fix: auth flow for publish and write access check

- Add credentials: "include" to publish fetch so cookies are sent
- Rewrite checkWriteAccess: check Space owner match or org membership
instead of unreliable /settings endpoint probe
- Add debug logging for auth and publish failures

Made-with: Cursor

backend/src/auth.ts

@@ -33,6 +33,7 @@ export async function resolveUser(
     const avatarUrl = info.avatarUrl || "";
 
     const canEdit = await checkWriteAccess(accessToken, name);
+    console.log(`[auth] user=${name} canEdit=${canEdit}`);
 
     return { name, fullName, avatarUrl, canEdit };
   } catch (err) {
@@ -43,34 +44,43 @@ export async function resolveUser(
 
 /**
  * Check if user has write access to the Space repo.
+ *
+ * Strategy:
+ * 1. If the user owns the Space namespace, grant access.
+ * 2. If the user belongs to the org that owns the Space, check via
+ *    the /api/spaces/{id} endpoint which returns the user's role
+ *    when authenticated (the "role" field is present for members).
+ * 3. For public Spaces, try the /settings endpoint as a write-access probe.
+ *
  * Falls back to false on any error.
  */
 async function checkWriteAccess(
   accessToken: string,
-  _username: string
+  username: string
 ): Promise<boolean> {
   if (!SPACE_ID) return false;
 
   try {
+    const spaceOwner = SPACE_ID.split("/")[0];
+
+    // Owner of the Space namespace has write access
+    if (spaceOwner === username) return true;
+
+    // Check if user is a member of the org with write/admin role
     const res = await fetch(
-      `https://huggingface.co/api/spaces/${SPACE_ID}`,
+      `https://huggingface.co/api/organizations/${spaceOwner}/members`,
       { headers: { Authorization: `Bearer ${accessToken}` } }
     );
 
-    if (!res.ok) return false;
-
-    const data = (await res.json()) as Record<string, unknown>;
-
-    if (data.private === false) {
-      const authorOrg = SPACE_ID.split("/")[0];
-      const res2 = await fetch(
-        `https://huggingface.co/api/spaces/${SPACE_ID}/settings`,
-        { headers: { Authorization: `Bearer ${accessToken}` } }
-      );
-      return res2.ok;
+    if (res.ok) {
+      const members = (await res.json()) as Array<{ user: string; role: string }>;
+      const member = members.find((m) => m.user === username);
+      if (member && (member.role === "write" || member.role === "admin")) {
+        return true;
+      }
     }
 
-    return true;
+    return false;
   } catch {
     return false;
   }

backend/src/server.ts

@@ -145,7 +145,13 @@ app.post("/api/publish", async (req, res) => {
   if (oauthEnabled) {
     const token = extractToken(req.headers.cookie);
     const user = await resolveUser(token);
-    if (!user || !user.canEdit) {
+    if (!user) {
+      console.warn("[publish] no valid user from token, cookie present:", !!token);
+      res.status(403).json({ error: "Unauthorized: please log in first" });
+      return;
+    }
+    if (!user.canEdit) {
+      console.warn("[publish] user lacks write access:", user.name);
       res.status(403).json({ error: "Unauthorized: write access required" });
       return;
     }

frontend/src/App.tsx

@@ -127,6 +127,7 @@ export default function App() {
       const res = await fetch("/api/publish", {
         method: "POST",
         headers: { "Content-Type": "application/json" },
+        credentials: "include",
         body: JSON.stringify({ docName }),
       });
       if (!res.ok) {