add

backend/app.py

@@ -53,20 +53,22 @@ app.add_middleware(
     allow_headers=["*"],
 )
 
-# Add conditional authentication middleware
-app.add_middleware(ConditionalAuthMiddleware)
-
-# Add usage tracking middleware (after auth, to track authenticated requests)
-app.add_middleware(UsageTrackingMiddleware)
-
-# Add session middleware (last, so it's innermost and processes requests first)
+# Add session middleware (second, so auth can read session data)
 session_secret = os.getenv("SESSION_SECRET_KEY") or secrets.token_urlsafe(32)
 app.add_middleware(
     SessionMiddleware, 
     secret_key=session_secret,
     max_age=86400,  # 24 hours
+    same_site="lax",  # Better for OAuth redirects
+    https_only=False,  # Will be True in production via reverse proxy
 )
 
+# Add conditional authentication middleware (after session)
+app.add_middleware(ConditionalAuthMiddleware)
+
+# Add usage tracking middleware (last, to track authenticated requests)
+app.add_middleware(UsageTrackingMiddleware)
+
 # Mount datasets directory for accessing json files
 app.mount("/data", StaticFiles(directory="datasets"), name="data")
 

utils/environment.py

@@ -78,8 +78,11 @@ def get_oauth_config() -> Optional[Dict[str, str]]:
     if not should_enable_auth():
         return None
         
-    # Get scopes with fallback to HF-compatible default
-    scopes = os.getenv("OAUTH_SCOPES", "read-repos")
+    # Force HF-compatible scope for HF Spaces, ignore environment variable
+    if is_huggingface_space():
+        scopes = "read-repos"  # Only use supported scope
+    else:
+        scopes = os.getenv("OAUTH_SCOPES", "read-repos")
     
     # Warn about unsupported scopes for HF Spaces
     if is_huggingface_space():