ui and stuff

public/app.js

@@ -2490,6 +2490,9 @@
     state.pagePayload = payload;
     document.title = routeTitle(payload.page);
     updateActiveNav();
+    root.dataset.pageKind = payload.page?.kind || "";
+    root.dataset.pageTab = payload.page?.tab || "";
+    root.dataset.resourceType = payload.page?.resourceType || "";
     root.innerHTML = renderPage(payload.page);
     root.setAttribute("aria-busy", "false");
     attachPageEffects(payload.page);

public/styles.css

@@ -1175,3 +1175,890 @@ button {
     padding: 16px 18px 0;
   }
 }
+
+/* Professional workspace relayout */
+
+:root {
+  --bg: #e7edf2;
+  --surface: #ffffff;
+  --surface-muted: #f2f5f8;
+  --surface-soft: #f8fafc;
+  --ink: #111827;
+  --muted: #556273;
+  --line: #c7d1dc;
+  --line-strong: #9ba9b8;
+  --accent: #a96d08;
+  --accent-soft: #f5e4c1;
+  --success: #0f6d48;
+  --warning: #915e06;
+  --danger: #aa3c2b;
+  --blue: #2457a6;
+  --shadow: 0 16px 38px rgba(17, 24, 39, 0.06);
+  --radius-xl: 6px;
+  --radius-lg: 5px;
+  --radius-md: 4px;
+  --radius-sm: 3px;
+}
+
+html,
+body {
+  font-family: "Aptos", "Segoe UI Variable Text", "Segoe UI", "Helvetica Neue", sans-serif;
+  background:
+    linear-gradient(180deg, rgba(255, 255, 255, 0.8), rgba(255, 255, 255, 0.8)),
+    linear-gradient(rgba(17, 24, 39, 0.03) 1px, transparent 1px),
+    linear-gradient(90deg, rgba(17, 24, 39, 0.03) 1px, transparent 1px),
+    var(--bg);
+  background-size: auto, 32px 32px, 32px 32px, auto;
+}
+
+body {
+  letter-spacing: 0.01em;
+}
+
+a:focus-visible,
+button:focus-visible,
+input:focus-visible,
+select:focus-visible,
+textarea:focus-visible {
+  outline: 2px solid rgba(36, 87, 166, 0.42);
+  outline-offset: 2px;
+}
+
+.mono,
+.stream-output,
+.file-editor,
+.file-content {
+  font-family: "Cascadia Mono", "IBM Plex Mono", "SFMono-Regular", Consolas, monospace;
+}
+
+.login-panel,
+.panel,
+.hero-panel,
+.content-section,
+.page-header,
+.loading-panel {
+  border-radius: var(--radius-md);
+  border-color: var(--line-strong);
+  background: linear-gradient(180deg, rgba(255, 255, 255, 0.98), rgba(249, 251, 252, 0.96));
+  box-shadow: var(--shadow);
+}
+
+.login-shell {
+  width: min(860px, 100%);
+}
+
+.login-panel {
+  display: grid;
+  gap: 18px;
+  padding: 36px;
+  border-top: 5px solid var(--ink);
+}
+
+.login-copy h1 {
+  font-size: clamp(30px, 4vw, 48px);
+  max-width: 15ch;
+}
+
+.eyebrow {
+  color: var(--blue);
+  font-size: 11px;
+  letter-spacing: 0.14em;
+}
+
+.page-shell[data-page-kind="space"] .eyebrow,
+.page-shell[data-page-kind="model"] .eyebrow,
+.page-shell[data-page-kind="dataset"] .eyebrow,
+.page-shell[data-page-kind="bucket"] .eyebrow {
+  color: var(--accent);
+}
+
+.login-form input,
+.search-input,
+.branch-select,
+.file-editor,
+.text-input,
+.form-textarea {
+  border-color: var(--line-strong);
+  border-radius: var(--radius-md);
+  background: #fff;
+}
+
+.primary-button,
+.secondary-button,
+.danger-button,
+.ghost-button,
+.menu-button,
+.menu-link,
+.user-trigger {
+  min-height: 44px;
+  border-radius: var(--radius-md);
+  font-weight: 600;
+}
+
+.primary-button {
+  background: #18212d;
+}
+
+.primary-button:hover,
+.user-trigger:hover {
+  background: #223041;
+}
+
+.secondary-button,
+.danger-button,
+.ghost-button,
+.menu-button,
+.menu-link,
+.user-trigger {
+  border-color: var(--line-strong);
+  background: #fff;
+}
+
+.danger-button {
+  background: #fff2f0;
+  border-color: #e7b4aa;
+  color: #a83d2d;
+}
+
+.create-type-button.is-active {
+  background: #18212d;
+  border-color: #18212d;
+}
+
+.app-body {
+  padding: 18px;
+}
+
+.app-shell {
+  width: min(1500px, 100%);
+}
+
+.topbar {
+  top: 18px;
+  display: grid;
+  grid-template-columns: minmax(0, 1fr) auto;
+  gap: 16px;
+  padding: 14px 18px;
+  border-radius: var(--radius-md);
+  border: 1px solid var(--line-strong);
+  background: rgba(253, 254, 255, 0.98);
+  backdrop-filter: none;
+}
+
+.brand-row {
+  display: grid;
+  grid-template-columns: auto minmax(0, 1fr);
+  gap: 18px;
+  align-items: center;
+}
+
+.brand-text-lockup {
+  font-size: 14px;
+  font-weight: 800;
+  letter-spacing: 0.12em;
+  text-transform: uppercase;
+}
+
+.nav-links {
+  gap: 0;
+  flex-wrap: nowrap;
+  overflow: auto;
+  border: 1px solid var(--line);
+  background: #edf2f7;
+}
+
+.nav-links a {
+  min-height: 40px;
+  padding: 0 16px;
+  border-right: 1px solid var(--line);
+  border-radius: 0;
+  color: var(--muted);
+  font-size: 14px;
+  font-weight: 700;
+  white-space: nowrap;
+}
+
+.nav-links a:last-child {
+  border-right: 0;
+}
+
+.nav-links a:hover,
+.nav-links a.is-active {
+  background: #fff;
+  color: var(--ink);
+  box-shadow: inset 0 -2px 0 var(--accent);
+}
+
+.toolbar {
+  justify-self: end;
+  gap: 12px;
+}
+
+.search-shell {
+  width: min(34vw, 420px);
+}
+
+.search-results,
+.user-popover {
+  border-radius: var(--radius-md);
+  border-color: var(--line-strong);
+  box-shadow: var(--shadow);
+}
+
+.search-result-row,
+.menu-link,
+.menu-button {
+  border-radius: var(--radius-md);
+}
+
+.flash-stack {
+  top: 88px;
+}
+
+.flash-message {
+  border-radius: var(--radius-md);
+}
+
+.page-shell {
+  margin-top: 16px;
+  gap: 16px;
+}
+
+.hero-panel,
+.content-section,
+.page-header,
+.panel,
+.loading-panel {
+  padding: 22px 24px;
+}
+
+.page-header {
+  align-items: end;
+  border-left: 4px solid var(--ink);
+}
+
+.page-shell[data-page-kind="settings"] .page-header,
+.page-shell[data-page-kind="collection"] .page-header {
+  border-left-color: var(--blue);
+}
+
+.page-shell[data-page-kind="space"] .page-header,
+.page-shell[data-page-kind="model"] .page-header,
+.page-shell[data-page-kind="dataset"] .page-header,
+.page-shell[data-page-kind="bucket"] .page-header {
+  border-left-color: var(--accent);
+}
+
+.hero-panel {
+  grid-template-columns: minmax(0, 1.35fr) minmax(320px, 0.95fr);
+  gap: 18px;
+  align-items: stretch;
+  border-top: 4px solid var(--accent);
+}
+
+.page-header h1,
+.hero-copy h1,
+.section-head h2,
+.panel-head h2 {
+  letter-spacing: -0.02em;
+}
+
+.hero-copy p,
+.page-subtitle,
+.body-copy,
+.plain-list {
+  max-width: 72ch;
+}
+
+.meta-badge {
+  min-height: 28px;
+  padding: 0 10px;
+  border-radius: 2px;
+  font-size: 11px;
+  font-weight: 700;
+  letter-spacing: 0.08em;
+  text-transform: uppercase;
+  background: #f6f8fa;
+}
+
+.meta-badge.accent {
+  border-color: #e6c78e;
+}
+
+.button-row,
+.meta-badge-row {
+  gap: 8px;
+}
+
+.content-grid {
+  display: grid;
+  grid-template-columns: repeat(12, minmax(0, 1fr));
+  gap: 16px;
+}
+
+.content-grid > * {
+  min-width: 0;
+  grid-column: 1 / -1;
+}
+
+.content-grid.two-up > * {
+  grid-column: span 6;
+}
+
+.content-grid.two-up > :only-child,
+.full-span {
+  grid-column: 1 / -1;
+}
+
+.files-grid > article {
+  grid-column: span 8;
+}
+
+.files-grid > aside {
+  grid-column: span 4;
+}
+
+.stats-grid {
+  display: grid;
+  grid-template-columns: repeat(2, minmax(0, 1fr));
+  gap: 12px;
+  width: 100%;
+}
+
+.stats-grid.compact {
+  margin-top: 16px;
+}
+
+.stat-card {
+  min-height: 0;
+  padding: 16px;
+  border-radius: var(--radius-md);
+  background: #fff;
+  border: 1px solid var(--line);
+  border-top: 3px solid var(--ink);
+}
+
+.stat-card:nth-child(2n) {
+  border-top-color: var(--blue);
+}
+
+.stat-card:nth-child(3n) {
+  border-top-color: var(--accent);
+}
+
+.stat-label {
+  font-size: 11px;
+  font-weight: 700;
+  letter-spacing: 0.08em;
+  text-transform: uppercase;
+}
+
+.stat-value {
+  margin-top: 10px;
+  font-size: clamp(24px, 3vw, 34px);
+  line-height: 1.1;
+}
+
+.page-shell[data-page-kind="space"][data-page-tab="app"] .stat-value,
+.page-shell[data-page-kind="space"][data-page-tab="settings"] .stat-value {
+  font-size: clamp(18px, 2vw, 26px);
+}
+
+.section-head,
+.panel-head {
+  margin-bottom: 16px;
+  padding-bottom: 12px;
+  border-bottom: 1px solid var(--line);
+}
+
+.panel-head.between {
+  align-items: end;
+}
+
+.section-head a {
+  font-size: 12px;
+  font-weight: 700;
+  letter-spacing: 0.08em;
+  text-transform: uppercase;
+}
+
+.resource-list,
+.activity-list,
+.mini-grid,
+.plain-list,
+.detail-list,
+.file-entry-list,
+.badge-grid,
+.settings-link-list,
+.settings-item-list {
+  gap: 10px;
+}
+
+.page-shell[data-page-kind="dashboard"] .resource-list,
+.page-shell[data-page-kind="collection"] .resource-list {
+  grid-template-columns: repeat(2, minmax(0, 1fr));
+}
+
+.resource-row,
+.mini-card,
+.activity-item,
+.file-entry-row,
+.settings-link-row,
+.settings-item-card {
+  border-radius: var(--radius-md);
+  background: #fff;
+  border-color: var(--line);
+  box-shadow: none;
+}
+
+.resource-row,
+.file-entry-row {
+  display: grid;
+  grid-template-columns: minmax(0, 1fr) auto;
+  align-items: start;
+  min-height: 0;
+  padding: 16px 18px;
+}
+
+.resource-row:hover,
+.file-entry-row:hover,
+.settings-link-row:hover,
+.external-row:hover {
+  background: #fff;
+  border-color: var(--line-strong);
+  box-shadow: inset 0 0 0 1px var(--line-strong);
+}
+
+.resource-row-title,
+.file-entry-title,
+.activity-item-title {
+  font-size: 17px;
+}
+
+.resource-row-subtitle,
+.file-entry-meta,
+.resource-row-meta,
+.activity-item-meta,
+.mini-card-subtitle,
+.search-result-meta,
+.settings-item-meta,
+.settings-link-arrow,
+.resource-row-updated {
+  font-size: 13px;
+}
+
+.resource-row-side,
+.file-entry-side,
+.resource-row-updated,
+.settings-link-arrow {
+  color: var(--muted);
+  font-weight: 700;
+  letter-spacing: 0.08em;
+  text-transform: uppercase;
+}
+
+.activity-item,
+.settings-link-row {
+  min-height: 0;
+  padding: 16px 18px;
+}
+
+.settings-link-row {
+  align-items: start;
+}
+
+.mini-card {
+  min-height: 0;
+  padding: 16px 18px;
+}
+
+.mini-grid {
+  grid-template-columns: repeat(auto-fit, minmax(220px, 1fr));
+}
+
+.badge-grid {
+  grid-template-columns: repeat(auto-fit, minmax(120px, 1fr));
+}
+
+.page-header,
+.hero-panel,
+.content-section {
+  overflow: hidden;
+}
+
+.section-tabs {
+  gap: 0;
+  flex-wrap: nowrap;
+  overflow: auto;
+  margin-top: -2px;
+  padding: 0;
+  border: 1px solid var(--line-strong);
+  border-radius: var(--radius-md);
+  background: #edf2f7;
+}
+
+.section-tabs a {
+  min-height: 42px;
+  padding: 0 16px;
+  border: 0;
+  border-right: 1px solid var(--line);
+  border-radius: 0;
+  background: transparent;
+  color: var(--muted);
+  font-weight: 700;
+  white-space: nowrap;
+}
+
+.section-tabs a:last-child {
+  border-right: 0;
+}
+
+.section-tabs a.is-active {
+  background: #fff;
+  color: var(--ink);
+  border-color: transparent;
+  box-shadow: inset 0 -2px 0 var(--accent);
+}
+
+.inline-notice,
+.empty-state,
+.error-banner {
+  border-radius: var(--radius-md);
+  border-left: 4px solid var(--line-strong);
+  background: #f4f7fa;
+}
+
+.inline-notice.tone-warning {
+  border-left-color: #d5a44d;
+}
+
+.error-banner {
+  border-left-color: #d65a4c;
+}
+
+.detail-list div {
+  display: grid;
+  grid-template-columns: minmax(120px, 180px) minmax(0, 1fr);
+  align-items: start;
+}
+
+.detail-list dd {
+  justify-self: end;
+  text-align: right;
+}
+
+.plain-list li + li {
+  margin-top: 10px;
+}
+
+.settings-item-card {
+  padding: 16px 18px;
+}
+
+.settings-item-value {
+  margin-top: 12px;
+  padding-top: 12px;
+  border-top: 1px solid var(--line);
+}
+
+.field-grid.two-col,
+.settings-split-grid {
+  gap: 12px;
+}
+
+.danger-panel {
+  border-left: 4px solid #d65a4c;
+  border-top: 0;
+}
+
+.files-layout {
+  display: grid;
+  grid-template-columns: minmax(260px, 320px) minmax(0, 1fr);
+  gap: 16px;
+  margin-top: 16px;
+}
+
+.files-column {
+  min-width: 0;
+}
+
+.breadcrumbs {
+  margin-top: 16px;
+  padding: 10px 12px;
+  border: 1px solid var(--line);
+  border-radius: var(--radius-md);
+  background: #f6f8fa;
+}
+
+.breadcrumb-divider {
+  color: var(--line-strong);
+}
+
+.file-preview-wrap {
+  gap: 12px;
+}
+
+.editor-meta {
+  padding: 10px 12px;
+  border: 1px solid var(--line);
+  border-radius: var(--radius-md);
+  background: #f6f8fa;
+}
+
+.file-editor {
+  min-height: 360px;
+}
+
+.file-content {
+  min-height: 360px;
+  padding: 18px;
+  border-radius: var(--radius-md);
+  border: 1px solid var(--line-strong);
+  background: #fff;
+}
+
+.console-panel {
+  border-top: 4px solid #26374e;
+  padding-bottom: 0;
+}
+
+.stream-toolbar {
+  display: grid;
+  grid-template-columns: minmax(0, 1fr) auto;
+  gap: 12px;
+  align-items: center;
+  margin-top: 16px;
+  padding: 14px 0 16px;
+}
+
+.stream-tab-row {
+  display: grid;
+  grid-template-columns: repeat(4, minmax(0, 1fr));
+  gap: 0;
+  overflow: hidden;
+  border: 1px solid #32455c;
+  background: #142031;
+}
+
+.stream-tab-button {
+  min-height: 44px;
+  padding: 0 16px;
+  border: 0;
+  border-right: 1px solid #32455c;
+  border-radius: 0;
+  background: transparent;
+  color: #d8e1ec;
+  justify-content: flex-start;
+  font-size: 12px;
+  font-weight: 700;
+  letter-spacing: 0.08em;
+  text-transform: uppercase;
+}
+
+.stream-tab-button:last-child {
+  border-right: 0;
+}
+
+.stream-tab-button:hover {
+  background: #1b2940;
+  color: #fff;
+}
+
+.stream-tab-button.is-active {
+  background: #21324b;
+  border-color: #32455c;
+  color: #fff;
+  box-shadow: inset 0 -2px 0 var(--accent);
+}
+
+.stream-caption,
+.stream-panel-copy {
+  font-size: 12px;
+  letter-spacing: 0.04em;
+}
+
+.stream-caption {
+  white-space: nowrap;
+}
+
+.stream-tab-panels {
+  margin: 0 -24px;
+  background: #0b1220;
+}
+
+.stream-panel-meta {
+  display: grid;
+  grid-template-columns: auto minmax(0, 1fr);
+  gap: 10px 16px;
+  align-items: end;
+  padding: 16px 24px 12px;
+  color: #d8e2f0;
+  border-bottom: 1px solid #223043;
+}
+
+.stream-panel-title {
+  color: #f8fbff;
+  font-size: 12px;
+  font-weight: 700;
+  letter-spacing: 0.1em;
+  text-transform: uppercase;
+}
+
+.stream-panel-copy {
+  justify-self: end;
+  color: #98aac0;
+  text-align: right;
+}
+
+.stream-output {
+  min-height: 420px;
+  padding: 18px 24px 24px 70px;
+  background:
+    linear-gradient(
+      90deg,
+      rgba(148, 163, 184, 0.08) 0,
+      rgba(148, 163, 184, 0.08) 48px,
+      rgba(61, 81, 109, 0.9) 48px,
+      rgba(61, 81, 109, 0.9) 49px,
+      transparent 49px
+    ),
+    repeating-linear-gradient(
+      180deg,
+      rgba(148, 163, 184, 0.08) 0,
+      rgba(148, 163, 184, 0.08) 1px,
+      transparent 1px,
+      transparent 24px
+    ),
+    linear-gradient(180deg, #0d1522, #0a111b);
+  color: #d8e2f0;
+  font-size: 13px;
+  line-height: 1.55;
+  tab-size: 2;
+}
+
+.page-shell[data-page-tab="files"] .activity-list,
+.page-shell[data-page-tab="community"] .activity-list {
+  align-content: start;
+}
+
+@media (max-width: 1200px) {
+  .topbar {
+    grid-template-columns: 1fr;
+  }
+
+  .toolbar {
+    justify-self: stretch;
+  }
+
+  .search-shell {
+    width: 100%;
+  }
+
+  .content-grid.two-up > * {
+    grid-column: 1 / -1;
+  }
+
+  .files-grid > article,
+  .files-grid > aside {
+    grid-column: 1 / -1;
+  }
+
+  .page-shell[data-page-kind="dashboard"] .resource-list,
+  .page-shell[data-page-kind="collection"] .resource-list {
+    grid-template-columns: 1fr;
+  }
+}
+
+@media (max-width: 980px) {
+  .hero-panel,
+  .files-layout {
+    grid-template-columns: 1fr;
+  }
+
+  .stream-toolbar {
+    grid-template-columns: 1fr;
+  }
+
+  .stream-caption {
+    white-space: normal;
+  }
+
+  .stream-panel-copy {
+    justify-self: start;
+    text-align: left;
+  }
+}
+
+@media (max-width: 720px) {
+  .app-body {
+    padding: 12px;
+  }
+
+  .topbar,
+  .login-panel,
+  .hero-panel,
+  .page-header,
+  .content-section,
+  .panel,
+  .loading-panel {
+    padding: 18px;
+  }
+
+  .brand-row {
+    grid-template-columns: 1fr;
+  }
+
+  .nav-links {
+    flex-wrap: wrap;
+  }
+
+  .nav-links a {
+    border-right: 0;
+    border-bottom: 1px solid var(--line);
+  }
+
+  .section-tabs {
+    flex-wrap: wrap;
+  }
+
+  .section-tabs a {
+    flex: 1 1 48%;
+    border-right: 0;
+    border-bottom: 1px solid var(--line);
+  }
+
+  .stats-grid,
+  .mini-grid,
+  .badge-grid,
+  .page-shell[data-page-kind="dashboard"] .resource-list,
+  .page-shell[data-page-kind="collection"] .resource-list {
+    grid-template-columns: 1fr;
+  }
+
+  .stream-tab-row {
+    grid-template-columns: repeat(2, minmax(0, 1fr));
+  }
+
+  .stream-tab-panels {
+    margin: 0 -18px;
+  }
+
+  .stream-panel-meta {
+    grid-template-columns: 1fr;
+    padding: 14px 18px 10px;
+  }
+
+  .stream-output {
+    min-height: 320px;
+    padding: 16px 18px 20px 60px;
+  }
+
+  .detail-list div {
+    grid-template-columns: 1fr;
+  }
+
+  .detail-list dd {
+    justify-self: start;
+    text-align: left;
+  }
+}

server.js

@@ -106,6 +106,46 @@ function shouldUseSecureCookies() {
   return process.env.NODE_ENV === "production" || process.env.COOKIE_SECURE === "true";
 }
 
+function getExpectedOrigin(req) {
+  const forwardedProto = String(req.headers["x-forwarded-proto"] || "")
+    .split(",")[0]
+    .trim()
+    .toLowerCase();
+  const protocol = forwardedProto || (req.socket.encrypted ? "https" : "http");
+  const host = String(req.headers.host || "").trim();
+  return host ? `${protocol}://${host}` : "";
+}
+
+function matchesTrustedOrigin(req) {
+  const expectedOrigin = getExpectedOrigin(req);
+  if (!expectedOrigin) {
+    return false;
+  }
+
+  const origin = String(req.headers.origin || "").trim();
+  if (origin) {
+    return origin === expectedOrigin;
+  }
+
+  const referer = String(req.headers.referer || "").trim();
+  if (referer) {
+    try {
+      return new URL(referer).origin === expectedOrigin;
+    } catch (error) {
+      return false;
+    }
+  }
+
+  const fetchSite = String(req.headers["sec-fetch-site"] || "")
+    .trim()
+    .toLowerCase();
+  if (fetchSite) {
+    return fetchSite === "same-origin" || fetchSite === "same-site" || fetchSite === "none";
+  }
+
+  return false;
+}
+
 function redirect(res, location) {
   res.writeHead(302, {
     ...SECURITY_HEADERS,
@@ -302,6 +342,17 @@ async function handleAuthFailure(res, session) {
 }
 
 async function handleLogin(req, res) {
+  if (!matchesTrustedOrigin(req)) {
+    sendHtml(
+      res,
+      403,
+      renderLoginPage({
+        loginError: "That sign-in attempt was blocked because the request origin did not match this workspace.",
+      }),
+    );
+    return;
+  }
+
   const rawBody = await readBody(req);
   const form = parseFormBody(rawBody);
   const accessToken = (form.accessToken || "").trim();

test/auth-flow.test.js

@@ -182,10 +182,28 @@ async function run() {
     const appAddress = appServer.address();
     const baseUrl = `http://127.0.0.1:${appAddress.port}`;
 
+    const blockedLoginResponse = await fetch(`${baseUrl}/auth/login`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Origin: "http://evil.example",
+      },
+      body: new URLSearchParams({
+        accessToken: "hf_test_token",
+      }),
+      redirect: "manual",
+    });
+
+    const blockedHtml = await blockedLoginResponse.text();
+    assert.equal(blockedLoginResponse.status, 403);
+    assert.equal(blockedLoginResponse.headers.get("set-cookie"), null);
+    assert.match(blockedHtml, /request origin did not match/i);
+
     const loginResponse = await fetch(`${baseUrl}/auth/login`, {
       method: "POST",
       headers: {
         "Content-Type": "application/x-www-form-urlencoded",
+        Origin: baseUrl,
       },
       body: new URLSearchParams({
         accessToken: "hf_test_token",

test/bucket-pages.test.js

@@ -152,6 +152,7 @@ async function login(baseUrl) {
     method: "POST",
     headers: {
       "Content-Type": "application/x-www-form-urlencoded",
+      Origin: baseUrl,
     },
     body: new URLSearchParams({
       accessToken: "hf_test_token",

test/resource-mutations.test.js

@@ -115,6 +115,7 @@ async function loginAndGetSession(baseUrl) {
     method: "POST",
     headers: {
       "Content-Type": "application/x-www-form-urlencoded",
+      Origin: baseUrl,
     },
     body: new URLSearchParams({
       accessToken: "hf_test_token",

test/space-settings.test.js

@@ -138,6 +138,7 @@ async function login(baseUrl) {
     method: "POST",
     headers: {
       "Content-Type": "application/x-www-form-urlencoded",
+      Origin: baseUrl,
     },
     body: new URLSearchParams({
       accessToken: "hf_test_token",