huggingface-hub 0.29.0rc2__py3-none-any.whl → 1.1.3__py3-none-any.whl

huggingface_hub/_login.py

@@ -19,9 +19,11 @@ from getpass import getpass
 from pathlib import Path
 from typing import Optional
 
+import typer
+
 from . import constants
-from .commands._cli_utils import ANSI
 from .utils import (
+    ANSI,
     capture_output,
     get_token,
     is_google_colab,
@@ -41,7 +43,6 @@ from .utils._auth import (
     _save_token,
     get_stored_tokens,
 )
-from .utils._deprecation import _deprecate_arguments, _deprecate_positional_args
 
 
 logger = logging.get_logger(__name__)
@@ -55,18 +56,11 @@ _HF_LOGO_ASCII = """
 """
 
 
-@_deprecate_arguments(
-    version="1.0",
-    deprecated_args="write_permission",
-    custom_message="Fine-grained tokens added complexity to the permissions, making it irrelevant to check if a token has 'write' access.",
-)
-@_deprecate_positional_args(version="1.0")
 def login(
     token: Optional[str] = None,
     *,
     add_to_git_credential: bool = False,
-    new_session: bool = True,
-    write_permission: bool = False,
+    skip_if_logged_in: bool = False,
 ) -> None:
     """Login the machine to access the Hub.
 
@@ -75,24 +69,18 @@ def login(
     components. If `token` is not provided, it will be prompted to the user either with
     a widget (in a notebook) or via the terminal.
 
-    To log in from outside of a script, one can also use `huggingface-cli login` which is
+    To log in from outside of a script, one can also use `hf auth login` which is
     a cli command that wraps [`login`].
 
-    <Tip>
-
-    [`login`] is a drop-in replacement method for [`notebook_login`] as it wraps and
-    extends its capabilities.
-
-    </Tip>
-
-    <Tip>
+    > [!TIP]
+    > [`login`] is a drop-in replacement method for [`notebook_login`] as it wraps and
+    > extends its capabilities.
 
-    When the token is not passed, [`login`] will automatically detect if the script runs
-    in a notebook or not. However, this detection might not be accurate due to the
-    variety of notebooks that exists nowadays. If that is the case, you can always force
-    the UI by using [`notebook_login`] or [`interpreter_login`].
-
-    </Tip>
+    > [!TIP]
+    > When the token is not passed, [`login`] will automatically detect if the script runs
+    > in a notebook or not. However, this detection might not be accurate due to the
+    > variety of notebooks that exists nowadays. If that is the case, you can always force
+    > the UI by using [`notebook_login`] or [`interpreter_login`].
 
     Args:
         token (`str`, *optional*):
@@ -102,10 +90,8 @@ def login(
             is configured, a warning will be displayed to the user. If `token` is `None`,
             the value of `add_to_git_credential` is ignored and will be prompted again
             to the end user.
-        new_session (`bool`, defaults to `True`):
-            If `True`, will request a token even if one is already saved on the machine.
-        write_permission (`bool`):
-            Ignored and deprecated argument.
+        skip_if_logged_in (`bool`, defaults to `False`):
+            If `True`, do not prompt for token if user is already logged in.
     Raises:
         [`ValueError`](https://docs.python.org/3/library/exceptions.html#ValueError)
             If an organization token is passed. Only personal account tokens are valid
@@ -120,14 +106,14 @@ def login(
             logger.info(
                 "The token has not been saved to the git credentials helper. Pass "
                 "`add_to_git_credential=True` in this function directly or "
-                "`--add-to-git-credential` if using via `huggingface-cli` if "
+                "`--add-to-git-credential` if using via `hf`CLI if "
                 "you want to set the git credential as well."
             )
         _login(token, add_to_git_credential=add_to_git_credential)
     elif is_notebook():
-        notebook_login(new_session=new_session)
+        notebook_login(skip_if_logged_in=skip_if_logged_in)
     else:
-        interpreter_login(new_session=new_session)
+        interpreter_login(skip_if_logged_in=skip_if_logged_in)
 
 
 def logout(token_name: Optional[str] = None) -> None:
@@ -137,7 +123,7 @@ def logout(token_name: Optional[str] = None) -> None:
 
     Args:
         token_name (`str`, *optional*):
-            Name of the access token to logout from. If `None`, will logout from all saved access tokens.
+            Name of the access token to logout from. If `None`, will log out from all saved access tokens.
     Raises:
         [`ValueError`](https://docs.python.org/3/library/exceptions.html#ValueError):
             If the access token name is not found.
@@ -233,7 +219,7 @@ def auth_list() -> None:
         )
     elif current_token_name is None:
         logger.warning(
-            "\nNote: No active token is set and no environment variable `HF_TOKEN` is found. Use `huggingface-cli login` to log in."
+            "\nNote: No active token is set and no environment variable `HF_TOKEN` is found. Use `hf auth login` to log in."
         )
 
 
@@ -242,13 +228,7 @@ def auth_list() -> None:
 ###
 
 
-@_deprecate_arguments(
-    version="1.0",
-    deprecated_args="write_permission",
-    custom_message="Fine-grained tokens added complexity to the permissions, making it irrelevant to check if a token has 'write' access.",
-)
-@_deprecate_positional_args(version="1.0")
-def interpreter_login(*, new_session: bool = True, write_permission: bool = False) -> None:
+def interpreter_login(*, skip_if_logged_in: bool = False) -> None:
     """
     Displays a prompt to log in to the HF website and store the token.
 
@@ -259,22 +239,18 @@ def interpreter_login(*, new_session: bool = True, write_permission: bool = Fals
     For more details, see [`login`].
 
     Args:
-        new_session (`bool`, defaults to `True`):
-            If `True`, will request a token even if one is already saved on the machine.
-        write_permission (`bool`):
-            Ignored and deprecated argument.
+        skip_if_logged_in (`bool`, defaults to `False`):
+            If `True`, do not prompt for token if user is already logged in.
     """
-    if not new_session and get_token() is not None:
+    if not skip_if_logged_in and get_token() is not None:
         logger.info("User is already logged in.")
         return
 
-    from .commands.delete_cache import _ask_for_confirmation_no_tui
-
     print(_HF_LOGO_ASCII)
     if get_token() is not None:
         logger.info(
-            "    A token is already saved on your machine. Run `huggingface-cli"
-            " whoami` to get more information or `huggingface-cli logout` if you want"
+            "    A token is already saved on your machine. Run `hf auth whoami`"
+            " to get more information or `hf auth logout` if you want"
             " to log out."
         )
         logger.info("    Setting a new token will erase the existing one.")
@@ -285,7 +261,7 @@ def interpreter_login(*, new_session: bool = True, write_permission: bool = Fals
     if os.name == "nt":
         logger.info("Token can be pasted using 'Right-Click'.")
     token = getpass("Enter your token (input will not be visible): ")
-    add_to_git_credential = _ask_for_confirmation_no_tui("Add token as git credential?")
+    add_to_git_credential = typer.confirm("Add token as git credential?")
 
     _login(token=token, add_to_git_credential=add_to_git_credential)
 
@@ -314,13 +290,7 @@ NOTEBOOK_LOGIN_TOKEN_HTML_END = """
 notebooks. </center>"""
 
 
-@_deprecate_arguments(
-    version="1.0",
-    deprecated_args="write_permission",
-    custom_message="Fine-grained tokens added complexity to the permissions, making it irrelevant to check if a token has 'write' access.",
-)
-@_deprecate_positional_args(version="1.0")
-def notebook_login(*, new_session: bool = True, write_permission: bool = False) -> None:
+def notebook_login(*, skip_if_logged_in: bool = False) -> None:
     """
     Displays a widget to log in to the HF website and store the token.
 
@@ -331,10 +301,8 @@ def notebook_login(*, new_session: bool = True, write_permission: bool = False)
     For more details, see [`login`].
 
     Args:
-        new_session (`bool`, defaults to `True`):
-            If `True`, will request a token even if one is already saved on the machine.
-        write_permission (`bool`):
-            Ignored and deprecated argument.
+        skip_if_logged_in (`bool`, defaults to `False`):
+            If `True`, do not prompt for token if user is already logged in.
     """
     try:
         import ipywidgets.widgets as widgets  # type: ignore
@@ -344,7 +312,7 @@ def notebook_login(*, new_session: bool = True, write_permission: bool = False)
             "The `notebook_login` function can only be used in a notebook (Jupyter or"
             " Colab) and you need the `ipywidgets` module: `pip install ipywidgets`."
         )
-    if not new_session and get_token() is not None:
+    if not skip_if_logged_in and get_token() is not None:
         logger.info("User is already logged in.")
         return
 

huggingface_hub/_oauth.py

@@ -0,0 +1,460 @@
+import datetime
+import hashlib
+import logging
+import os
+import time
+import urllib.parse
+import warnings
+from dataclasses import dataclass
+from typing import TYPE_CHECKING, Literal, Optional, Union
+
+from . import constants
+from .hf_api import whoami
+from .utils import experimental, get_token
+
+
+logger = logging.getLogger(__name__)
+
+if TYPE_CHECKING:
+    import fastapi
+
+
+@dataclass
+class OAuthOrgInfo:
+    """
+    Information about an organization linked to a user logged in with OAuth.
+
+    Attributes:
+        sub (`str`):
+            Unique identifier for the org. OpenID Connect field.
+        name (`str`):
+            The org's full name. OpenID Connect field.
+        preferred_username (`str`):
+            The org's username. OpenID Connect field.
+        picture (`str`):
+            The org's profile picture URL. OpenID Connect field.
+        is_enterprise (`bool`):
+            Whether the org is an enterprise org. Hugging Face field.
+        can_pay (`Optional[bool]`, *optional*):
+            Whether the org has a payment method set up. Hugging Face field.
+        role_in_org (`Optional[str]`, *optional*):
+            The user's role in the org. Hugging Face field.
+        security_restrictions (`Optional[list[Literal["ip", "token-policy", "mfa", "sso"]]]`, *optional*):
+            Array of security restrictions that the user hasn't completed for this org. Possible values: "ip", "token-policy", "mfa", "sso". Hugging Face field.
+    """
+
+    sub: str
+    name: str
+    preferred_username: str
+    picture: str
+    is_enterprise: bool
+    can_pay: Optional[bool] = None
+    role_in_org: Optional[str] = None
+    security_restrictions: Optional[list[Literal["ip", "token-policy", "mfa", "sso"]]] = None
+
+
+@dataclass
+class OAuthUserInfo:
+    """
+    Information about a user logged in with OAuth.
+
+    Attributes:
+        sub (`str`):
+            Unique identifier for the user, even in case of rename. OpenID Connect field.
+        name (`str`):
+            The user's full name. OpenID Connect field.
+        preferred_username (`str`):
+            The user's username. OpenID Connect field.
+        email_verified (`Optional[bool]`, *optional*):
+            Indicates if the user's email is verified. OpenID Connect field.
+        email (`Optional[str]`, *optional*):
+            The user's email address. OpenID Connect field.
+        picture (`str`):
+            The user's profile picture URL. OpenID Connect field.
+        profile (`str`):
+            The user's profile URL. OpenID Connect field.
+        website (`Optional[str]`, *optional*):
+            The user's website URL. OpenID Connect field.
+        is_pro (`bool`):
+            Whether the user is a pro user. Hugging Face field.
+        can_pay (`Optional[bool]`, *optional*):
+            Whether the user has a payment method set up. Hugging Face field.
+        orgs (`Optional[list[OrgInfo]]`, *optional*):
+            List of organizations the user is part of. Hugging Face field.
+    """
+
+    sub: str
+    name: str
+    preferred_username: str
+    email_verified: Optional[bool]
+    email: Optional[str]
+    picture: str
+    profile: str
+    website: Optional[str]
+    is_pro: bool
+    can_pay: Optional[bool]
+    orgs: Optional[list[OAuthOrgInfo]]
+
+
+@dataclass
+class OAuthInfo:
+    """
+    Information about the OAuth login.
+
+    Attributes:
+        access_token (`str`):
+            The access token.
+        access_token_expires_at (`datetime.datetime`):
+            The expiration date of the access token.
+        user_info ([`OAuthUserInfo`]):
+            The user information.
+        state (`str`, *optional*):
+            State passed to the OAuth provider in the original request to the OAuth provider.
+        scope (`str`):
+            Granted scope.
+    """
+
+    access_token: str
+    access_token_expires_at: datetime.datetime
+    user_info: OAuthUserInfo
+    state: Optional[str]
+    scope: str
+
+
+@experimental
+def attach_huggingface_oauth(app: "fastapi.FastAPI", route_prefix: str = "/"):
+    """
+    Add OAuth endpoints to a FastAPI app to enable OAuth login with Hugging Face.
+
+    How to use:
+    - Call this method on your FastAPI app to add the OAuth endpoints.
+    - Inside your route handlers, call `parse_huggingface_oauth(request)` to retrieve the OAuth info.
+    - If user is logged in, an [`OAuthInfo`] object is returned with the user's info. If not, `None` is returned.
+    - In your app, make sure to add links to `/oauth/huggingface/login` and `/oauth/huggingface/logout` for the user to log in and out.
+
+    Example:
+    ```py
+    from huggingface_hub import attach_huggingface_oauth, parse_huggingface_oauth
+
+    # Create a FastAPI app
+    app = FastAPI()
+
+    # Add OAuth endpoints to the FastAPI app
+    attach_huggingface_oauth(app)
+
+    # Add a route that greets the user if they are logged in
+    @app.get("/")
+    def greet_json(request: Request):
+        # Retrieve the OAuth info from the request
+        oauth_info = parse_huggingface_oauth(request)  # e.g. OAuthInfo dataclass
+        if oauth_info is None:
+            return {"msg": "Not logged in!"}
+        return {"msg": f"Hello, {oauth_info.user_info.preferred_username}!"}
+    ```
+    """
+    # TODO: handle generic case (handling OAuth in a non-Space environment with custom dev values) (low priority)
+
+    # Add SessionMiddleware to the FastAPI app to store the OAuth info in the session.
+    # Session Middleware requires a secret key to sign the cookies. Let's use a hash
+    # of the OAuth secret key to make it unique to the Space + updated in case OAuth
+    # config gets updated. When ran locally, we use an empty string as a secret key.
+    try:
+        from starlette.middleware.sessions import SessionMiddleware
+    except ImportError as e:
+        raise ImportError(
+            "Cannot initialize OAuth to due a missing library. Please run `pip install huggingface_hub[oauth]` or add "
+            "`huggingface_hub[oauth]` to your requirements.txt file in order to install the required dependencies."
+        ) from e
+    session_secret = (constants.OAUTH_CLIENT_SECRET or "") + "-v1"
+    app.add_middleware(
+        SessionMiddleware,  # type: ignore[arg-type]
+        secret_key=hashlib.sha256(session_secret.encode()).hexdigest(),
+        same_site="none",
+        https_only=True,
+    )  # type: ignore
+
+    # Add OAuth endpoints to the FastAPI app:
+    #   - {route_prefix}/oauth/huggingface/login
+    #   - {route_prefix}/oauth/huggingface/callback
+    #   - {route_prefix}/oauth/huggingface/logout
+    # If the app is running in a Space, OAuth is enabled normally.
+    # Otherwise, we mock the endpoints to make the user log in with a fake user profile - without any calls to hf.co.
+    route_prefix = route_prefix.strip("/")
+    if os.getenv("SPACE_ID") is not None:
+        logger.info("OAuth is enabled in the Space. Adding OAuth routes.")
+        _add_oauth_routes(app, route_prefix=route_prefix)
+    else:
+        logger.info("App is not running in a Space. Adding mocked OAuth routes.")
+        _add_mocked_oauth_routes(app, route_prefix=route_prefix)
+
+
+def parse_huggingface_oauth(request: "fastapi.Request") -> Optional[OAuthInfo]:
+    """
+    Returns the information from a logged-in user as a [`OAuthInfo`] object.
+
+    For flexibility and future-proofing, this method is very lax in its parsing and does not raise errors.
+    Missing fields are set to `None` without a warning.
+
+    Return `None`, if the user is not logged in (no info in session cookie).
+
+    See [`attach_huggingface_oauth`] for an example on how to use this method.
+    """
+    if "oauth_info" not in request.session:
+        logger.debug("No OAuth info in session.")
+        return None
+
+    logger.debug("Parsing OAuth info from session.")
+    oauth_data = request.session["oauth_info"]
+    user_data = oauth_data.get("userinfo", {})
+    orgs_data = user_data.get("orgs", [])
+
+    orgs = (
+        [
+            OAuthOrgInfo(
+                sub=org.get("sub"),
+                name=org.get("name"),
+                preferred_username=org.get("preferred_username"),
+                picture=org.get("picture"),
+                is_enterprise=org.get("isEnterprise"),
+                can_pay=org.get("canPay"),
+                role_in_org=org.get("roleInOrg"),
+                security_restrictions=org.get("securityRestrictions"),
+            )
+            for org in orgs_data
+        ]
+        if orgs_data
+        else None
+    )
+
+    user_info = OAuthUserInfo(
+        sub=user_data.get("sub"),
+        name=user_data.get("name"),
+        preferred_username=user_data.get("preferred_username"),
+        email_verified=user_data.get("email_verified"),
+        email=user_data.get("email"),
+        picture=user_data.get("picture"),
+        profile=user_data.get("profile"),
+        website=user_data.get("website"),
+        is_pro=user_data.get("isPro"),
+        can_pay=user_data.get("canPay"),
+        orgs=orgs,
+    )
+
+    return OAuthInfo(
+        access_token=oauth_data.get("access_token"),
+        access_token_expires_at=datetime.datetime.fromtimestamp(oauth_data.get("expires_at")),
+        user_info=user_info,
+        state=oauth_data.get("state"),
+        scope=oauth_data.get("scope"),
+    )
+
+
+def _add_oauth_routes(app: "fastapi.FastAPI", route_prefix: str) -> None:
+    """Add OAuth routes to the FastAPI app (login, callback handler and logout)."""
+    try:
+        import fastapi
+        from authlib.integrations.base_client.errors import MismatchingStateError
+        from authlib.integrations.starlette_client import OAuth
+        from fastapi.responses import RedirectResponse
+    except ImportError as e:
+        raise ImportError(
+            "Cannot initialize OAuth to due a missing library. Please run `pip install huggingface_hub[oauth]` or add "
+            "`huggingface_hub[oauth]` to your requirements.txt file."
+        ) from e
+
+    # Check environment variables
+    msg = (
+        "OAuth is required but '{}' environment variable is not set. Make sure you've enabled OAuth in your Space by"
+        " setting `hf_oauth: true` in the Space metadata."
+    )
+    if constants.OAUTH_CLIENT_ID is None:
+        raise ValueError(msg.format("OAUTH_CLIENT_ID"))
+    if constants.OAUTH_CLIENT_SECRET is None:
+        raise ValueError(msg.format("OAUTH_CLIENT_SECRET"))
+    if constants.OAUTH_SCOPES is None:
+        raise ValueError(msg.format("OAUTH_SCOPES"))
+    if constants.OPENID_PROVIDER_URL is None:
+        raise ValueError(msg.format("OPENID_PROVIDER_URL"))
+
+    # Register OAuth server
+    oauth = OAuth()
+    oauth.register(
+        name="huggingface",
+        client_id=constants.OAUTH_CLIENT_ID,
+        client_secret=constants.OAUTH_CLIENT_SECRET,
+        client_kwargs={"scope": constants.OAUTH_SCOPES},
+        server_metadata_url=constants.OPENID_PROVIDER_URL + "/.well-known/openid-configuration",
+    )
+
+    login_uri, callback_uri, logout_uri = _get_oauth_uris(route_prefix)
+
+    # Register OAuth endpoints
+    @app.get(login_uri)
+    async def oauth_login(request: fastapi.Request) -> RedirectResponse:
+        """Endpoint that redirects to HF OAuth page."""
+        redirect_uri = _generate_redirect_uri(request)
+        return await oauth.huggingface.authorize_redirect(request, redirect_uri)  # type: ignore
+
+    @app.get(callback_uri)
+    async def oauth_redirect_callback(request: fastapi.Request) -> RedirectResponse:
+        """Endpoint that handles the OAuth callback."""
+        try:
+            oauth_info = await oauth.huggingface.authorize_access_token(request)  # type: ignore
+        except MismatchingStateError:
+            # Parse query params
+            nb_redirects = int(request.query_params.get("_nb_redirects", 0))
+            target_url = request.query_params.get("_target_url")
+
+            # Build redirect URI with the same query params as before and bump nb_redirects count
+            query_params: dict[str, Union[int, str]] = {"_nb_redirects": nb_redirects + 1}
+            if target_url:
+                query_params["_target_url"] = target_url
+
+            redirect_uri = f"{login_uri}?{urllib.parse.urlencode(query_params)}"
+
+            # If the user is redirected more than 3 times, it is very likely that the cookie is not working properly.
+            # (e.g. browser is blocking third-party cookies in iframe). In this case, redirect the user in the
+            # non-iframe view.
+            if nb_redirects > constants.OAUTH_MAX_REDIRECTS:
+                host = os.environ.get("SPACE_HOST")
+                if host is None:  # cannot happen in a Space
+                    raise RuntimeError(
+                        "App is not running in a Space (SPACE_HOST environment variable is not set). Cannot redirect to non-iframe view."
+                    ) from None
+                host_url = "https://" + host.rstrip("/")
+                return RedirectResponse(host_url + redirect_uri)
+
+            # Redirect the user to the login page again
+            return RedirectResponse(redirect_uri)
+
+        # OAuth login worked => store the user info in the session and redirect
+        logger.debug("Successfully logged in with OAuth. Storing user info in session.")
+        request.session["oauth_info"] = oauth_info
+        return RedirectResponse(_get_redirect_target(request))
+
+    @app.get(logout_uri)
+    async def oauth_logout(request: fastapi.Request) -> RedirectResponse:
+        """Endpoint that logs out the user (e.g. delete info from cookie session)."""
+        logger.debug("Logged out with OAuth. Removing user info from session.")
+        request.session.pop("oauth_info", None)
+        return RedirectResponse(_get_redirect_target(request))
+
+
+def _add_mocked_oauth_routes(app: "fastapi.FastAPI", route_prefix: str = "/") -> None:
+    """Add fake oauth routes if app is run locally and OAuth is enabled.
+
+    Using OAuth will have the same behavior as in a Space but instead of authenticating with HF, a mocked user profile
+    is added to the session.
+    """
+    try:
+        import fastapi
+        from fastapi.responses import RedirectResponse
+        from starlette.datastructures import URL
+    except ImportError as e:
+        raise ImportError(
+            "Cannot initialize OAuth to due a missing library. Please run `pip install huggingface_hub[oauth]` or add "
+            "`huggingface_hub[oauth]` to your requirements.txt file."
+        ) from e
+
+    warnings.warn(
+        "OAuth is not supported outside of a Space environment. To help you debug your app locally, the oauth endpoints"
+        " are mocked to return your profile and token. To make it work, your machine must be logged in to Huggingface."
+    )
+    mocked_oauth_info = _get_mocked_oauth_info()
+
+    login_uri, callback_uri, logout_uri = _get_oauth_uris(route_prefix)
+
+    # Define OAuth routes
+    @app.get(login_uri)
+    async def oauth_login(request: fastapi.Request) -> RedirectResponse:
+        """Fake endpoint that redirects to HF OAuth page."""
+        # Define target (where to redirect after login)
+        redirect_uri = _generate_redirect_uri(request)
+        return RedirectResponse(callback_uri + "?" + urllib.parse.urlencode({"_target_url": redirect_uri}))
+
+    @app.get(callback_uri)
+    async def oauth_redirect_callback(request: fastapi.Request) -> RedirectResponse:
+        """Endpoint that handles the OAuth callback."""
+        request.session["oauth_info"] = mocked_oauth_info
+        return RedirectResponse(_get_redirect_target(request))
+
+    @app.get(logout_uri)
+    async def oauth_logout(request: fastapi.Request) -> RedirectResponse:
+        """Endpoint that logs out the user (e.g. delete cookie session)."""
+        request.session.pop("oauth_info", None)
+        logout_url = URL("/").include_query_params(**request.query_params)
+        return RedirectResponse(url=logout_url, status_code=302)  # see https://github.com/gradio-app/gradio/pull/9659
+
+
+def _generate_redirect_uri(request: "fastapi.Request") -> str:
+    if "_target_url" in request.query_params:
+        # if `_target_url` already in query params => respect it
+        target = request.query_params["_target_url"]
+    else:
+        # otherwise => keep query params
+        target = "/?" + urllib.parse.urlencode(request.query_params)
+
+    redirect_uri = request.url_for("oauth_redirect_callback").include_query_params(_target_url=target)
+    redirect_uri_as_str = str(redirect_uri)
+    if redirect_uri.netloc.endswith(".hf.space"):
+        # In Space, FastAPI redirect as http but we want https
+        redirect_uri_as_str = redirect_uri_as_str.replace("http://", "https://")
+    return redirect_uri_as_str
+
+
+def _get_redirect_target(request: "fastapi.Request", default_target: str = "/") -> str:
+    return request.query_params.get("_target_url", default_target)
+
+
+def _get_mocked_oauth_info() -> dict:
+    token = get_token()
+    if token is None:
+        raise ValueError(
+            "Your machine must be logged in to HF to debug an OAuth app locally. Please"
+            " run `hf auth login` or set `HF_TOKEN` as environment variable "
+            "with one of your access token. You can generate a new token in your "
+            "settings page (https://huggingface.co/settings/tokens)."
+        )
+
+    user = whoami()
+    if user["type"] != "user":
+        raise ValueError(
+            "Your machine is not logged in with a personal account. Please use a "
+            "personal access token. You can generate a new token in your settings page"
+            " (https://huggingface.co/settings/tokens)."
+        )
+
+    return {
+        "access_token": token,
+        "token_type": "bearer",
+        "expires_in": 8 * 60 * 60,  # 8 hours
+        "id_token": "FOOBAR",
+        "scope": "openid profile",
+        "refresh_token": "hf_oauth__refresh_token",
+        "expires_at": int(time.time()) + 8 * 60 * 60,  # 8 hours
+        "userinfo": {
+            "sub": "0123456789",
+            "name": user["fullname"],
+            "preferred_username": user["name"],
+            "profile": f"https://huggingface.co/{user['name']}",
+            "picture": user["avatarUrl"],
+            "website": "",
+            "aud": "00000000-0000-0000-0000-000000000000",
+            "auth_time": 1691672844,
+            "nonce": "aaaaaaaaaaaaaaaaaaa",
+            "iat": 1691672844,
+            "exp": 1691676444,
+            "iss": "https://huggingface.co",
+        },
+    }
+
+
+def _get_oauth_uris(route_prefix: str = "/") -> tuple[str, str, str]:
+    route_prefix = route_prefix.strip("/")
+    if route_prefix:
+        route_prefix = f"/{route_prefix}"
+    return (
+        f"{route_prefix}/oauth/huggingface/login",
+        f"{route_prefix}/oauth/huggingface/callback",
+        f"{route_prefix}/oauth/huggingface/logout",
+    )