Fix OAuth according to HF official documentation

Based on https://huggingface.co/docs/hub/en/spaces-oauth:

1. Fix OAuth scopes:
- Include 'openid profile' as required by HF
- These are automatically included but we specify them explicitly

2. Use SPACE_HOST environment variable:
- Official recommended way to get redirect URI
- Fallback to manual construction if not available

3. Update README.md with proper HF OAuth configuration

This should fix the session/cookie issues we've been experiencing.

README.md

@@ -8,6 +8,7 @@ pinned: false
 license: mit
 app_port: 7860
 hf_oauth: true
+# HF automatically includes 'openid profile', we add specific scopes we need
 hf_oauth_scopes:
   - read-repos
 hf_oauth_expiration_minutes: 480

backend/routers/auth.py

@@ -71,17 +71,22 @@ async def login(request: Request):
         logger.error(f"Failed to save OAuth state: {e}")
         raise HTTPException(status_code=500, detail="Session configuration error")
     
-    # Get the current host for redirect URI
-    base_url = str(request.base_url).rstrip('/')
-    
-    # Fix for HF Spaces domain format
+    # Get the current host for redirect URI (HF official way)
     if is_huggingface_space():
-        # HF Spaces uses holistic-ai-agentgraph.hf.space format
-        space_id = os.getenv("SPACE_ID", "")
-        if space_id:
-            # Convert "holistic-ai/AgentGraph" to "holistic-ai-agentgraph.hf.space"
-            space_domain = space_id.replace("/", "-").lower()
-            base_url = f"https://{space_domain}.hf.space"
+        # Use SPACE_HOST as recommended by HF docs
+        space_host = os.getenv("SPACE_HOST")
+        if space_host:
+            base_url = f"https://{space_host}"
+        else:
+            # Fallback to manual construction
+            space_id = os.getenv("SPACE_ID", "")
+            if space_id:
+                space_domain = space_id.replace("/", "-").lower()
+                base_url = f"https://{space_domain}.hf.space"
+            else:
+                base_url = str(request.base_url).rstrip('/')
+    else:
+        base_url = str(request.base_url).rstrip('/')
         
     redirect_uri = f"{base_url}/auth/callback"
     
@@ -130,15 +135,23 @@ async def oauth_callback(request: Request, code: str, state: str):
         logger.info("✅ OAuth state verification successful")
     
     # Exchange code for tokens
-    base_url = str(request.base_url).rstrip('/')
-    
-    # Fix for HF Spaces domain format
+    # Get the current host for redirect URI (HF official way)
     if is_huggingface_space():
-        space_id = os.getenv("SPACE_ID", "")
-        if space_id:
-            space_domain = space_id.replace("/", "-").lower()
-            base_url = f"https://{space_domain}.hf.space"
-            
+        # Use SPACE_HOST as recommended by HF docs
+        space_host = os.getenv("SPACE_HOST")
+        if space_host:
+            base_url = f"https://{space_host}"
+        else:
+            # Fallback to manual construction
+            space_id = os.getenv("SPACE_ID", "")
+            if space_id:
+                space_domain = space_id.replace("/", "-").lower()
+                base_url = f"https://{space_domain}.hf.space"
+            else:
+                base_url = str(request.base_url).rstrip('/')
+    else:
+        base_url = str(request.base_url).rstrip('/')
+        
     redirect_uri = f"{base_url}/auth/callback"
     
     try:

utils/environment.py

@@ -80,7 +80,8 @@ def get_oauth_config() -> Optional[Dict[str, str]]:
         
     # Force HF-compatible scope for HF Spaces, ignore environment variable
     if is_huggingface_space():
-        scopes = "read-repos"  # Only use supported scope
+        # HF automatically includes 'openid profile', we specify additional scopes
+        scopes = "openid profile read-repos"
     else:
         scopes = os.getenv("OAUTH_SCOPES", "read-repos")