"""
HuggingFace Space Authentication
Authentication middleware for HuggingFace Space API endpoints
CRITICAL RULES:
- Verify HF_TOKEN from environment
- Return error if token missing or invalid
- NO bypass - authentication is REQUIRED
"""
import hmac
import logging
import os
from typing import Optional, Union

from fastapi import Header, HTTPException, Security, status
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
logger = logging.getLogger(__name__)

# Expected API token, read once at import time (HUGGINGFACE_TOKEN is the
# fallback name). A process restart is needed to pick up a changed value.
HF_TOKEN_ENV = os.getenv("HF_TOKEN") or os.getenv("HUGGINGFACE_TOKEN")

# TEST_MODE disables authentication entirely (see verify_hf_token). Only the
# string "true" (case-insensitive) enables it; anything else leaves it off.
TEST_MODE = (os.getenv("TEST_MODE", "false").lower() == "true")

if TEST_MODE:
    # Loud banner at startup so an accidental TEST_MODE deployment is visible
    # in the logs before any request is served.
    logger.warning("=" * 80)
    logger.warning("🧪 TEST MODE ACTIVE - Authentication bypass enabled!")
    logger.warning(" Set TEST_MODE=false in production")
    logger.warning("=" * 80)

# Bearer scheme with auto_error=False so a missing or non-Bearer header is
# handed to verify_hf_token as None rather than being rejected automatically;
# verify_hf_token then issues its own 401 with a WWW-Authenticate header.
security = HTTPBearer(auto_error=False)
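def _extract_token(
    credentials: Optional[HTTPAuthorizationCredentials],
    authorization: Optional[str],
) -> Optional[str]:
    """Return the bearer token from parsed credentials or the raw header, else None."""
    if credentials:
        return credentials.credentials
    if not authorization:
        return None
    # Auth scheme names are case-insensitive (RFC 7235), so accept "bearer "
    # as well as "Bearer "; anything else is treated as the bare token.
    if authorization[:7].lower() == "bearer ":
        return authorization[7:]
    return authorization


async def verify_hf_token(
    credentials: Optional[HTTPAuthorizationCredentials] = Security(security),
    authorization: Optional[str] = Header(None),
) -> Union[bool, dict]:
    """
    Verify the caller's HuggingFace API token against HF_TOKEN.

    The token is taken from the Bearer credentials parsed by the ``security``
    scheme when available, otherwise from the raw ``Authorization`` header
    (with or without a ``Bearer `` prefix). The comparison against the
    configured token is constant-time.

    CRITICAL RULES:
    1. MUST check credentials from Bearer token OR Authorization header
    2. MUST compare with HF_TOKEN from environment
    3. MUST return 401 if token missing or invalid
    4. NO fake authentication - REAL token verification ONLY

    Args:
        credentials: Bearer credentials parsed by the ``security`` scheme, or
            None when the header is absent or not a Bearer scheme.
        authorization: Raw ``Authorization`` header value, used as a fallback
            when ``credentials`` is None.

    Returns:
        True when the token matches HF_TOKEN. When TEST_MODE is enabled a dict
        describing a synthetic test identity is returned instead and no token
        is inspected at all.

    Raises:
        HTTPException: 401 when no token is supplied, when HF_TOKEN is not
            configured on the server, or when the token does not match.
    """
    provided_token = _extract_token(credentials, authorization)

    # TEST_MODE short-circuits before any token is inspected: every caller,
    # with or without credentials, receives the synthetic identity below.
    # This is the only bypass and it is controlled solely by the TEST_MODE
    # environment variable read at import time.
    if TEST_MODE:
        logger.info("✅ TEST MODE: Authentication bypassed")
        return {
            "user_id": "test_user",
            "username": "test_user",
            "test_mode": True,
            "access_level": "full",
            "note": "TEST_MODE active - no real authentication",
        }

    if not provided_token:
        logger.warning("Authentication failed: No token provided")
        # The error body deliberately does not mention TEST_MODE: an
        # unauthenticated caller should not learn the name of the bypass
        # switch from a 401 response.
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail={
                "success": False,
                "error": "Authentication required. Please provide HF_TOKEN in Authorization header.",
                "source": "hf_engine",
            },
            headers={"WWW-Authenticate": "Bearer"},
        )

    if not HF_TOKEN_ENV:
        # Server-side misconfiguration. Kept as 401 to preserve the existing
        # status contract, but logged at ERROR so operators notice that no
        # request can ever authenticate.
        logger.error("HF_TOKEN not configured in environment")
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail={
                "success": False,
                "error": "HF_TOKEN not configured on server. Please set HF_TOKEN environment variable.",
                "source": "hf_engine",
            },
        )

    # Constant-time comparison so response timing does not reveal how many
    # leading bytes of a guess were correct. Both sides are encoded because
    # hmac.compare_digest rejects non-ASCII str arguments.
    expected = HF_TOKEN_ENV.encode("utf-8")
    if not hmac.compare_digest(provided_token.encode("utf-8"), expected):
        # Nothing derived from the submitted credential (not even its
        # length) goes to the log.
        logger.warning("Authentication failed: Invalid token provided")
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail={
                "success": False,
                "error": "Invalid authentication token",
                "source": "hf_engine",
            },
            headers={"WWW-Authenticate": "Bearer"},
        )

    logger.info("Authentication successful")
    return True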
async def optional_hf_token(
    credentials: Optional[HTTPAuthorizationCredentials] = Security(security),
    authorization: Optional[str] = Header(None),
) -> Optional[bool]:
    """
    Best-effort variant of verify_hf_token for endpoints usable without auth.

    Delegates to verify_hf_token and maps any HTTPException it raises to None.
    That covers a present-but-wrong token and a missing server-side HF_TOKEN
    as well as the "no token supplied" case, so callers cannot distinguish
    anonymous access from a failed authentication attempt here.

    Returns:
        Whatever verify_hf_token returns on success (True, or the TEST_MODE
        dict), and None when it raises HTTPException.
    """
    try:
        outcome = await verify_hf_token(credentials, authorization)
    except HTTPException:
        return None
    return outcome