Merge branch 'main' into main

Author: hanouticelina

.github/conda/meta.yaml

@@ -21,7 +21,6 @@ requirements:
     - typing-extensions
     - packaging
     - pyyaml
-    - hf-xet >=1.1.0,<2.0.0
   run:
     - python
     - pip
@@ -31,7 +30,6 @@ requirements:
     - typing-extensions
     - packaging
     - pyyaml
-    - hf-xet >=1.1.0,<2.0.0
 
 test:
   imports:

.github/workflows/python-tests.yml

@@ -94,14 +94,13 @@ jobs:
               sudo apt install -y graphviz
               uv pip install "huggingface_hub[tensorflow-testing] @ ."
               ;;
+            
+            "Xet only")
+              uv pip install "huggingface_hub[hf_xet] @ ."
+              ;;
 
           esac
 
-          # If not "Xet only", we want to test upload/download with regular LFS workflow
-          # => uninstall hf_xet to make sure we are not using it.
-          if [[ "${{ matrix.test_name }}" != "Xet only" ]]; then
-            uv pip uninstall hf_xet
-          fi
       # Run tests
       - name: Run tests
         working-directory: ./src # For code coverage to work

docs/source/en/_toctree.yml

@@ -86,3 +86,5 @@
       title: Webhooks server
     - local: package_reference/serialization
       title: Serialization
+    - local: package_reference/oauth
+      title: OAuth

docs/source/en/package_reference/oauth.md

@@ -0,0 +1,68 @@
+<!--⚠️ Note that this file is in Markdown but contains specific syntax for our doc-builder (similar to MDX) that may not be
+rendered properly in your Markdown viewer.
+-->
+
+
+# OAuth and FastAPI
+
+OAuth is an open standard for access delegation, commonly used to grant applications limited access to a user's information without exposing their credentials. When combined with FastAPI it allows you to build secure APIs that allow users to log in using external identity providers like Google or GitHub.
+In a usual scenario:
+- FastAPI will define the API endpoints and handles the HTTP requests.
+- OAuth is integrated using libraries like fastapi.security or external tools like Authlib.
+- When a user wants to log in, FastAPI redirects them to the OAuth provider’s login page.
+- After successful login, the provider redirects back with a token.
+- FastAPI verifies this token and uses it to authorize the user or fetch user profile data.
+
+This approach helps avoid handling passwords directly and offloads identity management to trusted providers.
+
+# Hugging Face OAuth Integration in FastAPI
+
+This module provides tools to integrate Hugging Face OAuth into a FastAPI application. It enables user authentication using the Hugging Face platform including mocked behavior for local development and real OAuth flow for Spaces.
+
+
+
+## OAuth Overview
+
+The `attach_huggingface_oauth` function adds login, logout, and callback endpoints to your FastAPI app. When used in a Space, it connects to the Hugging Face OAuth system. When used locally it will inject a mocked user. Click here to learn more about [adding a Sign-In with HF option to your Space](https://huggingface.co/docs/hub/en/spaces-oauth)
+
+
+### How to use it?
+
+```python
+from huggingface_hub import attach_huggingface_oauth, parse_huggingface_oauth
+from fastapi import FastAPI, Request
+
+app = FastAPI()
+attach_huggingface_oauth(app)
+
+@app.get("/")
+def greet_json(request: Request):
+    oauth_info = parse_huggingface_oauth(request)
+    if oauth_info is None:
+        return {"msg": "Not logged in!"}
+    return {"msg": f"Hello, {oauth_info.user_info.preferred_username}!"}
+```
+
+<Tip>
+You might also be interested in [a practical example that demonstrates OAuth in action](https://huggingface.co/spaces/medoidai/GiveBackGPT/blob/main/src/main.py)
+</Tip>
+
+### attach_huggingface_oauth
+
+[[autodoc]] attach_huggingface_oauth
+
+### parse_huggingface_oauth
+
+[[autodoc]] parse_huggingface_oauth
+
+### OAuthOrgInfo
+
+[[autodoc]] OAuthOrgInfo
+
+### OAuthUserInfo
+
+[[autodoc]] OAuthUserInfo
+
+### OAuthInfo
+
+[[autodoc]] OAuthInfo

setup.py

@@ -14,7 +14,6 @@ def get_version() -> str:
 install_requires = [
     "filelock",
     "fsspec>=2023.5.0",
-    "hf-xet>=1.1.0,<2.0.0; platform_machine=='x86_64' or platform_machine=='amd64' or platform_machine=='arm64' or platform_machine=='aarch64'",
     "packaging>=20.9",
     "pyyaml>=5.1",
     "requests",
@@ -32,6 +31,13 @@ def get_version() -> str:
     "aiohttp",  # for AsyncInferenceClient
 ]
 
+extras["oauth"] = [
+    "authlib>=1.3.2",  # minimum version to include https://github.com/lepture/authlib/pull/644
+    "fastapi",
+    "httpx",  # required for authlib but not included in its dependencies
+    "itsdangerous",  # required for starlette SessionMiddleware
+]
+
 extras["torch"] = [
     "torch",
     "safetensors[torch]",
@@ -56,11 +62,12 @@ def get_version() -> str:
     "keras<3.0",
 ]
 
-extras["hf_xet"] = ["hf_xet>=1.1.0,<2.0.0"]
+extras["hf_xet"] = ["hf-xet>=1.1.1,<2.0.0"]
 
 extras["testing"] = (
     extras["cli"]
     + extras["inference"]
+    + extras["oauth"]
     + [
         "jedi",
         "Jinja2",

src/huggingface_hub/__init__.py

@@ -70,6 +70,13 @@
         "logout",
         "notebook_login",
     ],
+    "_oauth": [
+        "OAuthInfo",
+        "OAuthOrgInfo",
+        "OAuthUserInfo",
+        "attach_huggingface_oauth",
+        "parse_huggingface_oauth",
+    ],
     "_snapshot_download": [
         "snapshot_download",
     ],
@@ -641,6 +648,9 @@
     "ModelCardData",
     "ModelHubMixin",
     "ModelInfo",
+    "OAuthInfo",
+    "OAuthOrgInfo",
+    "OAuthUserInfo",
     "ObjectDetectionBoundingBox",
     "ObjectDetectionInput",
     "ObjectDetectionOutputElement",
@@ -762,6 +772,7 @@
     "add_collection_item",
     "add_space_secret",
     "add_space_variable",
+    "attach_huggingface_oauth",
     "auth_check",
     "auth_list",
     "auth_switch",
@@ -862,6 +873,7 @@
     "move_repo",
     "notebook_login",
     "paper_info",
+    "parse_huggingface_oauth",
     "parse_safetensors_file_metadata",
     "pause_inference_endpoint",
     "pause_space",
@@ -1026,6 +1038,13 @@ def __dir__():
         logout,  # noqa: F401
         notebook_login,  # noqa: F401
     )
+    from ._oauth import (
+        OAuthInfo,  # noqa: F401
+        OAuthOrgInfo,  # noqa: F401
+        OAuthUserInfo,  # noqa: F401
+        attach_huggingface_oauth,  # noqa: F401
+        parse_huggingface_oauth,  # noqa: F401
+    )
     from ._snapshot_download import snapshot_download  # noqa: F401
     from ._space_api import (
         SpaceHardware,  # noqa: F401