Revert "Try Partitioned cookies for OAuth in iframe (SameSite=None + Partitioned)"

This reverts commit 5fa6d003cad54765dbb457c42842aa5fb11c086d.

backend/routes/auth.py

@@ -130,35 +130,19 @@ async def oauth_callback(
         except httpx.HTTPError:
             pass  # user_info not required for auth flow
 
-    # Set access token as HttpOnly cookie.
-    # In production (HF Spaces), use SameSite=None + Secure + Partitioned
-    # so the cookie works inside the HF iframe (cross-site context).
+    # Set access token as HttpOnly cookie (not in URL — avoids leaks via
+    # Referrer headers, browser history, and server logs)
     is_production = bool(os.environ.get("SPACE_HOST"))
     response = RedirectResponse(url="/", status_code=302)
-
-    if is_production:
-        # Manual Set-Cookie header for Partitioned attribute (Python 3.12
-        # doesn't support it natively in Starlette's set_cookie)
-        max_age = 3600 * 24  # 24 hours
-        cookie_value = (
-            f"hf_access_token={access_token}; "
-            f"HttpOnly; Secure; Path=/; "
-            f"SameSite=None; Partitioned; "
-            f"Max-Age={max_age}"
-        )
-        response.headers.append("Set-Cookie", cookie_value)
-    else:
-        # Dev mode — simple cookie, no Secure/Partitioned needed
-        response.set_cookie(
-            key="hf_access_token",
-            value=access_token,
-            httponly=True,
-            secure=False,
-            samesite="lax",
-            max_age=3600 * 24,
-            path="/",
-        )
-
+    response.set_cookie(
+        key="hf_access_token",
+        value=access_token,
+        httponly=True,
+        secure=is_production,  # Secure flag only in production (HTTPS)
+        samesite="lax",
+        max_age=3600 * 24,  # 24 hours
+        path="/",
+    )
     return response
 
 

frontend/src/components/WelcomeScreen/WelcomeScreen.tsx

@@ -6,10 +6,11 @@ import {
   CircularProgress,
   Alert,
 } from '@mui/material';
+import OpenInNewIcon from '@mui/icons-material/OpenInNew';
 import { useSessionStore } from '@/store/sessionStore';
 import { useAgentStore } from '@/store/agentStore';
 import { apiFetch } from '@/utils/api';
-import { triggerLogin } from '@/hooks/useAuth';
+import { isInIframe, triggerLogin } from '@/hooks/useAuth';
 
 /** HF brand orange */
 const HF_ORANGE = '#FF9D00';
@@ -20,6 +21,7 @@ export default function WelcomeScreen() {
   const [isCreating, setIsCreating] = useState(false);
   const [error, setError] = useState<string | null>(null);
 
+  const inIframe = isInIframe();
   const isAuthenticated = user?.authenticated;
   const isDevUser = user?.username === 'dev';
 
@@ -28,6 +30,10 @@ export default function WelcomeScreen() {
 
     // Not authenticated and not dev → need to login
     if (!isAuthenticated && !isDevUser) {
+      // In iframe: can't redirect (cookies blocked) — user needs to open in new tab
+      // This shouldn't happen because we show a different button in iframe
+      // But just in case:
+      if (inIframe) return;
       triggerLogin();
       return;
     }
@@ -59,7 +65,14 @@ export default function WelcomeScreen() {
     } finally {
       setIsCreating(false);
     }
-  }, [isCreating, createSession, setPlan, setPanelContent, isAuthenticated, isDevUser]);
+  }, [isCreating, createSession, setPlan, setPanelContent, isAuthenticated, isDevUser, inIframe]);
+
+  // Build the direct Space URL for the "open in new tab" link
+  const spaceHost = typeof window !== 'undefined'
+    ? window.location.hostname.includes('.hf.space')
+      ? window.location.origin
+      : `https://smolagents-ml-agent.hf.space`
+    : '';
 
   return (
     <Box
@@ -116,9 +129,38 @@ export default function WelcomeScreen() {
         and explores <strong>datasets</strong> — all through natural conversation.
       </Typography>
 
-      {/* Action button */}
-      {!isAuthenticated && !isDevUser ? (
-        // Not logged in → sign in (works both in iframe and direct access)
+      {/* Action button — depends on context */}
+      {inIframe && !isAuthenticated && !isDevUser ? (
+        // In iframe + not logged in → link to open Space directly
+        <Button
+          variant="contained"
+          size="large"
+          component="a"
+          href={spaceHost}
+          target="_blank"
+          rel="noopener noreferrer"
+          endIcon={<OpenInNewIcon />}
+          sx={{
+            px: 5,
+            py: 1.5,
+            fontSize: '1rem',
+            fontWeight: 700,
+            textTransform: 'none',
+            borderRadius: '12px',
+            bgcolor: HF_ORANGE,
+            color: '#000',
+            boxShadow: '0 4px 24px rgba(255, 157, 0, 0.3)',
+            textDecoration: 'none',
+            '&:hover': {
+              bgcolor: '#FFB340',
+              boxShadow: '0 6px 32px rgba(255, 157, 0, 0.45)',
+            },
+          }}
+        >
+          Open ML Agent
+        </Button>
+      ) : !isAuthenticated && !isDevUser ? (
+        // Direct access + not logged in → sign in button
         <Button
           variant="contained"
           size="large"