Spaces:

seriousmountain
/

vercel-demo

Sleeping

tumberger commited on Aug 17, 2025

Commit

22da39f

1 Parent(s): 0836b60

Add security headers to allow Hugging Face iframe embedding

Files changed (3) hide show

app/(auth)/auth.config.ts CHANGED Viewed

@@ -10,32 +10,4 @@ export const authConfig = {
     // while this file is also used in non-Node.js environments
   ],
   callbacks: {},
-  cookies: {
-    sessionToken: {
-      name: `__Secure-next-auth.session-token`,
-      options: {
-        httpOnly: true,
-        sameSite: 'none',
-        path: '/',
-        secure: true,
-      },
-    },
-    callbackUrl: {
-      name: `__Secure-next-auth.callback-url`,
-      options: {
-        sameSite: 'none',
-        path: '/',
-        secure: true,
-      },
-    },
-    csrfToken: {
-      name: `__Host-next-auth.csrf-token`,
-      options: {
-        httpOnly: true,
-        sameSite: 'none',
-        path: '/',
-        secure: true,
-      },
-    },
-  },
 } satisfies NextAuthConfig;

     // while this file is also used in non-Node.js environments
   ],
   callbacks: {},
 } satisfies NextAuthConfig;

middleware.ts CHANGED Viewed

@@ -20,27 +20,15 @@ export async function middleware(request: NextRequest) {
   const token = await getToken({
     req: request,
     secret: process.env.AUTH_SECRET,
-    secureCookie: true,
-    cookieName: '__Secure-next-auth.session-token',
   });
   if (!token) {
     const redirectUrl = encodeURIComponent(request.url);
-    // Allow a few retries before redirecting to avoid loops
-    const retryCount = request.cookies.get('auth-retry')?.value || '0';
-    if (parseInt(retryCount) > 2) {
-      // Clear retry count and continue without auth
-      const response = NextResponse.next();
-      response.cookies.delete('auth-retry');
-      return response;
-    }
-    const response = NextResponse.redirect(
       new URL(`/api/auth/guest?redirectUrl=${redirectUrl}`, request.url),
     );
-    response.cookies.set('auth-retry', String(parseInt(retryCount) + 1));
-    return response;
   }
   const isGuest = guestRegex.test(token?.email ?? '');

   const token = await getToken({
     req: request,
     secret: process.env.AUTH_SECRET,
+    secureCookie: !isDevelopmentEnvironment,
   });
   if (!token) {
     const redirectUrl = encodeURIComponent(request.url);
+    return NextResponse.redirect(
       new URL(`/api/auth/guest?redirectUrl=${redirectUrl}`, request.url),
     );
   }
   const isGuest = guestRegex.test(token?.email ?? '');

next.config.ts CHANGED Viewed

@@ -12,6 +12,39 @@ const nextConfig: NextConfig = {
       },
     ],
   },
 };
 export default nextConfig;

       },
     ],
   },
+  async headers() {
+    return [
+      {
+        source: '/:path*',
+        headers: [
+          {
+            key: 'Content-Security-Policy',
+            value: 'frame-ancestors https://huggingface.co https://*.hf.space https://seriousmountain-vercel-demo.hf.space;',
+          },
+          {
+            key: 'X-Frame-Options',
+            value: 'ALLOWALL',
+          },
+          {
+            key: 'Access-Control-Allow-Origin',
+            value: 'https://huggingface.co',
+          },
+          {
+            key: 'Access-Control-Allow-Credentials',
+            value: 'true',
+          },
+          {
+            key: 'Access-Control-Allow-Methods',
+            value: 'GET, POST, PUT, DELETE, OPTIONS',
+          },
+          {
+            key: 'Access-Control-Allow-Headers',
+            value: 'X-Requested-With, Content-Type, Authorization',
+          },
+        ],
+      },
+    ];
+  },
 };
 export default nextConfig;