional)
+APIUser = Depends(get_current_user_with_bearer)
+def require_auth_in_hf_spaces(request: Request) -> None:
+    """
+    Dependency that enforces authentication only in HF Spaces.
+    Raises 401 if in HF Spaces and user is not authenticated.
+    """
+    if should_enable_auth():
+        user = get_current_user_optional(request)
+        if not user:
+            logger.warning(f"🚫 HF Spaces requires authentication for {request.url.path}")
+            raise HTTPException(
+                status_code=401,
+                detail={
+                    "error": "Authentication required in Hugging Face Spaces",
+                    "message": "Please log in to access this service",
+                    "login_url": "/auth/login-page",
+                    "reason": "This prevents abuse of OpenAI resources"
+                }
+            )
+# Dependency alias for route protection
+RequireHFAuth = Depends(require_auth_in_hf_spaces)