refactor(security): delegate org access control to Space metadata

- [config] Add `hf_oauth_authorized_org` to Space metadata (README.md:9-10)
- [docs] Update documentation for `hf_oauth_authorized_org` and security section (README.md:23-32, 48)
- [remove] Remove `requests` import (utils.py:6)
- [remove] Remove OAuth/Org Access Utilities section and functions (utils.py:301-370)
- [remove] Remove `check_org_access` and `format_access_denied_message` imports from handler files (chat_handler.py:18-19, image_handler.py:19-20, tts_handler.py:19-20, video_handler.py:17-18)
- [update] Replace `check_org_access` calls with `if not access_token` checks in handler functions (chat_handler.py:178-179, 218-219, image_handler.py:290-291, 319-320, tts_handler.py:169-170, video_handler.py:142-143)
- [update] Change access denial messages to "Access Required" across handlers (chat_handler.py:181, 221; image_handler.py:292, 321; tts_handler.py:171; video_handler.py:144)
- [refactor] Add `username = None` before access token checks in all handlers (chat_handler.py:177, 217; image_handler.py:289, 318; tts_handler.py:168; video_handler.py:141)

README.md

@@ -7,6 +7,8 @@ sdk: gradio
 app_file: app.py
 pinned: false
 hf_oauth: true
+hf_oauth_authorized_org:
+    - nazdev
 ---
 
 ## 🚀 HF‑Inferoxy AI Hub
@@ -23,7 +25,15 @@ A focused, multi‑modal AI workspace. Chat, create images, transform images, ge
 Add Space secrets:
 - `PROXY_URL`: HF‑Inferoxy server URL (e.g., `https://proxy.example.com`)
 - `PROXY_KEY`: API key for your proxy
-- `ALLOWED_ORGS`: Comma/space‑separated org slugs allowed to use the Space
+  
+Org access control: instead of a custom `ALLOWED_ORGS` secret and runtime checks, configure org restrictions in README metadata using `hf_oauth_authorized_org` per HF Spaces OAuth docs. Example:
+
+```yaml
+hf_oauth: true
+hf_oauth_authorized_org:
+  - your-org-slug
+  - another-org
+```
 
 The app reads these at runtime — no extra setup required.
 
@@ -47,7 +57,7 @@ The app reads these at runtime — no extra setup required.
 Compatible with providers configured in HF‑Inferoxy, including `auto` (default), `hf-inference`, `cerebras`, `cohere`, `groq`, `together`, `fal-ai`, `replicate`, `nebius`, `nscale`, and others.
 
 ### Security
-- HF OAuth validates account/org membership (no inference scope).
+- HF OAuth validates account; org membership is enforced by Space metadata (`hf_oauth_authorized_org`).
 - Inference uses proxy‑managed tokens. Secrets are Space secrets.
 - RBAC, rotation, and quarantine handled by HF‑Inferoxy.
 

chat_handler.py

@@ -15,8 +15,6 @@ from hf_token_utils import get_proxy_token, report_token_status
 from utils import (
     validate_proxy_key, 
     format_error_message,
-    check_org_access,
-    format_access_denied_message,
     render_with_reasoning_toggle
 )
 
@@ -178,12 +176,11 @@ def handle_chat_submit(message, history, system_msg, model_name, provider, max_t
         yield history, ""
         return
 
-    # Enforce org-based access control via HF OAuth token
+    # Require sign-in: if no token present, prompt login
     access_token = getattr(hf_token, "token", None) if hf_token is not None else None
-    is_allowed, access_msg, username, _matched = check_org_access(access_token)
-    if not is_allowed:
-        # Show access denied as assistant message
-        assistant_response = format_access_denied_message(access_msg)
+    username = None
+    if not access_token:
+        assistant_response = format_error_message("Access Required", "Please sign in with Hugging Face (sidebar Login button).")
         current_history = history + [{"role": "assistant", "content": assistant_response}]
         yield current_history, ""
         return
@@ -218,12 +215,11 @@ def handle_chat_retry(history, system_msg, model_name, provider, max_tokens, tem
     Retry the assistant response for the selected message.
     Works with gr.Chatbot.retry() which provides retry_data.index for the message.
     """
-    # Enforce org-based access control via HF OAuth token
+    # Require sign-in: if no token present, prompt login
     access_token = getattr(hf_token, "token", None) if hf_token is not None else None
-    is_allowed, access_msg, username, _matched = check_org_access(access_token)
-    if not is_allowed:
-        # Show access denied as assistant message
-        assistant_response = format_access_denied_message(access_msg)
+    username = None
+    if not access_token:
+        assistant_response = format_error_message("Access Required", "Please sign in with Hugging Face (sidebar Login button).")
         current_history = (history or []) + [{"role": "assistant", "content": assistant_response}]
         yield current_history
         return

image_handler.py

@@ -17,8 +17,6 @@ from utils import (
     validate_proxy_key, 
     format_error_message, 
     format_success_message,
-    check_org_access,
-    format_access_denied_message
 )
 
 # Timeout configuration for image generation
@@ -289,11 +287,11 @@ def handle_image_to_image_generation(input_image_val, prompt_val, model_val, pro
     if input_image_val is None:
         return None, format_error_message("Validation Error", "Please upload an input image")
     
-    # Enforce org-based access control via HF OAuth token
+    # Require sign-in via HF OAuth token
     access_token = getattr(hf_token, "token", None) if hf_token is not None else None
-    is_allowed, access_msg, username, _matched = check_org_access(access_token)
-    if not is_allowed:
-        return None, format_access_denied_message(access_msg)
+    username = None
+    if not access_token:
+        return None, format_error_message("Access Required", "Please sign in with Hugging Face (sidebar Login button).")
     
     # Generate image-to-image
     return generate_image_to_image(
@@ -318,11 +316,11 @@ def handle_image_generation(prompt_val, model_val, provider_val, negative_prompt
     if not is_valid:
         return None, format_error_message("Validation Error", error_msg)
     
-    # Enforce org-based access control via HF OAuth token
+    # Require sign-in via HF OAuth token
     access_token = getattr(hf_token, "token", None) if hf_token is not None else None
-    is_allowed, access_msg, username, _matched = check_org_access(access_token)
-    if not is_allowed:
-        return None, format_access_denied_message(access_msg)
+    username = None
+    if not access_token:
+        return None, format_error_message("Access Required", "Please sign in with Hugging Face (sidebar Login button).")
     
     # Generate image
     return generate_image(

tts_handler.py

@@ -18,8 +18,6 @@ from utils import (
     format_error_message, 
     format_success_message,
     TTS_MODEL_CONFIGS,
-    check_org_access,
-    format_access_denied_message
 )
 
 # Timeout configuration for TTS generation
@@ -169,11 +167,11 @@ def handle_text_to_speech_generation(text_val, model_val, provider_val, voice_va
     if len(text_val) > 5000:
         return None, format_error_message("Validation Error", "Text is too long. Please keep it under 5000 characters.")
     
-    # Enforce org-based access control via HF OAuth token
+    # Require sign-in via HF OAuth token
     access_token = getattr(hf_token, "token", None) if hf_token is not None else None
-    is_allowed, access_msg, username, _matched = check_org_access(access_token)
-    if not is_allowed:
-        return None, format_access_denied_message(access_msg)
+    username = None
+    if not access_token:
+        return None, format_error_message("Access Required", "Please sign in with Hugging Face (sidebar Login button).")
     
     # Generate speech
     return generate_text_to_speech(

utils.py

@@ -5,7 +5,6 @@ Contains configuration constants and helper functions.
 
 import os
 import re
-import requests
 
 
 # Configuration constants
@@ -301,69 +300,6 @@ def get_gradio_theme():
         return None
 
 
-# -----------------------------
-# OAuth / Org Access Utilities
-# -----------------------------
-
-def _parse_allowed_orgs() -> list[str]:
-    """Parse comma/space separated ALLOWED_ORGS env var into a list of lowercase names."""
-    raw = os.getenv("ALLOWED_ORGS", "").strip()
-    if not raw:
-        return []
-    # support comma or whitespace separated
-    parts = [p.strip().lower() for p in raw.replace("\n", ",").replace(" ", ",").split(",") if p.strip()]
-    return list(dict.fromkeys(parts))  # dedupe while preserving order
-
-
-def fetch_hf_identity(access_token: str) -> tuple[bool, dict | None, str]:
-    """
-    Call whoami-v2 to get user identity and orgs.
-    Returns (success, data, error_message).
-    """
-    if not access_token:
-        return False, None, "Missing access token"
-    try:
-        resp = requests.get(
-            "https://huggingface.co/api/whoami-v2",
-            headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
-            timeout=15,
-        )
-        if resp.status_code != 200:
-            return False, None, f"HF whoami-v2 HTTP {resp.status_code}"
-        return True, resp.json(), ""
-    except requests.exceptions.RequestException as e:
-        return False, None, f"HF whoami-v2 error: {str(e)}"
-
-
-def check_org_access(access_token: str) -> tuple[bool, str, str | None, list[str]]:
-    """
-    Validate that the logged-in user belongs to any of ALLOWED_ORGS.
-    Returns (is_allowed, message, username, matched_orgs).
-    """
-    allowed_orgs = _parse_allowed_orgs()
-    if not access_token:
-        return False, "🔒 Please log in with Hugging Face to continue.", None, []
-    if not allowed_orgs:
-        return False, "❌ Access denied: ALLOWED_ORGS is not configured in Space secrets.", None, []
-
-    ok, data, err = fetch_hf_identity(access_token)
-    if not ok or not data:
-        return False, f"❌ Failed to verify identity: {err}", None, []
-
-    username = data.get("name") or data.get("fullname") or data.get("id")
-    org_objs = data.get("orgs", []) or []
-    user_org_names = [str(org.get("name", "")).lower() for org in org_objs if org.get("name")]
-    matched = sorted(list(set(user_org_names).intersection(set(allowed_orgs))))
-    if matched:
-        return True, f"✅ Access granted for @{username} in org(s): {', '.join(matched)}", username, matched
-    return False, f"🚫 Access denied for @{username}. Required org(s): {', '.join(allowed_orgs)}", username, []
-
-
-def format_access_denied_message(message: str) -> str:
-    """Return a standardized access denied message for UI display."""
-    return format_error_message("Access Denied", message)
-
-
 # -----------------------------
 # Reasoning (<think>) utilities
 # -----------------------------

video_handler.py

@@ -16,8 +16,6 @@ from utils import (
     validate_proxy_key,
     format_error_message,
     format_success_message,
-    check_org_access,
-    format_access_denied_message,
 )
 
 
@@ -142,9 +140,9 @@ def handle_video_generation(prompt_val, model_val, provider_val, steps_val, guid
         return None, format_error_message("Validation Error", "Please enter a prompt for video generation")
 
     access_token = getattr(hf_token, "token", None) if hf_token is not None else None
-    is_allowed, access_msg, username, _matched = check_org_access(access_token)
-    if not is_allowed:
-        return None, format_access_denied_message(access_msg)
+    username = None
+    if not access_token:
+        return None, format_error_message("Access Required", "Please sign in with Hugging Face (sidebar Login button).")
 
     return generate_video(
         prompt=prompt_val.strip(),