tfrere HF Staff Cursor commited on
Commit
c7010b3
·
1 Parent(s): 423399c

Fix OAuth: fallback to /auth/login when client-side OAuth unavailable

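--- a/frontend/src/components/WelcomeScreen/WelcomeScreen.tsx
+++ b/frontend/src/components/WelcomeScreen/WelcomeScreen.tsx
@@ -25,11 +25,8 @@ export default function WelcomeScreen() {
 
  // If no token stored, trigger OAuth login first
  if (!getStoredToken()) {
- try {
- await triggerLogin();
- } catch {
- setError('Could not open login page. Please try again.');
- }
+ await triggerLogin();
+ // If we're still here (popup opened, or redirect happening), just return
  return;
  }
 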
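Review bot: A failed login attempt is now silent in the `!getStoredToken()` branch, because the `try`/`catch` that called `setError('Could not open login page. Please try again.')` is removed and nothing replaces it. The new `triggerLogin()` in `frontend/src/hooks/useAuth.ts` calls `window.open(url, '_blank')` after an `await` and ignores the return value, so a blocked popup (a `null` return) leaves the user on the welcome screen with no message. I would keep the guard, `try { await triggerLogin(); } catch { setError('Could not open login page. Please try again.'); }`, and have `triggerLogin()` throw when `window.open` returns `null`. The enclosing handler starts and ends outside this hunk, so whether anything further up catches a rejection cannot be seen here.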
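--- a/frontend/src/hooks/useAuth.ts
+++ b/frontend/src/hooks/useAuth.ts
@@ -31,23 +31,35 @@ export function clearStoredToken(): void {
  }
 
  /** Redirect to HF OAuth login.
- * Uses window.open as fallback for iframe environments where
- * top-level navigation is blocked by sandbox restrictions. */
+ * Strategy:
+ * 1. Try @huggingface/hub client-side OAuth (works in HF iframe with window.huggingface)
+ * 2. Fall back to server-side /auth/login (works on direct access, handles cookies)
+ * 3. In iframe context, open in new tab to avoid cookie issues */
  export async function triggerLogin(): Promise<void> {
- const url = await oauthLoginUrl({
- scopes: 'openid profile read-repos write-repos manage-repos inference-api jobs',
- });
- // Try top-level navigation first; if we're in an iframe, open a new tab
+ let url: string;
+
  try {
- if (window.top !== window.self) {
- // We're in an iframe — open in parent or new tab
- window.open(url, '_blank');
- } else {
- window.location.href = url;
- }
+ // Client-side OAuth — needs window.huggingface (HF iframe only)
+ url = await oauthLoginUrl({
+ scopes: 'openid profile read-repos write-repos manage-repos inference-api jobs',
+ });
+ } catch {
+ // Fallback: server-side OAuth (works on direct access)
+ url = '/auth/login';
+ }
+
+ // In an iframe, open in a new tab (cookies blocked otherwise)
+ let inIframe = false;
+ try {
+ inIframe = window.top !== window.self;
  } catch {
- // SecurityError from cross-origin iframe — open in new tab
+ inIframe = true; // SecurityError = cross-origin iframe
+ }
+
+ if (inIframe) {
  window.open(url, '_blank');
+ } else {
+ window.location.href = url;
  }
  }
 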
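Review bot: The bare `catch` around `oauthLoginUrl(...)` treats every failure as "client-side OAuth unavailable" and silently switches the user to the server-side `/auth/login` flow, so a transient or configuration error changes which authentication path runs without leaving any trace. The two paths are not equivalent as written: the scopes string is passed only to the client-side call, and the doc comment says the server-side path "handles cookies" while `WelcomeScreen` gates on `getStoredToken()`. Whether a cookie-based login ever satisfies that check is not visible in this diff and should be confirmed. At minimum bind and log the error, `} catch (err) { console.warn('client-side OAuth unavailable, falling back to /auth/login', err); url = '/auth/login'; }`, and preferably fall back only on the specific unavailability condition. The doc comment should also state which scopes `/auth/login` requests, so the two flows can be compared in review.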