Deploy 2026-01-28 11:09:31

src/flow/ui/auth/router.py

@@ -162,14 +162,20 @@ async def github_oauth_start(
     # Generate state token for CSRF protection
     state = secrets.token_urlsafe(32)
 
+    # Get base URL, respecting X-Forwarded-Proto header for reverse proxies (HF Spaces, etc.)
+    base_url = str(request.base_url).rstrip("/")
+    forwarded_proto = request.headers.get("x-forwarded-proto")
+    if forwarded_proto == "https" and base_url.startswith("http://"):
+        base_url = "https://" + base_url[7:]
+
     # Store the redirect URI with the state (where to send user after auth)
-    callback_uri = redirect_uri or str(request.base_url).rstrip("/")
+    callback_uri = redirect_uri or base_url
     _oauth_states[state] = callback_uri
 
     # Build GitHub authorization URL
     params = {
         "client_id": settings.github_client_id,
-        "redirect_uri": f"{str(request.base_url).rstrip('/')}/api/auth/github/callback",
+        "redirect_uri": f"{base_url}/api/auth/github/callback",
         "scope": "read:user",
         "state": state,
     }

src/flow/ui/ui/index.html

@@ -8,7 +8,7 @@
     <link rel="preconnect" href="https://fonts.googleapis.com">
     <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
     <link href="https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;500;600;700&display=swap" rel="stylesheet">
-    <script type="module" crossorigin src="/assets/index-2zMAgGgo.js"></script>
+    <script type="module" crossorigin src="/assets/index-BU8a-zoU.js"></script>
     <link rel="stylesheet" crossorigin href="/assets/index-BHAF8mLj.css">
   </head>
   <body>