Fix HF Spaces authentication: support __sign parameter and make auth optional

backend/middleware/auth.py

@@ -75,15 +75,20 @@ class ConditionalAuthMiddleware(BaseHTTPMiddleware):
         # Check user authentication
         user = await self._get_current_user(request)
         if not user:
-            # For API calls, return JSON error
-            if request.url.path.startswith("/api/"):
-                return JSONResponse(
-                    status_code=401,
-                    content={"error": "Authentication required", "login_url": "/auth/login"}
-                )
+            # In HF Spaces, if OAuth is configured but user is not authenticated,
+            # we can still allow access but with limited functionality
+            # This makes the auth "optional" rather than "required"
             
-            # For web requests, redirect to login
-            return RedirectResponse(url="/auth/login", status_code=302)
+            # For now, let's allow access but log the unauthenticated state
+            logger.info(f"Unauthenticated access to {request.url.path} in HF Spaces")
+            
+            # You can uncomment these lines to make auth strictly required:
+            # if request.url.path.startswith("/api/"):
+            #     return JSONResponse(
+            #         status_code=401,
+            #         content={"error": "Authentication required", "login_url": "/auth/login"}
+            #     )
+            # return RedirectResponse(url="/auth/login", status_code=302)
         
         # Add user info to request state
         request.state.user = user
@@ -100,23 +105,48 @@ class ConditionalAuthMiddleware(BaseHTTPMiddleware):
         """
         Get current user from session or token.
         
-        In a full implementation, this would:
-        1. Check session cookies
-        2. Validate JWT tokens
-        3. Call HF API to verify user info
-        
-        For now, we'll implement a basic session check.
+        For HF Spaces, we check:
+        1. Session cookies (our own auth)
+        2. HF __sign parameter (HF pre-auth)
+        3. Authorization header
         """
-        # Check if user info is in session
+        # Check if user info is in session (our own auth)
         user = request.session.get("user") if hasattr(request, "session") else None
         
+        # In HF Spaces, check for __sign parameter which indicates HF has pre-authenticated the user
+        if not user and is_huggingface_space():
+            sign_param = request.query_params.get("__sign")
+            if sign_param:
+                # HF has authenticated the user via __sign parameter
+                # We'll create a basic user object to indicate authentication
+                user = {
+                    "id": "hf_authenticated",
+                    "name": "HF User", 
+                    "username": "hf_user",
+                    "email": None,
+                    "avatar_url": None,
+                    "auth_method": "hf_sign"
+                }
+                # Store in session for future requests
+                if hasattr(request, "session"):
+                    request.session["user"] = user
+                logger.info("User authenticated via HF __sign parameter")
+        
         # Check Authorization header as fallback
         if not user:
             auth_header = request.headers.get("Authorization")
             if auth_header and auth_header.startswith("Bearer "):
                 # In a full implementation, validate this token with HF API
-                # For now, we'll assume it's valid if present
-                pass
+                # For now, we'll assume it's valid if present in HF environment
+                if is_huggingface_space():
+                    user = {
+                        "id": "hf_bearer_auth",
+                        "name": "HF Bearer User",
+                        "username": "hf_bearer_user", 
+                        "email": None,
+                        "avatar_url": None,
+                        "auth_method": "bearer_token"
+                    }
         
         return user
     

backend/routers/auth.py

@@ -19,14 +19,22 @@ router = APIRouter(prefix="/auth", tags=["authentication"])
 
 
 @router.get("/status")
-async def auth_status():
+async def auth_status(request: Request):
     """Get authentication status and configuration."""
     config = get_oauth_config()
+    user = getattr(request.state, "user", None) or (request.session.get("user") if hasattr(request, "session") else None)
+    
     return {
         "auth_enabled": should_enable_auth(),
         "environment": "huggingface_spaces" if is_huggingface_space() else "local_development",
         "oauth_available": bool(config),
-        "login_required": should_enable_auth() and bool(config),
+        "login_required": False,  # Set to optional for now
+        "user_authenticated": bool(user),
+        "user_info": {
+            "auth_method": user.get("auth_method") if user else None,
+            "username": user.get("username") if user else None,
+        } if user else None,
+        "hf_sign_detected": bool(request.query_params.get("__sign")) if is_huggingface_space() else False,
     }
 
 
@@ -173,6 +181,8 @@ async def get_current_user(request: Request):
         "username": user.get("username"),
         "email": user.get("email"),
         "avatar_url": user.get("avatar_url"),
+        "auth_method": user.get("auth_method", "unknown"),
+        "authenticated": True,
     }