From 10a2260fc0791c3f3bca2ae487befe90727d762a Mon Sep 17 00:00:00 2001 From: Abubakar Abid Date: Wed, 24 Jul 2024 20:00:02 -0700 Subject: [PATCH] Adds a security note to the Oauth section (#8901) * security note * Update guides/03_additional-features/09_sharing-your-app.md Co-authored-by: Ali Abdalla --------- Co-authored-by: Ali Abdalla --- guides/03_additional-features/09_sharing-your-app.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/guides/03_additional-features/09_sharing-your-app.md b/guides/03_additional-features/09_sharing-your-app.md index d8b05151a3a06..351ad0a997a1c 100644 --- a/guides/03_additional-features/09_sharing-your-app.md +++ b/guides/03_additional-features/09_sharing-your-app.md @@ -311,6 +311,8 @@ Users can revoke access to their profile at any time in their [settings](https:/ As seen above, OAuth features are available only when your app runs in a Space. However, you often need to test your app locally before deploying it. To test OAuth features locally, your machine must be logged in to Hugging Face. Please run `huggingface-cli login` or set `HF_TOKEN` as environment variable with one of your access token. You can generate a new token in your settings page (https://huggingface.co/settings/tokens). Then, clicking on the `gr.LoginButton` will login your local Hugging Face profile, allowing you to debug your app with your Hugging Face account before deploying it to a Space. +**Security Note**: It is important to note that adding a `gr.LoginButton` does not restrict users from using your app, in the same way that adding [username-password authentication](/guides/sharing-your-app#password-protected-app) does. This means that users of your app who have not logged in with Hugging Face can still access and run events in your Gradio app -- the difference is that the `gr.OAuthProfile` or `gr.OAuthToken` will be `None` in the corresponding functions. + ### OAuth (with external providers)
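Review bot: In the added **Security Note** paragraph, the clause "does not restrict users from using your app, in the same way that adding [username-password authentication] does" can be read two ways because of the comma. One reading is that password authentication also fails to restrict access, which is the opposite of what is meant. Suggest "Unlike username-password authentication, adding a `gr.LoginButton` does not restrict who can use your app." The note also says what goes wrong (users who have not logged in "can still access and run events", with `gr.OAuthProfile` or `gr.OAuthToken` being `None`) but stops short of telling the reader what to do about it. A closing sentence would help, for example that any event which must be limited to logged-in users has to check for `None` in its own function and return early, and that the password-protected setup already linked is the option when the whole app must be gated. Minor: "It is important to note that" is redundant directly after the bold "Security Note" label and can be dropped.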