Security & HF Spaces fixes: Enable CSRF, auth middleware, persistent storage

- Re-enable CSRF state verification in OAuth callback (auth.py:165-177)
- Re-enable ConditionalAuthMiddleware in app.py
- Add /auth/oauth-callback to excluded paths in auth middleware
- Centralize DB_URI config to use /data persistent storage in HF Spaces
- Update database/__init__.py and init_db.py to use central config
- Add graceful error handling for /data directory creation

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

backend/app.py

@@ -90,8 +90,7 @@ else:
     )
 
 # Add conditional authentication middleware (after session)
-# TEMPORARILY DISABLED for debugging session issues
-# app.add_middleware(ConditionalAuthMiddleware)
+app.add_middleware(ConditionalAuthMiddleware)
 
 # Add usage tracking middleware (last, to track authenticated requests)
 app.add_middleware(UsageTrackingMiddleware)

backend/database/__init__.py

@@ -4,20 +4,14 @@ This package provides database access and utilities for agent monitoring.
 """
 
 import os
-from dotenv import load_dotenv
 from sqlalchemy import create_engine
 from sqlalchemy.ext.declarative import declarative_base
 from sqlalchemy.orm import sessionmaker, scoped_session
 
-# Load environment variables
-load_dotenv()
+# Import DB_URI from central config (handles HF Spaces vs local dev)
+from utils.config import DB_URI
 
-# Get the absolute path to the project root directory
-ROOT_DIR = os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
-
-# Database URL - use DB_URI from env, fallback to default
-DEFAULT_DB_PATH = f"sqlite:///{os.path.join(ROOT_DIR, 'datasets/db/agent_monitoring.db')}"
-DATABASE_URL = os.getenv("DB_URI", DEFAULT_DB_PATH)
+DATABASE_URL = DB_URI
 
 # Create engine
 engine = create_engine(DATABASE_URL, connect_args={"check_same_thread": False})

backend/database/init_db.py

@@ -37,14 +37,15 @@ logger = logging.getLogger(__name__)
 # Get the absolute path to the project root directory
 ROOT_DIR = os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
 
-# Database path - use DB_URI from env, fallback to default
-DEFAULT_DB_PATH = os.path.join(ROOT_DIR, 'datasets/db/agent_monitoring.db')
-DB_URI = os.getenv("DB_URI", f"sqlite:///{DEFAULT_DB_PATH}")
+# Import DB_URI from central config
+from utils.config import DB_URI
+
 # Extract path from sqlite URI
 if DB_URI.startswith("sqlite:///"):
     DB_PATH = DB_URI.replace("sqlite:///", "")
 else:
-    DB_PATH = DEFAULT_DB_PATH
+    # Fallback for non-sqlite databases
+    DB_PATH = os.path.join(ROOT_DIR, 'datasets/db/agent_monitoring.db')
 
 def confirm_reset():
     """Ask for user confirmation before force resetting the database."""
@@ -56,13 +57,23 @@ def confirm_reset():
 def init_database(reset=False, force=False):
     """
     Initialize the database with the required tables.
-    
+
     Args:
         reset: If True, drop and recreate the tables
         force: If True, delete the database file completely
     """
     # Make sure the directory exists
-    os.makedirs(os.path.dirname(DB_PATH), exist_ok=True)
+    db_dir = os.path.dirname(DB_PATH)
+    if db_dir:  # Only try to create if there's a directory path
+        try:
+            os.makedirs(db_dir, exist_ok=True)
+            logger.info(f"Database directory ensured at: {db_dir}")
+        except OSError as e:
+            logger.warning(f"Could not create database directory {db_dir}: {e}")
+            # In HF Spaces, /data might not be available until Persistent Storage is enabled
+            if "/data" in db_dir:
+                logger.warning("HF Spaces Persistent Storage may not be enabled. "
+                             "Database will be stored in ephemeral storage.")
     
     # Check if database exists
     db_exists = os.path.exists(DB_PATH) and os.path.getsize(DB_PATH) > 0

backend/middleware/auth.py

@@ -30,12 +30,13 @@ class ConditionalAuthMiddleware:
         # Paths that don't require authentication even in HF Spaces
         self.excluded_paths = excluded_paths or [
             "/docs",
-            "/redoc", 
+            "/redoc",
             "/openapi.json",
             "/api/observability/health-check",
             "/api/observability/environment",
             "/auth/login",
             "/auth/callback",
+            "/auth/oauth-callback",  # OAuth callback from HF
             "/auth/logout",
             "/auth/login-page",
             "/auth/status",

backend/routers/auth.py

@@ -163,13 +163,17 @@ async def handle_oauth_callback(request: Request, code: str, state: str):
         stored_state = None
         
     if not stored_state:
-        logger.warning(f"🚫 No stored OAuth state found - proceeding without state verification for debugging")
-        # Temporarily skip state verification for debugging
-        # raise HTTPException(status_code=400, detail="No stored state found")
+        logger.error("🚫 No stored OAuth state found - CSRF protection triggered")
+        raise HTTPException(
+            status_code=400,
+            detail="No stored state found. Your session may have expired. Please try logging in again."
+        )
     elif stored_state != state:
-        logger.error(f"🚫 OAuth state mismatch - stored: {stored_state}, received: {state}")
-        # Temporarily skip state verification for debugging  
-        # raise HTTPException(status_code=400, detail="State parameter mismatch")
+        logger.error(f"🚫 OAuth state mismatch - CSRF protection triggered")
+        raise HTTPException(
+            status_code=400,
+            detail="State parameter mismatch. Please try logging in again."
+        )
     else:
         logger.info("✅ OAuth state verification successful")
     

utils/config.py

@@ -53,7 +53,23 @@ if LANGFUSE_PUBLIC_KEY and LANGFUSE_SECRET_KEY:
 ANTHROPIC_API_KEY = os.getenv("ANTHROPIC_API_KEY")
 
 # Database Configuration
-DB_URI = os.getenv("DB_URI", "sqlite:///agent_monitoring.db")
+# For HF Spaces, use /data persistent storage directory
+# For local development, use datasets/db directory
+def _get_default_db_uri():
+    """Get default database URI based on environment."""
+    if os.getenv("SPACE_ID"):  # HF Spaces
+        # Use HF Persistent Storage at /data
+        # Note: /data directory is created by HF when Persistent Storage is enabled
+        # The directory creation is attempted at database init time, not config load time
+        return "sqlite:////data/agent_monitoring.db"
+    else:
+        # Local development - use datasets/db relative to project root
+        project_root = Path(__file__).parent.parent.resolve()
+        db_dir = project_root / "datasets" / "db"
+        os.makedirs(db_dir, exist_ok=True)
+        return f"sqlite:///{db_dir}/agent_monitoring.db"
+
+DB_URI = os.getenv("DB_URI", _get_default_db_uri())
 
 # Function to validate configuration
 def validate_config():