Spaces:

mishig
/

chat-ui

Running on CPU Upgrade

victor HF Staff commited on Nov 12, 2025

Commit

cb738c8

1 Parent(s): 86a2299

mcp: switch HF MCP login to https://hf.co/mcp?login and accept hf.co in strict checks

- Update examples and Helm envs to use hf.co endpoint
- Relax isStrictHfMcpLogin to allow both hf.co and huggingface.co
- Keeps functionality identical while preferring the shorter domain

Files changed (6) hide show

.env +1 -1
README.md +1 -1
chart/env/dev.yaml +1 -1
chart/env/prod.yaml +1 -1
src/lib/server/mcp/hf.ts +13 -11
src/lib/utils/hf.ts +13 -11

.env CHANGED Viewed

@@ -119,7 +119,7 @@ LLM_SUMMARIZATION=true # generate conversation titles with LLMs
 ALLOW_IFRAME=true # Allow the app to be embedded in an iframe
-# Base servers list (JSON array). Example: MCP_SERVERS=[{"name": "Web Search (Exa)", "url": "https://mcp.exa.ai/mcp"}, {"name": "Hugging Face", "url": "https://huggingface.co/mcp"}]
 MCP_SERVERS=
 # When true, forward the logged-in user's Hugging Face access token
 MCP_FORWARD_HF_USER_TOKEN=

 ALLOW_IFRAME=true # Allow the app to be embedded in an iframe
+# Base servers list (JSON array). Example: MCP_SERVERS=[{"name": "Web Search (Exa)", "url": "https://mcp.exa.ai/mcp"}, {"name": "Hugging Face", "url": "https://hf.co/mcp"}]
 MCP_SERVERS=
 # When true, forward the logged-in user's Hugging Face access token
 MCP_FORWARD_HF_USER_TOKEN=

README.md CHANGED Viewed

@@ -157,7 +157,7 @@ Configure servers (base list for all users):
 # JSON array of servers: name, url, optional headers
 MCP_SERVERS=[
   {"name": "Web Search (Exa)", "url": "https://mcp.exa.ai/mcp"},
-  {"name": "Hugging Face MCP Login", "url": "https://huggingface.co/mcp?login"}
 ]
 # Forward the signed-in user's Hugging Face token to the official HF MCP login endpoint

 # JSON array of servers: name, url, optional headers
 MCP_SERVERS=[
   {"name": "Web Search (Exa)", "url": "https://mcp.exa.ai/mcp"},
+  {"name": "Hugging Face MCP Login", "url": "https://hf.co/mcp?login"}
 ]
 # Forward the signed-in user's Hugging Face token to the official HF MCP login endpoint

chart/env/dev.yaml CHANGED Viewed

@@ -71,7 +71,7 @@ envVars:
   LLM_ROUTER_ENABLE_TOOLS: "true"
   LLM_ROUTER_TOOLS_MODEL: "moonshotai/Kimi-K2-Instruct-0905"
   MCP_SERVERS: >
-    [{"name": "Web Search (Exa)", "url": "https://mcp.exa.ai/mcp"}, {"name": "Hugging Face", "url": "https://huggingface.co/mcp?login"}]
   PUBLIC_LLM_ROUTER_DISPLAY_NAME: "Omni"
   PUBLIC_LLM_ROUTER_LOGO_URL: "https://cdn-uploads.huggingface.co/production/uploads/5f17f0a0925b9863e28ad517/C5V0v1xZXv6M7FXsdJH9b.png"
   PUBLIC_LLM_ROUTER_ALIAS_ID: "omni"

   LLM_ROUTER_ENABLE_TOOLS: "true"
   LLM_ROUTER_TOOLS_MODEL: "moonshotai/Kimi-K2-Instruct-0905"
   MCP_SERVERS: >
+    [{"name": "Web Search (Exa)", "url": "https://mcp.exa.ai/mcp"}, {"name": "Hugging Face", "url": "https://hf.co/mcp?login"}]
   PUBLIC_LLM_ROUTER_DISPLAY_NAME: "Omni"
   PUBLIC_LLM_ROUTER_LOGO_URL: "https://cdn-uploads.huggingface.co/production/uploads/5f17f0a0925b9863e28ad517/C5V0v1xZXv6M7FXsdJH9b.png"
   PUBLIC_LLM_ROUTER_ALIAS_ID: "omni"

chart/env/prod.yaml CHANGED Viewed

@@ -81,7 +81,7 @@ envVars:
   LLM_ROUTER_ENABLE_TOOLS: "true"
   LLM_ROUTER_TOOLS_MODEL: "moonshotai/Kimi-K2-Instruct-0905"
   MCP_SERVERS: >
-    [{"name": "Web Search (Exa)", "url": "https://mcp.exa.ai/mcp"}, {"name": "Hugging Face", "url": "https://huggingface.co/mcp?login"}]
   PUBLIC_LLM_ROUTER_DISPLAY_NAME: "Omni"
   PUBLIC_LLM_ROUTER_LOGO_URL: "https://cdn-uploads.huggingface.co/production/uploads/5f17f0a0925b9863e28ad517/C5V0v1xZXv6M7FXsdJH9b.png"
   PUBLIC_LLM_ROUTER_ALIAS_ID: "omni"

   LLM_ROUTER_ENABLE_TOOLS: "true"
   LLM_ROUTER_TOOLS_MODEL: "moonshotai/Kimi-K2-Instruct-0905"
   MCP_SERVERS: >
+    [{"name": "Web Search (Exa)", "url": "https://mcp.exa.ai/mcp"}, {"name": "Hugging Face", "url": "https://hf.co/mcp?login"}]
   PUBLIC_LLM_ROUTER_DISPLAY_NAME: "Omni"
   PUBLIC_LLM_ROUTER_LOGO_URL: "https://cdn-uploads.huggingface.co/production/uploads/5f17f0a0925b9863e28ad517/C5V0v1xZXv6M7FXsdJH9b.png"
   PUBLIC_LLM_ROUTER_ALIAS_ID: "omni"

src/lib/server/mcp/hf.ts CHANGED Viewed

@@ -4,17 +4,19 @@ export const hasAuthHeader = (h?: Record<string, string>) =>
 	!!h && Object.keys(h).some((k) => k.toLowerCase() === "authorization");
 export const isStrictHfMcpLogin = (urlString: string) => {
-	try {
-		const u = new URL(urlString);
-		return (
-			u.protocol === "https:" &&
-			u.hostname === "huggingface.co" &&
-			u.pathname === "/mcp" &&
-			u.search === "?login"
-		);
-	} catch {
-		return false;
-	}
 };
 export const hasNonEmptyToken = (tok: unknown): tok is string =>

 	!!h && Object.keys(h).some((k) => k.toLowerCase() === "authorization");
 export const isStrictHfMcpLogin = (urlString: string) => {
+    try {
+        const u = new URL(urlString);
+        const host = u.hostname.toLowerCase();
+        const allowedHosts = new Set(["hf.co", "huggingface.co"]);
+        return (
+            u.protocol === "https:" &&
+            allowedHosts.has(host) &&
+            u.pathname === "/mcp" &&
+            u.search === "?login"
+        );
+    } catch {
+        return false;
+    }
 };
 export const hasNonEmptyToken = (tok: unknown): tok is string =>

src/lib/utils/hf.ts CHANGED Viewed

@@ -1,15 +1,17 @@
 // Client-safe HF utilities used in UI components
 export function isStrictHfMcpLogin(urlString: string): boolean {
-	try {
-		const u = new URL(urlString);
-		return (
-			u.protocol === "https:" &&
-			u.hostname === "huggingface.co" &&
-			u.pathname === "/mcp" &&
-			u.search === "?login"
-		);
-	} catch {
-		return false;
-	}
 }

 // Client-safe HF utilities used in UI components
 export function isStrictHfMcpLogin(urlString: string): boolean {
+    try {
+        const u = new URL(urlString);
+        const host = u.hostname.toLowerCase();
+        const allowedHosts = new Set(["hf.co", "huggingface.co"]);
+        return (
+            u.protocol === "https:" &&
+            allowedHosts.has(host) &&
+            u.pathname === "/mcp" &&
+            u.search === "?login"
+        );
+    } catch {
+        return false;
+    }
 }