Add authentication

app.py

@@ -1,6 +1,12 @@
+import urllib.parse
+
 import streamlit as st
 
+from core.constants import OAUTH_CLIENT_ID
+from core.constants import OAUTH_STATE
+from core.constants import REDIRECT_URI
 from core.state import CurrentStep
+from core.state import User
 from utils import init_state
 from views.splash import render_splash
 from views.wizard import render_editor
@@ -8,14 +14,34 @@ from views.wizard import render_editor
 init_state()
 
 
+st.set_page_config(page_title="Croissant Editor", page_icon="🥐", layout="wide")
+col1, col2 = st.columns([10, 1])
+col1.header("Croissant Editor")
+
+if OAUTH_CLIENT_ID and not st.session_state.get(User):
+    query_params = st.experimental_get_query_params()
+    state = query_params.get("state")
+    if state and state[0] == OAUTH_STATE:
+        code = query_params.get("code")
+        if not code:
+            st.stop()
+        st.session_state[User] = User.connect(code)
+        st.experimental_set_query_params()
+    else:
+        redirect_uri = urllib.parse.quote(REDIRECT_URI, safe="")
+        client_id = urllib.parse.quote(OAUTH_CLIENT_ID, safe="")
+        state = urllib.parse.quote(OAUTH_STATE, safe="")
+        scope = urllib.parse.quote("openid profile", safe="")
+        url = f"https://huggingface.co/oauth/authorize?response_type=code&redirect_uri={redirect_uri}&scope={scope}&client_id={client_id}&state={state}"
+        st.link_button("🤗 Login with Hugging Face", url)
+        st.stop()
+
+
 def _back_to_menu():
     """Sends the user back to the menu."""
     init_state(force=True)
 
 
-st.set_page_config(page_title="Croissant Editor", page_icon="🥐", layout="wide")
-col1, col2 = st.columns([10, 1])
-col1.header("Croissant Editor")
 if st.session_state[CurrentStep] != CurrentStep.splash:
     col2.write("\n")  # Vertical box to shift the button menu
     col2.button("Menu", on_click=_back_to_menu)

core/constants.py

@@ -1,10 +1,30 @@
+import os
+
 from etils import epath
 
 import mlcroissant as mlc
 
+# Authentication to Hugging Face:
+REDIRECT_URI = os.getenv("REDIRECT_URI", "http://localhost:8501")
+OAUTH_STATE = os.getenv("OAUTH_STATE")
+OAUTH_CLIENT_ID = os.getenv("OAUTH_CLIENT_ID")
+OAUTH_CLIENT_SECRET = os.getenv("OAUTH_CLIENT_SECRET")
+
 EDITOR_CACHE: epath.Path = mlc.constants.CROISSANT_CACHE / "editor"
-PAST_PROJECTS_PATH: epath.Path = EDITOR_CACHE / "projects"
-PROJECT_FOLDER_PATTERN = "%Y%m%d%H%M%S%f"
 
 
+def PAST_PROJECTS_PATH(user) -> epath.Path:
+    base = EDITOR_CACHE / "projects"
+    # If there is authentication, look up in the user's path:
+    if OAUTH_CLIENT_ID:
+        if user is None:
+            raise Exception("Please, authenticate before using the application.")
+        return base / user.username
+    # Else look up at the root:
+    else:
+        return base
+
+
+PROJECT_FOLDER_PATTERN = "%Y%m%d%H%M%S%f"
+
 DF_HEIGHT = 150

core/past_projects.py

@@ -7,11 +7,14 @@ import streamlit as st
 from core.constants import PAST_PROJECTS_PATH
 from core.state import CurrentProject
 from core.state import Metadata
+from core.state import User
 
 
 def load_past_projects_paths() -> list[epath.Path]:
-    PAST_PROJECTS_PATH.mkdir(parents=True, exist_ok=True)
-    return sorted(list(PAST_PROJECTS_PATH.iterdir()), reverse=True)
+    user = st.session_state.get(User)
+    past_projects_path = PAST_PROJECTS_PATH(user)
+    past_projects_path.mkdir(parents=True, exist_ok=True)
+    return sorted(list(past_projects_path.iterdir()), reverse=True)
 
 
 def _pickle_file(path: epath.Path) -> epath.Path:

core/state.py

@@ -5,15 +5,22 @@ In the future, this could be the serialization format between front and back.
 
 from __future__ import annotations
 
+import base64
 import dataclasses
 import datetime
+import hashlib
 from typing import Any
 
 from etils import epath
 import pandas as pd
+import requests
+import streamlit as st
 
+from core.constants import OAUTH_CLIENT_ID
+from core.constants import OAUTH_CLIENT_SECRET
 from core.constants import PAST_PROJECTS_PATH
 from core.constants import PROJECT_FOLDER_PATTERN
+from core.constants import REDIRECT_URI
 import mlcroissant as mlc
 
 
@@ -28,6 +35,46 @@ def create_class(mlc_class: type, instance: Any, **kwargs) -> Any:
     return mlc_class(**params, **kwargs)
 
 
+@dataclasses.dataclass
+class User:
+    """The connected user."""
+
+    access_token: str
+    id_token: str
+    username: str
+
+    @classmethod
+    def connect(cls, code: str):
+        credentials = base64.b64encode(
+            f"{OAUTH_CLIENT_ID}:{OAUTH_CLIENT_SECRET}".encode()
+        ).decode()
+        headers = {
+            "Authorization": f"Basic {credentials}",
+        }
+        data = {
+            "client_id": OAUTH_CLIENT_ID,
+            "grant_type": "authorization_code",
+            "code": code,
+            "redirect_uri": REDIRECT_URI,
+        }
+        url = "https://huggingface.co/oauth/token"
+        response = requests.post(url, data=data, headers=headers)
+        if response.status_code == 200:
+            response = response.json()
+            access_token = response.get("access_token")
+            id_token = response.get("id_token")
+            if access_token and id_token:
+                # Warning: this is temporary while being able to retrieve the username.
+                username = hashlib.sha256(access_token.encode()).hexdigest()
+                return User(
+                    access_token=access_token, username=username, id_token=id_token
+                )
+        raise Exception(
+            f"Could not connect to Hugging Face. Please, go to {REDIRECT_URI}."
+            f" ({response=})."
+        )
+
+
 class CurrentStep:
     """Holds all major state variables for the application."""
 
@@ -44,7 +91,12 @@ class CurrentProject:
     @classmethod
     def create_new(cls) -> CurrentProject:
         timestamp = datetime.datetime.now().strftime(PROJECT_FOLDER_PATTERN)
-        return CurrentProject(path=PAST_PROJECTS_PATH / timestamp)
+        user = st.session_state.get(User)
+        if user is None:
+            return None
+        else:
+            path = PAST_PROJECTS_PATH(user)
+            return CurrentProject(path=path / timestamp)
 
 
 class SelectedResource:

deploy_to_hf.sh

@@ -0,0 +1,14 @@
+HF_REPO=/tmp/hf-croissant
+echo "Deleting $HF_REPO..."
+rm -rf ${HF_REPO}
+git clone [email protected]:spaces/marcenacp/croissant-editor ${HF_REPO}
+echo "Copying files from $PWD to $HF_REPO..."
+rsync -aP --exclude="README.md" --exclude="*node_modules*" --exclude="*__pycache__*" . ${HF_REPO}
+cd ${HF_REPO}
+echo "Now push with: 'cd $HF_REPO && git add && git commit && git push'."
+echo "Warning: if it fails, you may need to follow https://huggingface.co/docs/hub/security-git-ssh#generating-a-new-ssh-keypair"
+echo "On Hugging Face Spaces, you might have to set the following environment variables:"
+echo "- REDIRECT_URI"
+echo "- OAUTH_STATE"
+echo "- OAUTH_CLIENT_ID"
+echo "- OAUTH_CLIENT_SECRET"

views/splash.py

@@ -1,5 +1,6 @@
 import streamlit as st
 
+from core.constants import OAUTH_CLIENT_ID
 from core.state import CurrentProject
 from core.state import CurrentStep
 from core.state import Metadata
@@ -10,6 +11,12 @@ from views.side_buttons import jump_to
 
 
 def render_splash():
+    if OAUTH_CLIENT_ID:
+        st.write(
+            "**Disclaimer**: Do not put sensitive information or datasets here. If you"
+            " want to host your own version locally, build the app from [the GitHub"
+            " repository](https://github.com/mlcommons/croissant/tree/main/editor)."
+        )
     col1, col2 = st.columns([1, 1], gap="large")
     with col1:
         with st.expander("**Load an existing Croissant JSON-LD file**", expanded=True):