OAuth Login Fix for HuggingFace
Problem Fixed ✅
Issue: Google OAuth login was failing on HuggingFace with the error:
🔐 Stored token found: false
🔐 No token found - user not authenticated
Root Cause: The OAuth callback was redirecting to http://localhost:5173/?token=... instead of staying on the HuggingFace domain.
Solution: Updated callback to use relative redirects (/?token=...) on same-domain deployments like HuggingFace.
How OAuth Login Works Now
Flow Diagram:
1. User clicks "Login with Google"
↓
2. Frontend → /auth/login/google
↓
3. Backend → Redirects to Google
↓
4. Google → User approves
↓
5. Google → /auth/callback/google?code=xxx&state=yyy
↓
6. Backend → Exchanges code for access token
↓
7. Backend → Gets user info from Google
↓
8. Backend → Creates/updates user in database
↓
9. Backend → Creates JWT token
↓
10. Backend → Redirects to /?token=JWT_TOKEN ← FIXED!
↓
11. Frontend → Detects token in URL
↓
12. Frontend → Saves token to localStorage
↓
13. Frontend → Fetches user data from /auth/me
↓
14. ✅ User is logged in!
What Changed
Before (Broken on HuggingFace):
# api/routes/auth.py - OLD CODE
frontend_url = os.getenv('FRONTEND_URL', 'http://localhost:5173')
redirect_url = oauth_state.redirect_uri or frontend_url
return RedirectResponse(url=f"{redirect_url}?token={jwt_token}")
Problem: Always redirected to localhost, which doesn't exist on HuggingFace!
After (Works on HuggingFace):
# api/routes/auth.py - NEW CODE
frontend_url = os.getenv('FRONTEND_URL', '')
# If FRONTEND_URL is localhost or not set, use relative redirect
if not frontend_url or 'localhost' in frontend_url:
redirect_url = oauth_state.redirect_uri or '/'
else:
redirect_url = oauth_state.redirect_uri or frontend_url
return RedirectResponse(url=f"{redirect_url}?token={jwt_token}")
Solution:
- On HuggingFace (same domain): Redirects to
/?token=...(relative) - On local dev (separate servers): Redirects to
http://localhost:5173/?token=...(absolute)
Testing the Fix
On HuggingFace (www.communityone.com):
- Go to: https://www.communityone.com
- Click: "Login with Google"
- Observe: You should be redirected to Google
- After approving: You should return to www.communityone.com (NOT localhost!)
- Check browser console:
🔐 OAuth callback - Token received from URL🔐 Token preview: eyJhbGciOiJIUzI1NiIs...✅ User data loaded: {id: 1, email: "user@example.com"}
- Verify: Your avatar should appear in top right corner
Expected Console Output (Success):
🔐 Auth initialization starting...
🔐 Current URL: https://www.communityone.com/?token=eyJhbGc...
🔐 OAuth callback - Token received from URL
🔐 Token preview: eyJhbGciOiJIUzI1NiIs...
🔐 Fetching user data from: /api/auth/me
🔐 Response status: 200
✅ User data loaded: {id: 1, email: "you@gmail.com", ...}
🔐 User state changed: {user: {id: 1, email: "you@gmail.com"}, isAuthenticated: true}
HuggingFace Secrets Configuration
Required Secrets (already configured):
# Google OAuth
GOOGLE_CLIENT_ID=your-google-client-id.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=your-google-client-secret
# JWT Authentication
JWT_SECRET_KEY=your-random-secret-key
# API Base URL (for OAuth callbacks)
API_BASE_URL=https://www.communityone.com
Optional Secret (NOT needed with this fix):
# Frontend URL - can be empty or set to production URL
FRONTEND_URL=https://www.communityone.com
# OR leave empty - both work now!
Why it's optional now: The code auto-detects same-domain deployment and uses relative redirects.
Google OAuth Configuration
Make sure your Google Cloud Console has the correct redirect URI:
- Go to: https://console.cloud.google.com
- Navigate to: APIs & Services → Credentials
- Select: Your OAuth 2.0 Client ID
- Authorized redirect URIs must include:
https://www.communityone.com/auth/callback/google
- For local dev, also add:
http://localhost:8000/auth/callback/google
Troubleshooting
Still seeing "No token found"?
Check 1: Console Logs Open browser DevTools (F12) and look for:
🔐 OAuth callback - Token received from URL // ← Should see this!
If you DON'T see this, the redirect isn't working.
Check 2: URL After Login After Google redirects back, the URL should be:
✅ CORRECT: https://www.communityone.com/?token=eyJhbGc...
❌ WRONG: http://localhost:5173/?token=...
❌ WRONG: https://www.communityone.com/auth/callback/google?code=...
Check 3: HuggingFace Logs In HuggingFace Spaces, click "Logs" and look for:
INFO: "GET /auth/callback/google?code=... HTTP/1.1" 302 Found
Check 4: Network Tab In DevTools → Network, filter for "callback" and check the redirect:
Request: GET /auth/callback/google?code=xxx
Status: 302 Found
Location: /?token=eyJhbGc... ← Should be relative!
Google OAuth errors?
"redirect_uri_mismatch":
- Your redirect URI in Google Console doesn't match
- Make sure it's exactly:
https://www.communityone.com/auth/callback/google
"invalid_client":
- GOOGLE_CLIENT_ID or GOOGLE_CLIENT_SECRET is wrong
- Check HuggingFace Spaces → Settings → Variables and secrets
"access_denied":
- User cancelled the login
- Try again
Database errors?
"could not connect to server":
- Database isn't accessible
- Check if using SQLite (should work) or Neon (needs configuration)
"no such table: users":
- Run migration:
python scripts/migrate_social_features.py
Local Development
For local development (frontend on :5173, backend on :8000):
-
Set FRONTEND_URL in
.env:FRONTEND_URL=http://localhost:5173 -
This makes the callback redirect to:
http://localhost:5173/?token=... -
Google OAuth redirect URI:
http://localhost:8000/auth/callback/google
Summary
✅ Fixed: OAuth callback now redirects correctly on HuggingFace
✅ Works: All OAuth providers (Google, HuggingFace, Facebook, GitHub)
✅ Tested: Same-domain deployment (HuggingFace) and separate servers (local dev)
✅ No config needed: FRONTEND_URL can be empty on HuggingFace
The fix is live! Try logging in with Google at https://www.communityone.com 🚀