Upload folder using huggingface_hub

app.py

@@ -29,6 +29,7 @@ import logging
 import os
 import re
 import secrets
+import time
 from contextlib import asynccontextmanager
 from datetime import datetime, timezone
 from pathlib import Path
@@ -83,15 +84,32 @@ async def lifespan(app: FastAPI):
     headers: dict[str, str] = {}
     if HF_TOKEN:
         headers["Authorization"] = f"Bearer {HF_TOKEN}"
+    # Connection pool: ~100+ files fan-out per /api/messages call. Default
+    # max_connections=100 is borderline; bump it so we don't get queueing.
     app.state.client = httpx.AsyncClient(
         headers=headers,
         timeout=httpx.Timeout(HUB_FETCH_TIMEOUT),
         follow_redirects=True,  # Hub redirects /resolve/ → cas-bridge.xethub
+        limits=httpx.Limits(max_connections=200, max_keepalive_connections=50),
     )
     if LOCAL_BUCKET_DIR:
         log.info("Local mode — reading from %s", LOCAL_BUCKET_DIR)
     elif HF_TOKEN:
         log.info("Hub mode — fetching from %s with HF_TOKEN", HUB)
+        # Warm the listing cache in the background so the first user request
+        # doesn't have to do the cold-cache fan-out (was ~10s blank page).
+        async def _warm_cache():
+            try:
+                await asyncio.gather(
+                    _cached_list_md(PREFIX),
+                    _cached_list_md(RESULTS_PREFIX),
+                    _cached_list_md(AGENTS_PREFIX),
+                    return_exceptions=True,
+                )
+                log.info("Cache warm-up complete.")
+            except Exception as e:
+                log.warning("Cache warm-up failed: %s", e)
+        asyncio.create_task(_warm_cache())
     else:
         log.warning(
             "Neither LOCAL_BUCKET_DIR nor HF_TOKEN is set. /api/* will 401."
@@ -177,14 +195,28 @@ async def login(request: Request):
 
 @app.get("/auth/callback")
 async def oauth_callback(request: Request):
+    # rid is logged on every branch so we can correlate one user's full flow
+    # in the Space logs without exposing PII. Surfaced back via header for
+    # browser-side correlation.
+    rid = secrets.token_hex(4)
     error = request.query_params.get("error")
     if error:
+        log.warning("[oauth %s] provider error=%s desc=%s", rid, error, request.query_params.get("error_description", "")[:200])
         return RedirectResponse(f"/?login_error={error}")
     code = request.query_params.get("code")
     state = request.query_params.get("state")
-    if not code or not state or state != request.session.get("oauth_state"):
+    session_state = request.session.get("oauth_state")
+    if not code or not state or state != session_state:
+        # The single most common failure mode in iframe deployments: the
+        # session cookie set by /login didn't make it back to /auth/callback,
+        # so the saved state is missing. Log enough to tell which it is.
+        log.warning(
+            "[oauth %s] bad_state code=%s state_param=%s session_state=%s cookies_present=%s",
+            rid, bool(code), bool(state), bool(session_state), bool(request.cookies),
+        )
         return RedirectResponse("/?login_error=bad_state")
     if not (OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET):
+        log.warning("[oauth %s] server_unconfigured", rid)
         return RedirectResponse("/?login_error=server_unconfigured")
 
     # Use a fresh client so we don't inherit `Authorization: Bearer HF_TOKEN`
@@ -204,10 +236,11 @@ async def oauth_callback(request: Request):
                 headers={"Accept": "application/json"},
             )
             if not token_resp.is_success:
-                log.warning("OAuth token exchange failed: %s %s", token_resp.status_code, token_resp.text[:200])
+                log.warning("[oauth %s] token_exchange status=%s body=%s", rid, token_resp.status_code, token_resp.text[:300])
                 return RedirectResponse("/?login_error=token_exchange")
             access_token = token_resp.json().get("access_token")
             if not access_token:
+                log.warning("[oauth %s] no_token body=%s", rid, token_resp.text[:200])
                 return RedirectResponse("/?login_error=no_token")
 
             me_resp = await oauth_client.get(
@@ -215,15 +248,18 @@ async def oauth_callback(request: Request):
                 headers={"Authorization": f"Bearer {access_token}"},
             )
         if not me_resp.is_success:
+            log.warning("[oauth %s] whoami status=%s body=%s", rid, me_resp.status_code, me_resp.text[:200])
             return RedirectResponse("/?login_error=whoami")
         me = me_resp.json()
         username = me.get("name") or me.get("preferred_username")
         if not username:
+            log.warning("[oauth %s] no_username keys=%s", rid, sorted(me.keys()))
             return RedirectResponse("/?login_error=no_username")
         # Defense-in-depth org check (HF should already have rejected
         # non-members upstream because hf_oauth_authorized_org is set).
         org_names = {o.get("name") for o in (me.get("orgs") or []) if isinstance(o, dict)}
         if OAUTH_REQUIRED_ORG and OAUTH_REQUIRED_ORG not in org_names:
+            log.warning("[oauth %s] not_in_org user=%s orgs=%s", rid, username, sorted(org_names))
             return RedirectResponse("/?login_error=not_in_org")
 
         request.session["user"] = username
@@ -233,9 +269,10 @@ async def oauth_callback(request: Request):
         request.session["access_token"] = access_token
         request.session.pop("oauth_state", None)
         next_url = request.session.pop("oauth_next", "/")
+        log.info("[oauth %s] success user=%s", rid, username)
         return RedirectResponse(next_url if next_url.startswith("/") else "/")
     except Exception as e:
-        log.warning("OAuth callback error: %s", e)
+        log.warning("[oauth %s] exception %s: %s", rid, type(e).__name__, e)
         return RedirectResponse("/?login_error=exception")
 
 
@@ -312,32 +349,63 @@ async def _list_md_hub(prefix: str) -> list[dict[str, str]]:
     return [r for r in results if r is not None]
 
 
+# ──────────────────────────────────────────────────────────────
+# Listing cache
+#
+# Each /api/messages call fans out ~100+ HTTP GETs to the Hub, which costs
+# ~10s on a cold CDN cache. The frontend polls every 30s and multiple users
+# may be open at once, so we put a short in-process TTL cache in front of
+# every listing endpoint. Single-flight via per-prefix asyncio.Lock prevents
+# the thundering herd of concurrent first-time loads from each issuing
+# their own fan-out.
+# ──────────────────────────────────────────────────────────────
+LIST_CACHE_TTL = float(os.environ.get("LIST_CACHE_TTL", "20.0"))
+_list_cache: dict[str, tuple[float, list[dict[str, str]]]] = {}
+_list_locks: dict[str, asyncio.Lock] = {}
+
+
+async def _cached_list_md(prefix: str) -> list[dict[str, str]]:
+    if LOCAL_BUCKET_DIR:
+        # Filesystem reads are instant; no cache needed.
+        return _list_md_local(prefix)
+    now = time.monotonic()
+    cached = _list_cache.get(prefix)
+    if cached and (now - cached[0]) < LIST_CACHE_TTL:
+        return cached[1]
+    lock = _list_locks.setdefault(prefix, asyncio.Lock())
+    async with lock:
+        # Re-check under the lock — another coroutine may have refreshed
+        # the cache while we were waiting.
+        cached = _list_cache.get(prefix)
+        if cached and (time.monotonic() - cached[0]) < LIST_CACHE_TTL:
+            return cached[1]
+        items = await _list_md_hub(prefix)
+        _list_cache[prefix] = (time.monotonic(), items)
+        return items
+
+
+def _invalidate_list_cache(prefix: str) -> None:
+    _list_cache.pop(prefix, None)
+
+
 # ──────────────────────────────────────────────────────────────
 # /api/messages and /api/results
 # ──────────────────────────────────────────────────────────────
 @app.get("/api/messages")
 async def messages() -> dict[str, Any]:
-    items = _list_md_local(PREFIX) if LOCAL_BUCKET_DIR else await _list_md_hub(PREFIX)
+    items = await _cached_list_md(PREFIX)
     return {"items": items, "count": len(items)}
 
 
 @app.get("/api/results")
 async def results() -> dict[str, Any]:
-    items = (
-        _list_md_local(RESULTS_PREFIX)
-        if LOCAL_BUCKET_DIR
-        else await _list_md_hub(RESULTS_PREFIX)
-    )
+    items = await _cached_list_md(RESULTS_PREFIX)
     return {"items": items, "count": len(items)}
 
 
 @app.get("/api/agents")
 async def agents() -> dict[str, Any]:
-    items = (
-        _list_md_local(AGENTS_PREFIX)
-        if LOCAL_BUCKET_DIR
-        else await _list_md_hub(AGENTS_PREFIX)
-    )
+    items = await _cached_list_md(AGENTS_PREFIX)
     return {"items": items, "count": len(items)}
 
 
@@ -431,6 +499,9 @@ async def post_message(post: MessagePost, request: Request) -> dict[str, Any]:
         except Exception as e:
             log.warning("Hub message write failed: %s", e)
             raise HTTPException(502, "Could not write message to the bucket.") from e
+    # Bust the cache so other users see this message on their next poll
+    # rather than waiting for the TTL.
+    _invalidate_list_cache(PREFIX)
     return {"item": {"filename": filename, "content": content}}
 
 

static/index.html

@@ -1685,6 +1685,32 @@ refreshBtn.addEventListener('click', async () => {
 let postingMessage = false;
 let me = { logged_in: false };  // populated by /api/me on init
 
+// Surface OAuth callback errors. /auth/callback redirects to /?login_error=X
+// when something fails. We pull it out on boot, clean the URL, and show it
+// in the composer status until the user attempts another login.
+const LOGIN_ERROR_HINTS = {
+  bad_state: 'session cookie was lost between /login and /auth/callback (often Safari/iframe third-party cookie blocking)',
+  token_exchange: 'HF rejected the OAuth code exchange',
+  no_token: 'HF returned no access_token',
+  whoami: 'could not fetch your HF profile after login',
+  no_username: 'HF profile had no username',
+  not_in_org: 'your account is not a member of ml-intern-explorers',
+  exception: 'unexpected server error during login',
+  server_unconfigured: 'OAuth is not configured on this Space',
+  access_denied: 'you cancelled the authorization screen',
+};
+let lastLoginError = '';
+(() => {
+  const params = new URLSearchParams(window.location.search);
+  const err = params.get('login_error');
+  if (err) {
+    lastLoginError = err;
+    params.delete('login_error');
+    const qs = params.toString();
+    history.replaceState({}, '', window.location.pathname + (qs ? `?${qs}` : '') + window.location.hash);
+  }
+})();
+
 function setComposerStatus(html = '', isError = false) {
   composerStatus.innerHTML = html;
   composerStatus.classList.toggle('error', isError);
@@ -1698,7 +1724,16 @@ function syncComposerState() {
     sendBtn.classList.add('login');
     sendBtn.textContent = 'Log in to post a message';
     humanMessageInput.disabled = true;
-    setComposerStatus('Sign in with Hugging Face — only members of <strong>ml-intern-explorers</strong> can post.');
+    if (lastLoginError) {
+      const hint = LOGIN_ERROR_HINTS[lastLoginError] || lastLoginError;
+      setComposerStatus(
+        `<strong>Login failed:</strong> ${escapeHtml(hint)}. ` +
+        `Try again, or open the dashboard directly at <a href="${window.location.origin}" target="_top">${escapeHtml(window.location.host)}</a>.`,
+        true,
+      );
+    } else {
+      setComposerStatus('Sign in with Hugging Face — only members of <strong>ml-intern-explorers</strong> can post.');
+    }
     return;
   }
   sendBtn.classList.remove('login');
@@ -1724,11 +1759,33 @@ async function refreshMe() {
 humanMessageInput.addEventListener('input', syncComposerState);
 clearQuoteBtn.addEventListener('click', clearPendingQuote);
 
+// When the dashboard runs inside the huggingface.co/spaces/... iframe, the
+// Space cookies are "third-party". Modern browsers (Safari ITP especially)
+// drop those cookies, breaking session-based auth. Navigating the *top*
+// frame to /login means the entire OAuth round-trip happens at *.hf.space
+// as a first-party context, so the session cookie sticks for everyone.
+function startLogin() {
+  const loginUrl = window.location.origin + '/login';
+  if (window.self !== window.top) {
+    // Cross-origin parents allow child frames to *write* top.location.href
+    // (the read is what's blocked), so this works even from inside HF's
+    // iframe. After OAuth, the user lands at *.hf.space top-level.
+    try {
+      window.top.location.href = loginUrl;
+      return;
+    } catch {
+      // Fall through to same-frame nav if the parent has unusual policies.
+    }
+  }
+  window.location.href = loginUrl;
+}
+
 messageComposer.addEventListener('submit', async e => {
   e.preventDefault();
   if (!me.logged_in) {
     // Treat the button as a login CTA when logged out.
-    window.location.href = '/login';
+    lastLoginError = '';  // user is retrying; clear any stale banner
+    startLogin();
     return;
   }
   const body = humanMessageInput.value.trim();