Upload app.py with huggingface_hub

app.py

@@ -108,8 +108,13 @@ app.add_middleware(
     secret_key=SESSION_SECRET,
     session_cookie="hp_session",
     max_age=60 * 60 * 24 * 30,  # 30 days
-    https_only=False,           # works in local dev; HF terminates TLS upstream
-    same_site="lax",
+    # On HF Spaces the dashboard runs inside an iframe at huggingface.co, so
+    # the Space's own cookies are "cross-site" relative to the parent page.
+    # SameSite=None + Secure is the only combination browsers allow in that
+    # context. We toggle based on OAuth being configured (i.e. deployed to a
+    # real Space) so local dev keeps working over plain HTTP.
+    same_site="none" if OAUTH_CLIENT_ID else "lax",
+    https_only=bool(OAUTH_CLIENT_ID),
 )