use oauth by default (#27)

competitions/app.py

@@ -4,14 +4,13 @@ import threading
 
 import requests
 from fastapi import FastAPI, File, Form, Request, UploadFile
-from fastapi.responses import HTMLResponse, JSONResponse, RedirectResponse
+from fastapi.responses import HTMLResponse, JSONResponse
 from fastapi.staticfiles import StaticFiles
 from fastapi.templating import Jinja2Templates
 from huggingface_hub import hf_hub_download
 from huggingface_hub.utils import disable_progress_bars
 from huggingface_hub.utils._errors import EntryNotFoundError
 from loguru import logger
-from pydantic import BaseModel
 
 from competitions import utils
 from competitions.errors import AuthenticationError
@@ -29,7 +28,6 @@ COMPETITION_ID = os.environ.get("COMPETITION_ID")
 OUTPUT_PATH = os.environ.get("OUTPUT_PATH", "/tmp/model")
 START_DATE = os.environ.get("START_DATE", "2000-12-31")
 DISABLE_PUBLIC_LB = int(os.environ.get("DISABLE_PUBLIC_LB", 0))
-USE_OAUTH = int(os.environ.get("USE_OAUTH", 1))
 VERSION_COMMIT_ID = os.environ.get("VERSION_COMMIT_ID", "0687567")
 
 disable_progress_bars()
@@ -50,28 +48,12 @@ if REQUIREMENTS_FNAME:
     utils.install_requirements(REQUIREMENTS_FNAME)
 
 
-class UserTeamNameUpdate(BaseModel):
-    user_token: str
-    new_team_name: str
-
-
-class User(BaseModel):
-    user_token: str
-
-
-class UserLB(BaseModel):
-    user_token: str
-    lb: str
-
-
-class UserSubmissionUpdate(BaseModel):
-    user_token: str
-    submission_ids: str
-
-
 def run_job_runner():
-    competition_info = CompetitionInfo(competition_id=COMPETITION_ID, autotrain_token=HF_TOKEN)
-    job_runner = JobRunner(token=HF_TOKEN, competition_info=competition_info, output_path=OUTPUT_PATH)
+    job_runner = JobRunner(
+        competition_id=COMPETITION_ID,
+        token=HF_TOKEN,
+        output_path=OUTPUT_PATH,
+    )
     job_runner.run()
 
 
@@ -80,8 +62,7 @@ thread.start()
 
 
 app = FastAPI()
-if USE_OAUTH == 1:
-    attach_oauth(app)
+attach_oauth(app)
 
 static_path = os.path.join(BASE_DIR, "static")
 app.mount("/static", StaticFiles(directory=static_path), name="static")
@@ -109,13 +90,20 @@ async def read_form(request: Request):
     return templates.TemplateResponse("index.html", context)
 
 
-@app.get("/oauth_login", response_class=HTMLResponse)
-async def oauth_login(request: Request):
-    return RedirectResponse("/login/huggingface")
+@app.get("/login_status", response_class=JSONResponse)
+async def use_oauth(request: Request):
+    if request.session.get("oauth_info") is not None:
+        try:
+            utils.user_authentication(request.session.get("oauth_info")["access_token"])
+            return {"response": 2}
+        except requests.exceptions.JSONDecodeError:
+            request.session.pop("oauth_info", None)
+            return {"response": 1}
+    return {"response": 1}
 
 
 @app.get("/logout", response_class=HTMLResponse)
-async def oauth_logout(request: Request):
+async def user_logout(request: Request):
     """Endpoint that logs out the user (e.g. delete cookie session)."""
     request.session.pop("oauth_info", None)
     competition_info = CompetitionInfo(competition_id=COMPETITION_ID, autotrain_token=HF_TOKEN)
@@ -123,29 +111,17 @@ async def oauth_logout(request: Request):
         "request": request,
         "logo": competition_info.logo_url,
         "competition_type": competition_info.competition_type,
+        "version_commit_id": VERSION_COMMIT_ID[:7],
+        "rules_available": competition_info.rules is not None,
     }
 
     return templates.TemplateResponse("index.html", context)
 
 
-@app.get("/use_oauth", response_class=JSONResponse)
-async def use_oauth(request: Request):
-    if USE_OAUTH == 1:
-        if request.session.get("oauth_info") is not None:
-            try:
-                utils.user_authentication(request.session.get("oauth_info")["access_token"])
-                return {"response": 2}
-            except requests.exceptions.JSONDecodeError:
-                request.session.pop("oauth_info", None)
-                return {"response": USE_OAUTH}
-    return {"response": USE_OAUTH}
-
-
 @app.get("/competition_info", response_class=JSONResponse)
 async def get_comp_info(request: Request):
     competition_info = CompetitionInfo(competition_id=COMPETITION_ID, autotrain_token=HF_TOKEN)
     info = competition_info.competition_desc
-    # info = markdown.markdown(info)
     resp = {"response": info}
     return resp
 
@@ -154,7 +130,6 @@ async def get_comp_info(request: Request):
 async def get_dataset_info(request: Request):
     competition_info = CompetitionInfo(competition_id=COMPETITION_ID, autotrain_token=HF_TOKEN)
     info = competition_info.dataset_desc
-    # info = markdown.markdown(info)
     resp = {"response": info}
     return resp
 
@@ -171,21 +146,22 @@ async def get_rules(request: Request):
 async def get_submission_info(request: Request):
     competition_info = CompetitionInfo(competition_id=COMPETITION_ID, autotrain_token=HF_TOKEN)
     info = competition_info.submission_desc
-    # info = markdown.markdown(info)
     resp = {"response": info}
     return resp
 
 
 @app.post("/leaderboard", response_class=JSONResponse)
-async def fetch_leaderboard(request: Request, user_lb: UserLB):
-    if USE_OAUTH == 1:
-        if request.session.get("oauth_info") is not None:
-            user_lb.user_token = request.session.get("oauth_info")["access_token"]
+async def fetch_leaderboard(request: Request, lb: str):
+    if request.session.get("oauth_info") is not None:
+        user_token = request.session.get("oauth_info").get("access_token")
 
     comp_org = COMPETITION_ID.split("/")[0]
-    is_user_admin = utils.is_user_admin(user_lb.user_token, comp_org)
+    if user_token is not None:
+        is_user_admin = utils.is_user_admin(user_token, comp_org)
+    else:
+        is_user_admin = False
 
-    if DISABLE_PUBLIC_LB == 1 and user_lb.lb == "public" and not is_user_admin:
+    if DISABLE_PUBLIC_LB == 1 and lb == "public" and not is_user_admin:
         return {"response": "Public leaderboard is disabled by the competition host."}
 
     competition_info = CompetitionInfo(competition_id=COMPETITION_ID, autotrain_token=HF_TOKEN)
@@ -197,11 +173,11 @@ async def fetch_leaderboard(request: Request, user_lb: UserLB):
         token=HF_TOKEN,
         scoring_metric=competition_info.scoring_metric,
     )
-    if user_lb.lb == "private":
+    if lb == "private":
         current_utc_time = datetime.datetime.now()
         if current_utc_time < competition_info.end_date and not is_user_admin:
             return {"response": "Private leaderboard will be available after the competition ends."}
-    df = leaderboard.fetch(private=user_lb.lb == "private")
+    df = leaderboard.fetch(private=lb == "private")
 
     if len(df) == 0:
         return {"response": "No teams yet. Why not make a submission?"}
@@ -210,10 +186,12 @@ async def fetch_leaderboard(request: Request, user_lb: UserLB):
 
 
 @app.post("/my_submissions", response_class=JSONResponse)
-async def my_submissions(request: Request, user: User):
-    if USE_OAUTH == 1:
-        if request.session.get("oauth_info") is not None:
-            user.user_token = request.session.get("oauth_info")["access_token"]
+async def my_submissions(request: Request):
+    if request.session.get("oauth_info") is not None:
+        user_token = request.session.get("oauth_info")["access_token"]
+    else:
+        user_token = "abc"
+
     competition_info = CompetitionInfo(competition_id=COMPETITION_ID, autotrain_token=HF_TOKEN)
     sub = Submissions(
         end_date=competition_info.end_date,
@@ -224,13 +202,13 @@ async def my_submissions(request: Request, user: User):
         hardware=competition_info.hardware,
     )
     try:
-        subs = sub.my_submissions(user.user_token)
+        subs = sub.my_submissions(user_token)
     except AuthenticationError:
         return {
             "response": {
                 "submissions": "",
                 "submission_text": SUBMISSION_TEXT.format(competition_info.submission_limit),
-                "error": "**Invalid token**",
+                "error": "**Invalid token. Please login.**",
                 "team_name": "",
             }
         }
@@ -243,7 +221,7 @@ async def my_submissions(request: Request, user: User):
     submission_text = SUBMISSION_TEXT.format(competition_info.submission_limit)
     submission_selection_text = SUBMISSION_SELECTION_TEXT.format(competition_info.selection_limit)
 
-    team_name = utils.get_team_name(user.user_token, COMPETITION_ID, HF_TOKEN)
+    team_name = utils.get_team_name(user_token, COMPETITION_ID, HF_TOKEN)
 
     resp = {
         "response": {
@@ -261,15 +239,15 @@ async def new_submission(
     request: Request,
     submission_file: UploadFile = File(None),
     hub_model: str = Form(...),
-    token: str = Form(None),
     submission_comment: str = Form(None),
 ):
     if submission_comment is None:
         submission_comment = ""
 
-    if USE_OAUTH == 1:
-        if request.session.get("oauth_info") is not None:
-            token = request.session.get("oauth_info")["access_token"]
+    if request.session.get("oauth_info") is not None:
+        token = request.session.get("oauth_info")["access_token"]
+    else:
+        token = None
 
     if token is None:
         return {"response": "Invalid token"}
@@ -303,10 +281,11 @@ async def new_submission(
 
 
 @app.post("/update_selected_submissions", response_class=JSONResponse)
-def update_selected_submissions(request: Request, user_sub: UserSubmissionUpdate):
-    if USE_OAUTH == 1:
-        if request.session.get("oauth_info") is not None:
-            user_sub.user_token = request.session.get("oauth_info")["access_token"]
+def update_selected_submissions(request: Request, submission_ids: str):
+    if request.session.get("oauth_info") is not None:
+        user_token = request.session.get("oauth_info")["access_token"]
+    else:
+        return {"success": False, "error": "Invalid token"}
 
     competition_info = CompetitionInfo(competition_id=COMPETITION_ID, autotrain_token=HF_TOKEN)
     sub = Submissions(
@@ -317,25 +296,29 @@ def update_selected_submissions(request: Request, user_sub: UserSubmissionUpdate
         competition_type=competition_info.competition_type,
         hardware=competition_info.hardware,
     )
-    submission_ids = user_sub.submission_ids.split(",")
+    submission_ids = submission_ids.split(",")
     submission_ids = [s.strip() for s in submission_ids]
     if len(submission_ids) > competition_info.selection_limit:
         return {
             "success": False,
             "error": f"Please select at most {competition_info.selection_limit} submissions.",
         }
-    sub.update_selected_submissions(user_token=user_sub.user_token, selected_submission_ids=submission_ids)
+    sub.update_selected_submissions(user_token=user_token, selected_submission_ids=submission_ids)
     return {"success": True, "error": ""}
 
 
 @app.post("/update_team_name", response_class=JSONResponse)
-def update_team_name(request: Request, user_team: UserTeamNameUpdate):
-    if USE_OAUTH == 1:
-        if request.session.get("oauth_info") is not None:
-            user_team.user_token = request.session.get("oauth_info")["access_token"]
+def update_team_name(request: Request, new_team_name: str):
+    if request.session.get("oauth_info") is not None:
+        user_token = request.session.get("oauth_info")["access_token"]
+    else:
+        return {"success": False, "error": "Invalid token"}
+
+    if str(new_team_name).strip() == "":
+        return {"success": False, "error": "Team name cannot be empty."}
 
     try:
-        utils.update_team_name(user_team.user_token, user_team.new_team_name, COMPETITION_ID, HF_TOKEN)
+        utils.update_team_name(user_token, new_team_name, COMPETITION_ID, HF_TOKEN)
         return {"success": True, "error": ""}
     except Exception as e:
         return {"success": False, "error": str(e)}

competitions/create.py

@@ -253,7 +253,6 @@ def _create(
         private=True,
     )
     api.add_space_secret(repo_id=f"{organization}/{competition_name}", key="HF_TOKEN", value=user_token)
-    api.add_space_secret(repo_id=f"{organization}/{competition_name}", key="USE_OAUTH", value="1")
     api.add_space_secret(
         repo_id=f"{organization}/{competition_name}",
         key="COMPETITION_ID",

competitions/oauth.py

@@ -25,10 +25,7 @@ RANDOM_STRING = "".join(random.choices(string.ascii_letters + string.digits, k=2
 
 
 def attach_oauth(app: fastapi.FastAPI):
-    if os.environ.get("SPACE_ID") is not None and int(os.environ.get("USE_OAUTH", 0)) == 1:
-        _add_oauth_routes(app)
-    else:
-        return
+    _add_oauth_routes(app)
     # Session Middleware requires a secret key to sign the cookies. Let's use a hash
     # of the OAuth secret key to make it unique to the Space + updated in case OAuth
     # config gets updated.
@@ -86,8 +83,21 @@ def _add_oauth_routes(app: fastapi.FastAPI) -> None:
         try:
             oauth_info = await oauth.huggingface.authorize_access_token(request)  # type: ignore
         except MismatchingStateError:
-            print("Session dict:", dict(request.session))
-            raise
+            # If the state mismatch, it is very likely that the cookie is corrupted.
+            # There is a bug reported in authlib that causes the token to grow indefinitely if the user tries to login
+            # repeatedly. Since cookies cannot get bigger than 4kb, the token will be truncated at some point - hence
+            # losing the state. A workaround is to delete the cookie and redirect the user to the login page again.
+            # See https://github.com/lepture/authlib/issues/622 for more details.
+            login_uri = "/login/huggingface"
+            if "_target_url" in request.query_params:
+                login_uri += "?" + urllib.parse.urlencode(  # Keep same _target_url as before
+                    {"_target_url": request.query_params["_target_url"]}
+                )
+            for key in list(request.session.keys()):
+                # Delete all keys that are related to the OAuth state
+                if key.startswith("_state_huggingface"):
+                    request.session.pop(key)
+            return RedirectResponse(login_uri)
         request.session["oauth_info"] = oauth_info
         return _redirect_to_target(request)
 

competitions/runner.py

@@ -26,11 +26,12 @@ _DOCKERFILE = _DOCKERFILE.replace("\n", " ").replace("  ", "\n").strip()
 
 @dataclass
 class JobRunner:
-    competition_info: CompetitionInfo
+    competition_id: str
     token: str
     output_path: str
 
     def __post_init__(self):
+        self.competition_info = CompetitionInfo(competition_id=self.competition_id, autotrain_token=self.token)
         self.competition_id = self.competition_info.competition_id
         self.competition_type = self.competition_info.competition_type
         self.metric = self.competition_info.metric

competitions/templates/index.html

@@ -70,10 +70,8 @@
                 const articleLoadingSpinner = document.getElementById('articleLoadingSpinner');
                 articleLoadingSpinner.classList.remove('hidden');
 
-                const userToken = document.getElementById('user_token').value;
                 const payload = {
                     lb: leaderboardType,
-                    user_token: userToken
                 };
 
                 fetch('/leaderboard', {
@@ -109,7 +107,6 @@
             }
 
             function fetchAndDisplaySubmissions() {
-                const userToken = document.getElementById('user_token').value;
                 const apiEndpoint = '/my_submissions';
                 const articleLoadingSpinner = document.getElementById('articleLoadingSpinner');
                 articleLoadingSpinner.classList.remove('hidden');
@@ -118,8 +115,7 @@
                     method: 'POST',
                     headers: {
                         'Content-Type': 'application/json',
-                    },
-                    body: JSON.stringify({ "user_token": userToken })
+                    }
                 };
 
                 fetch(apiEndpoint, requestOptions)
@@ -160,10 +156,10 @@
                             // add a text field which displays team name and a button to update team name
                             contentDiv.innerHTML = marked.parse(data.response.submission_text) + tableHTML;
                             document.getElementById('updateSelectedSubmissionsButton').addEventListener('click', function () {
-                                updateSelectedSubmissions(userToken);
+                                updateSelectedSubmissions();
                             });
                             document.getElementById('updateTeamNameButton').addEventListener('click', function () {
-                                updateTeamName(userToken);
+                                updateTeamName();
                             });
                         } else {
                             // Display message if there are no submissions
@@ -201,7 +197,6 @@
 
             function fetchAndDisplayTeamInfo() {
                 const apiEndpoint = '/team_info';
-                const userToken = document.getElementById('user_token').value;
                 const articleLoadingSpinner = document.getElementById('articleLoadingSpinner');
                 articleLoadingSpinner.classList.remove('hidden');
 
@@ -209,8 +204,7 @@
                     method: 'POST',
                     headers: {
                         'Content-Type': 'application/json',
-                    },
-                    body: JSON.stringify({ "user_token": userToken })
+                    }
                 };
                 fetch(apiEndpoint, requestOptions)
                     .then(response => {
@@ -332,20 +326,17 @@
         }
 
         function checkOAuth() {
-            var url = "/use_oauth";
+            var url = "/login_status";
             makeApiRequest(url, function (response) {
                 if (response === 1) {
-                    document.getElementById("userToken").style.display = "none";
                     document.getElementById("loginButton").style.display = "block";
                     document.getElementById("logoutButton").style.display = "none";
                 } else if (response === 2) {
-                    document.getElementById("userToken").style.display = "none";
                     document.getElementById("loginButton").style.display = "none";
                     document.getElementById("logoutButton").style.display = "block";
                 }
             });
         }
-
         window.onload = checkOAuth;
     </script>
 </head>
@@ -463,13 +454,6 @@
                         </li>
                     </ul>
                 </li>
-                <li id="userToken">
-                    <label for="user_token" class="text-xs font-medium">Hugging Face <a
-                            href="https://huggingface.co/settings/tokens" target="_blank">Token</a> (read-only)
-                    </label>
-                    <input type="password" name="user_token" id="user_token"
-                        class="mt-1 block w-full border border-gray-300 px-3 py-1.5 bg-white rounded-md shadow-sm focus:outline-none focus:ring-indigo-500 focus:border-indigo-500">
-                </li>
                 <li id="loginButton" style="display: none;">
                     <a href="/login/huggingface" target="_blank"
                         class="flex bg-blue-500 hover:bg-blue-700 text-white text-center font-bold py-2 px-4 rounded">Login
@@ -589,9 +573,6 @@
                 return;
             }
 
-            var token = document.getElementById('user_token').value;
-            formData.append('token', token);
-
             var submissionComment = document.getElementById('submission_comment').value;
             formData.append('submission_comment', submissionComment);
 
@@ -615,7 +596,7 @@
 </script>
 
 <script>
-    function updateSelectedSubmissions(userToken) {
+    function updateSelectedSubmissions() {
         const selectedSubmissions = document.querySelectorAll('input[name="selectedSubmissions"]:checked');
         const articleLoadingSpinner = document.getElementById('articleLoadingSpinner');
         articleLoadingSpinner.classList.remove('hidden');
@@ -631,7 +612,6 @@
                 'Content-Type': 'application/json',
             },
             body: JSON.stringify({
-                "user_token": userToken,
                 "submission_ids": selectedSubmissionIds.join(',')
             })
         };
@@ -664,7 +644,7 @@
 </script>
 
 <script>
-    function updateTeamName(userToken) {
+    function updateTeamName() {
         const teamName = document.getElementById('team_name').value;
         const articleLoadingSpinner = document.getElementById('articleLoadingSpinner');
         articleLoadingSpinner.classList.remove('hidden');
@@ -676,7 +656,6 @@
                 'Content-Type': 'application/json',
             },
             body: JSON.stringify({
-                "user_token": userToken,
                 "new_team_name": teamName
             })
         };