Create proxy.py

proxy.py

@@ -0,0 +1,107 @@
+import os
+import base64
+import secrets
+import httpx
+from fastapi import FastAPI, Request, HTTPException
+from fastapi.responses import RedirectResponse, Response
+from urllib.parse import quote
+
+app = FastAPI()
+LT_INTERNAL = "http://127.0.0.1:5000"
+
+CLIENT_ID     = os.environ.get("OAUTH_CLIENT_ID")
+CLIENT_SECRET = os.environ.get("OAUTH_CLIENT_SECRET")
+SPACE_HOST    = os.environ.get("SPACE_HOST", "localhost")
+REDIRECT_URI  = f"https://{SPACE_HOST}/auth/callback"
+
+# In-memory session store (fine for a single-container Space)
+sessions: dict[str, dict] = {}
+
+# ── OAuth login ─────────────────────────────────────────────
+@app.get("/auth/login")
+async def auth_login():
+    state = secrets.token_urlsafe(32)
+    scope = quote("openid profile")
+    url = (
+        f"https://huggingface.co/oauth/authorize"
+        f"?client_id={CLIENT_ID}"
+        f"&redirect_uri={quote(REDIRECT_URI)}"
+        f"&response_type=code"
+        f"&scope={scope}"
+        f"&state={state}"
+    )
+    resp = RedirectResponse(url)
+    resp.set_cookie("oauth_state", state, max_age=600, httponly=True, samesite="lax")
+    return resp
+
+# ── OAuth callback ──────────────────────────────────────────
+@app.get("/auth/callback")
+async def auth_callback(code: str, state: str):
+    # NOTE: In production, verify that `state` matches the cookie.
+    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
+    async with httpx.AsyncClient() as client:
+        r = await client.post(
+            "https://huggingface.co/oauth/token",
+            data={
+                "grant_type": "authorization_code",
+                "code": code,
+                "redirect_uri": REDIRECT_URI,
+            },
+            headers={"Authorization": f"Basic {basic}"},
+            timeout=30.0,
+        )
+    if r.status_code != 200:
+        raise HTTPException(status_code=400, detail="HuggingFace OAuth failed")
+
+    token_data = r.json()
+    session_id = secrets.token_urlsafe(32)
+    sessions[session_id] = token_data
+
+    resp = RedirectResponse("/")
+    resp.set_cookie("lt_session", session_id, httponly=True, samesite="lax")
+    return resp
+
+# ── Proxy everything ────────────────────────────────────────
+@app.api_route("/{path:path}", methods=["GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD", "PATCH"])
+async def proxy(request: Request, path: str):
+    # Guard /suggest behind HF OAuth
+    if path == "suggest" and request.method == "POST":
+        session = request.cookies.get("lt_session")
+        if not session or session not in sessions:
+            raise HTTPException(
+                status_code=401,
+                detail="You must be logged in with a HuggingFace account to submit suggestions. "
+                       "Visit /auth/login first."
+            )
+
+    # Forward to LibreTranslate
+    async with httpx.AsyncClient() as client:
+        url = f"{LT_INTERNAL}/{path}"
+        if request.query_params:
+            url = f"{url}?{request.query_params}"
+
+        body = await request.body()
+        headers = {
+            k: v for k, v in request.headers.items()
+            if k.lower() not in ("host", "content-length")
+        }
+
+        try:
+            lt_resp = await client.request(
+                method=request.method,
+                url=url,
+                headers=headers,
+                content=body,
+                timeout=60.0,
+                follow_redirects=True,
+            )
+        except Exception as e:
+            raise HTTPException(status_code=502, detail=f"LibreTranslate unreachable: {e}")
+
+    # Strip hop-by-hop headers
+    excluded = {"content-encoding", "transfer-encoding", "content-length"}
+    return Response(
+        content=lt_resp.content,
+        status_code=lt_resp.status_code,
+        headers={k: v for k, v in lt_resp.headers.items() if k.lower() not in excluded},
+    )