Access tokens (#507)

* Access tokens

* Unset access token on logout

* Update src/huggingface_hub/hf_api.py

Co-authored-by: Julien Chaumond <[email protected]>

* Address review comments

* style

Co-authored-by: Julien Chaumond <[email protected]>

Author: LysandreJik

src/huggingface_hub/commands/user.py

@@ -164,11 +164,19 @@ def run(self):
         _|    _|  _|    _|  _|    _|  _|    _|    _|    _|    _|_|  _|    _|      _|        _|    _|  _|        _|
         _|    _|    _|_|      _|_|_|    _|_|_|  _|_|_|  _|      _|    _|_|_|      _|        _|    _|    _|_|_|  _|_|_|_|
 
+        To login, `huggingface_hub` now requires a token generated from https://huggingface.co/settings/token.
+        (Deprecated, will be removed in v0.3.0) To login with username and password instead, interrupt with Ctrl+C.
         """
         )
-        username = input("Username: ")
-        password = getpass()
-        _login(self._api, username, password)
+
+        try:
+            token = getpass("Token: ")
+            _login(self._api, token=token)
+
+        except KeyboardInterrupt:
+            username = input("\rUsername: ")
+            password = getpass()
+            _login(self._api, username, password)
 
 
 class WhoamiCommand(BaseUserCommand):
@@ -196,7 +204,13 @@ def run(self):
             print("Not logged in")
             exit()
         HfFolder.delete_token()
-        self._api.logout(token)
+        HfApi.unset_access_token()
+        try:
+            self._api.logout(token)
+        except HTTPError as e:
+            # Logging out with an access token will return a client error.
+            if not e.response.status_code == 400:
+                raise e
         print("Successfully logged out.")
 
 
@@ -398,6 +412,7 @@ def _login(hf_api, username=None, password=None, token=None):
     elif not hf_api._is_valid_token(token):
         raise ValueError("Invalid token passed.")
 
+    hf_api.set_access_token(token)
     HfFolder.save_token(token)
     print("Login successful")
     print("Your token has been saved to", HfFolder.path_token)

src/huggingface_hub/hf_api.py

@@ -12,8 +12,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
-
+import logging
 import os
 import re
 import subprocess
@@ -41,6 +40,8 @@
     from typing_extensions import Literal
 
 
+USERNAME_PLACEHOLDER = "hf_user"
+
 REMOTE_FILEPATH_REGEX = re.compile(r"^\w[\w\/\-]*(\.\w+)?$")
 # ^^ No trailing slash, no backslash, no spaces, no relative parts ("." or "..")
 #    Only word characters and an optional extension
@@ -333,7 +334,6 @@ def erase_from_credential_store(username=None):
         standard_input += "\n"
 
         process.stdin.write(standard_input.encode("utf-8"))
-        print(standard_input)
         process.stdin.flush()
 
 
@@ -349,6 +349,9 @@ def login(self, username: str, password: str) -> str:
 
         Throws: requests.exceptions.HTTPError if credentials are invalid
         """
+        logging.error(
+            "HfApi.login: This method is deprecated in favor of `set_access_token`."
+        )
         path = "{}/api/login".format(self.endpoint)
         r = requests.post(path, json={"username": username, "password": password})
         r.raise_for_status()
@@ -391,6 +394,7 @@ def logout(self, token: Optional[str] = None) -> None:
             token (``str``, `optional`):
                 Hugging Face token. Will default to the locally saved token if not provided.
         """
+        logging.error("This method is deprecated in favor of `unset_access_token`.")
         if token is None:
             token = HfFolder.get_token()
         if token is None:
@@ -405,6 +409,14 @@ def logout(self, token: Optional[str] = None) -> None:
         r = requests.post(path, headers={"authorization": "Bearer {}".format(token)})
         r.raise_for_status()
 
+    @staticmethod
+    def set_access_token(access_token: str):
+        write_to_credential_store(USERNAME_PLACEHOLDER, access_token)
+
+    @staticmethod
+    def unset_access_token():
+        erase_from_credential_store(USERNAME_PLACEHOLDER)
+
     def list_models(
         self,
         filter: Union[str, Iterable[str], None] = None,

tests/test_hf_api.py

@@ -25,13 +25,15 @@
 import pytest
 
 import requests
+from huggingface_hub.commands.user import _login
 from huggingface_hub.constants import (
     REPO_TYPE_DATASET,
     REPO_TYPE_SPACE,
     SPACES_SDK_TYPES,
 )
 from huggingface_hub.file_download import cached_download, hf_hub_download
 from huggingface_hub.hf_api import (
+    USERNAME_PLACEHOLDER,
     DatasetInfo,
     HfApi,
     HfFolder,
@@ -48,6 +50,7 @@
     ENDPOINT_STAGING_BASIC_AUTH,
     FULL_NAME,
     PASS,
+    TOKEN,
     USER,
 )
 from .testing_utils import (
@@ -111,6 +114,22 @@ def test_login_git_credentials(self):
         erase_from_credential_store(username=USER)
         self.assertTupleEqual(read_from_credential_store(USER), (None, None))
 
+    def test_login_cli(self):
+        _login(self._api, username=USER, password=PASS)
+        self.assertTupleEqual(read_from_credential_store(USER), (USER.lower(), PASS))
+        erase_from_credential_store(username=USER)
+        self.assertTupleEqual(read_from_credential_store(USER), (None, None))
+
+        _login(self._api, token=TOKEN)
+        self.assertTupleEqual(
+            read_from_credential_store(USERNAME_PLACEHOLDER),
+            (USERNAME_PLACEHOLDER, TOKEN),
+        )
+        erase_from_credential_store(username=USERNAME_PLACEHOLDER)
+        self.assertTupleEqual(
+            read_from_credential_store(USERNAME_PLACEHOLDER), (None, None)
+        )
+
 
 class HfApiCommonTestWithLogin(HfApiCommonTest):
     @classmethod
@@ -572,6 +591,7 @@ def tearDown(self) -> None:
         self._api.delete_repo(name=self.REPO_NAME, token=self._token)
 
     def test_model_info(self):
+        shutil.rmtree(os.path.dirname(HfFolder.path_token))
         # Test we cannot access model info without a token
         with self.assertRaisesRegex(requests.exceptions.HTTPError, "404 Client Error"):
             _ = self._api.model_info(repo_id=f"{USER}/{self.REPO_NAME}")

tests/testing_constants.py

@@ -2,6 +2,9 @@
 FULL_NAME = "Dummy User"
 PASS = "__DUMMY_TRANSFORMERS_PASS__"
 
+# Not critical, only usable on the sandboxed CI instance.
+TOKEN = "hf_94wBhPGp6KrrTH3KDchhKpRxZwd6dmHWLL"
+
 ENDPOINT_PRODUCTION = "https://huggingface.co"
 ENDPOINT_STAGING = "https://moon-staging.huggingface.co"
 ENDPOINT_STAGING_BASIC_AUTH = f"https://{USER}:{PASS}@moon-staging.huggingface.co"