feat(auth): add Hugging Face OAuth access control

- [docs] Add documentation for Hugging Face OAuth configuration and allowed organizations (README.md:6,44-45,240-244)
- [feat] Add Gradio LoginButton and import Gradio (app.py:5,27-28)
- [feat] Integrate OAuth token handling and organization access checks into chat submission and retry functions (chat_handler.py:5,17-18,170,175-182,199,204-211)
- [feat] Integrate OAuth token handling and organization access checks into image generation functions (image_handler.py:5,18-19,279,284-288,309,314-318)
- [feat] Integrate OAuth token handling and organization access checks into text-to-speech generation (tts_handler.py:5,19-20,156,161-165)
- [feat] Add utility functions for parsing allowed organizations, fetching Hugging Face identity, checking organization access, and formatting access denied messages (utils.py:6,231-237,241-257,260-276,279-281)

README.md

@@ -6,6 +6,7 @@ colorTo: blue
 sdk: gradio
 app_file: app.py
 pinned: false
+hf_oauth: true
 ---
 
 # 🚀 HF-Inferoxy AI Hub
@@ -44,6 +45,9 @@ Add the following secrets to your HuggingFace Space:
 - **Key**: `PROXY_URL`
 - **Value**: Your HF-Inferoxy proxy server URL (e.g., `https://hf-proxy.example.com`)
 
+- **Key**: `ALLOWED_ORGS`
+- **Value**: Comma- or space-separated list of org names allowed to use this Space (e.g., `acme, acme-research`)
+
 ### 2. HF-Inferoxy Server
 
 The app will use the HF-Inferoxy server URL specified in the `PROXY_URL` secret.
@@ -240,6 +244,11 @@ Prompt: "Help me debug this Python code: [paste code]"
 
 ## 🔒 Security & Authentication
 
+### Hugging Face OAuth (no inference scope)
+- Login is required. The app uses Hugging Face OAuth and automatically injects an access token.
+- We do not request the `inference-api` scope; the token is used only to call `whoami-v2` to verify org membership.
+- Inference calls continue to use tokens provisioned by your HF-Inferoxy proxy.
+
 ### RBAC System
 - All operations require authentication with the HF-Inferoxy proxy server
 - API keys are managed securely through HuggingFace Space secrets

app.py

@@ -23,6 +23,9 @@ def create_app():
     
     # Create the main Gradio interface with tabs
     with gr.Blocks(title="HF-Inferoxy AI Hub", theme=get_gradio_theme()) as demo:
+        # Sidebar with HF OAuth login/logout
+        with gr.Sidebar():
+            gr.LoginButton()
         
         # Main header
         create_main_header()

chat_handler.py

@@ -4,6 +4,7 @@ Handles chat completion requests with streaming responses.
 """
 
 import os
+import gradio as gr
 import time
 import threading
 from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeoutError
@@ -14,7 +15,9 @@ from hf_token_utils import get_proxy_token, report_token_status
 from utils import (
     validate_proxy_key, 
     parse_model_and_provider, 
-    format_error_message
+    format_error_message,
+    check_org_access,
+    format_access_denied_message
 )
 
 # Timeout configuration for inference requests
@@ -164,7 +167,7 @@ def chat_respond(
         yield format_error_message("Unexpected Error", f"An unexpected error occurred: {error_msg}")
 
 
-def handle_chat_submit(message, history, system_msg, model_name, max_tokens, temperature, top_p):
+def handle_chat_submit(message, history, system_msg, model_name, max_tokens, temperature, top_p, hf_token: gr.OAuthToken = None):
     """
     Handle chat submission and manage conversation history with streaming.
     """
@@ -172,6 +175,16 @@ def handle_chat_submit(message, history, system_msg, model_name, max_tokens, tem
         yield history, ""
         return
     
+    # Enforce org-based access control via HF OAuth token
+    access_token = getattr(hf_token, "token", None) if hf_token is not None else None
+    is_allowed, access_msg, _username, _matched = check_org_access(access_token)
+    if not is_allowed:
+        # Show access denied as assistant message
+        assistant_response = format_access_denied_message(access_msg)
+        current_history = history + [{"role": "assistant", "content": assistant_response}]
+        yield current_history, ""
+        return
+    
     # Add user message to history
     history = history + [{"role": "user", "content": message}]
     
@@ -195,11 +208,20 @@ def handle_chat_submit(message, history, system_msg, model_name, max_tokens, tem
         yield current_history, ""
 
 
-def handle_chat_retry(history, system_msg, model_name, max_tokens, temperature, top_p, retry_data=None):
+def handle_chat_retry(history, system_msg, model_name, max_tokens, temperature, top_p, hf_token: gr.OAuthToken = None, retry_data=None):
     """
     Retry the assistant response for the selected message.
     Works with gr.Chatbot.retry() which provides retry_data.index for the message.
     """
+    # Enforce org-based access control via HF OAuth token
+    access_token = getattr(hf_token, "token", None) if hf_token is not None else None
+    is_allowed, access_msg, _username, _matched = check_org_access(access_token)
+    if not is_allowed:
+        # Show access denied as assistant message
+        assistant_response = format_access_denied_message(access_msg)
+        current_history = (history or []) + [{"role": "assistant", "content": assistant_response}]
+        yield current_history
+        return
     # Guard: empty history
     if not history:
         yield history

image_handler.py

@@ -4,6 +4,7 @@ Handles text-to-image generation with multiple providers.
 """
 
 import os
+import gradio as gr
 import time
 import threading
 from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeoutError
@@ -15,7 +16,9 @@ from utils import (
     IMAGE_CONFIG, 
     validate_proxy_key, 
     format_error_message, 
-    format_success_message
+    format_success_message,
+    check_org_access,
+    format_access_denied_message
 )
 
 # Timeout configuration for image generation
@@ -276,7 +279,7 @@ def generate_image_to_image(
         return None, format_error_message("Unexpected Error", f"An unexpected error occurred: {error_msg}")
 
 
-def handle_image_to_image_generation(input_image_val, prompt_val, model_val, provider_val, negative_prompt_val, steps_val, guidance_val, seed_val):
+def handle_image_to_image_generation(input_image_val, prompt_val, model_val, provider_val, negative_prompt_val, steps_val, guidance_val, seed_val, hf_token: gr.OAuthToken = None):
     """
     Handle image-to-image generation request with validation.
     """
@@ -284,6 +287,12 @@ def handle_image_to_image_generation(input_image_val, prompt_val, model_val, pro
     if input_image_val is None:
         return None, format_error_message("Validation Error", "Please upload an input image")
     
+    # Enforce org-based access control via HF OAuth token
+    access_token = getattr(hf_token, "token", None) if hf_token is not None else None
+    is_allowed, access_msg, _username, _matched = check_org_access(access_token)
+    if not is_allowed:
+        return None, format_access_denied_message(access_msg)
+    
     # Generate image-to-image
     return generate_image_to_image(
         input_image=input_image_val,
@@ -297,7 +306,7 @@ def handle_image_to_image_generation(input_image_val, prompt_val, model_val, pro
     )
 
 
-def handle_image_generation(prompt_val, model_val, provider_val, negative_prompt_val, width_val, height_val, steps_val, guidance_val, seed_val):
+def handle_image_generation(prompt_val, model_val, provider_val, negative_prompt_val, width_val, height_val, steps_val, guidance_val, seed_val, hf_token: gr.OAuthToken = None):
     """
     Handle image generation request with validation.
     """
@@ -306,6 +315,12 @@ def handle_image_generation(prompt_val, model_val, provider_val, negative_prompt
     if not is_valid:
         return None, format_error_message("Validation Error", error_msg)
     
+    # Enforce org-based access control via HF OAuth token
+    access_token = getattr(hf_token, "token", None) if hf_token is not None else None
+    is_allowed, access_msg, _username, _matched = check_org_access(access_token)
+    if not is_allowed:
+        return None, format_access_denied_message(access_msg)
+    
     # Generate image
     return generate_image(
         prompt=prompt_val,

tts_handler.py

@@ -4,6 +4,7 @@ Handles text-to-speech generation with multiple providers.
 """
 
 import os
+import gradio as gr
 import time
 import threading
 from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeoutError
@@ -16,7 +17,9 @@ from utils import (
     validate_proxy_key, 
     format_error_message, 
     format_success_message,
-    TTS_MODEL_CONFIGS
+    TTS_MODEL_CONFIGS,
+    check_org_access,
+    format_access_denied_message
 )
 
 # Timeout configuration for TTS generation
@@ -153,7 +156,7 @@ def generate_text_to_speech(
         return None, format_error_message("Unexpected Error", f"An unexpected error occurred: {error_msg}")
 
 
-def handle_text_to_speech_generation(text_val, model_val, provider_val, voice_val, speed_val, audio_url_val, exaggeration_val, temperature_val, cfg_val):
+def handle_text_to_speech_generation(text_val, model_val, provider_val, voice_val, speed_val, audio_url_val, exaggeration_val, temperature_val, cfg_val, hf_token: gr.OAuthToken = None):
     """
     Handle text-to-speech generation request with validation.
     """
@@ -165,6 +168,12 @@ def handle_text_to_speech_generation(text_val, model_val, provider_val, voice_va
     if len(text_val) > 5000:
         return None, format_error_message("Validation Error", "Text is too long. Please keep it under 5000 characters.")
     
+    # Enforce org-based access control via HF OAuth token
+    access_token = getattr(hf_token, "token", None) if hf_token is not None else None
+    is_allowed, access_msg, _username, _matched = check_org_access(access_token)
+    if not is_allowed:
+        return None, format_access_denied_message(access_msg)
+    
     # Generate speech
     return generate_text_to_speech(
         text=text_val.strip(),

utils.py

@@ -4,6 +4,7 @@ Contains configuration constants and helper functions.
 """
 
 import os
+import requests
 
 
 # Configuration constants
@@ -226,3 +227,66 @@ def get_gradio_theme():
         return gr.themes.Soft()
     except ImportError:
         return None
+
+
+# -----------------------------
+# OAuth / Org Access Utilities
+# -----------------------------
+
+def _parse_allowed_orgs() -> list[str]:
+    """Parse comma/space separated ALLOWED_ORGS env var into a list of lowercase names."""
+    raw = os.getenv("ALLOWED_ORGS", "").strip()
+    if not raw:
+        return []
+    # support comma or whitespace separated
+    parts = [p.strip().lower() for p in raw.replace("\n", ",").replace(" ", ",").split(",") if p.strip()]
+    return list(dict.fromkeys(parts))  # dedupe while preserving order
+
+
+def fetch_hf_identity(access_token: str) -> tuple[bool, dict | None, str]:
+    """
+    Call whoami-v2 to get user identity and orgs.
+    Returns (success, data, error_message).
+    """
+    if not access_token:
+        return False, None, "Missing access token"
+    try:
+        resp = requests.get(
+            "https://huggingface.co/api/whoami-v2",
+            headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
+            timeout=15,
+        )
+        if resp.status_code != 200:
+            return False, None, f"HF whoami-v2 HTTP {resp.status_code}"
+        return True, resp.json(), ""
+    except requests.exceptions.RequestException as e:
+        return False, None, f"HF whoami-v2 error: {str(e)}"
+
+
+def check_org_access(access_token: str) -> tuple[bool, str, str | None, list[str]]:
+    """
+    Validate that the logged-in user belongs to any of ALLOWED_ORGS.
+    Returns (is_allowed, message, username, matched_orgs).
+    """
+    allowed_orgs = _parse_allowed_orgs()
+    if not access_token:
+        return False, "🔒 Please log in with Hugging Face to continue.", None, []
+    if not allowed_orgs:
+        return False, "❌ Access denied: ALLOWED_ORGS is not configured in Space secrets.", None, []
+
+    ok, data, err = fetch_hf_identity(access_token)
+    if not ok or not data:
+        return False, f"❌ Failed to verify identity: {err}", None, []
+
+    username = data.get("name") or data.get("fullname") or data.get("id")
+    org_objs = data.get("orgs", []) or []
+    user_org_names = [str(org.get("name", "")).lower() for org in org_objs if org.get("name")]
+    matched = sorted(list(set(user_org_names).intersection(set(allowed_orgs))))
+    if matched:
+        return True, f"✅ Access granted for @{username} in org(s): {', '.join(matched)}", username, matched
+    return False, f"🚫 Access denied for @{username}. Required org(s): {', '.join(allowed_orgs)}", username, []
+
+
+def format_access_denied_message(message: str) -> str:
+    """Return a standardized access denied message for UI display."""
+    return format_error_message("Access Denied", message)