Add 'itsdangerous' dependency for session management and enhance OAuth configuration with scope validation and warnings for unsupported scopes in Hugging Face Spaces.

pyproject.toml

@@ -30,6 +30,7 @@ dependencies = [
     "uvicorn>=0.34.0",            # ✅ 核心 
     "httpx>=0.27.0",              # ✅ 核心
     "python-multipart>=0.0.6,<1.0.0",  # ✅ 核心
+    "itsdangerous>=2.0.0",        # ✅ Session middleware dependency
     
     # ===== 数据层 =====
     "sqlalchemy>=2.0.0",         # ✅ 核心 (36+ 使用)

utils/environment.py

@@ -78,10 +78,26 @@ def get_oauth_config() -> Optional[Dict[str, str]]:
     if not should_enable_auth():
         return None
         
+    # Get scopes with fallback to HF-compatible default
+    scopes = os.getenv("OAUTH_SCOPES", "read-repos")
+    
+    # Warn about unsupported scopes for HF Spaces
+    if is_huggingface_space():
+        unsupported_scopes = []
+        for scope in scopes.split():
+            if scope not in ["email", "read-repos", "write-repos", "manage-repos", 
+                           "read-mcp", "write-discussions", "read-billing", 
+                           "inference-api", "jobs", "webhooks"]:
+                unsupported_scopes.append(scope)
+        
+        if unsupported_scopes:
+            print(f"⚠️ Warning: Unsupported OAuth scopes detected: {unsupported_scopes}")
+            print("📝 Supported HF scopes: email, read-repos, write-repos, manage-repos, read-mcp, write-discussions, read-billing, inference-api, jobs, webhooks")
+        
     oauth_config = {
         "client_id": os.getenv("OAUTH_CLIENT_ID"),
         "client_secret": os.getenv("OAUTH_CLIENT_SECRET"),
-        "scopes": os.getenv("OAUTH_SCOPES", "read-repos"),
+        "scopes": scopes,
         "provider_url": os.getenv("OPENID_PROVIDER_URL", "https://huggingface.co"),
     }