try to fix cookie stuff

ui/src/app/api/auth/hf/exchange/route.ts

@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
   }
 
   const storedState = request.cookies.get(STATE_COOKIE)?.value;
-  if (!storedState || state !== storedState) {
+  if (storedState && state !== storedState) {
     const response = NextResponse.json({ error: 'Invalid or expired OAuth state' }, { status: 400 });
     response.cookies.delete(STATE_COOKIE);
     return response;

ui/src/app/api/auth/hf/login/route.ts

@@ -10,7 +10,8 @@ export async function GET(request: NextRequest) {
     return NextResponse.json({ error: 'OAuth client ID not configured' }, { status: 500 });
   }
 
-  const state = randomUUID();
+  const providedState = request.nextUrl.searchParams.get('state');
+  const state = providedState || randomUUID();
   const origin = request.nextUrl.origin;
   const envRedirect =
     process.env.HF_OAUTH_REDIRECT_URI || process.env.NEXT_PUBLIC_HF_OAUTH_REDIRECT_URI || '';
@@ -24,15 +25,18 @@ export async function GET(request: NextRequest) {
   authorizeUrl.searchParams.set('state', state);
 
   const response = NextResponse.redirect(authorizeUrl.toString(), { status: 302 });
-  response.cookies.set({
-    name: STATE_COOKIE,
-    value: state,
-    httpOnly: true,
-    sameSite: 'lax',
-    secure: process.env.NODE_ENV === 'production',
-    maxAge: 60 * 5,
-    path: '/',
-  });
+
+  if (!providedState) {
+    response.cookies.set({
+      name: STATE_COOKIE,
+      value: state,
+      httpOnly: true,
+      sameSite: 'lax',
+      secure: process.env.NODE_ENV === 'production',
+      maxAge: 60 * 5,
+      path: '/',
+    });
+  }
 
   return response;
 }

ui/src/app/auth/hf/callback/page.tsx

@@ -24,6 +24,14 @@ export default function HFOAuthCallbackPage() {
       }
 
       if (code && state) {
+        const storedState = sessionStorage.getItem('HF_OAUTH_STATE');
+        if (!storedState || storedState !== state) {
+          setLocalError('Invalid or expired OAuth state. Please try signing in again.');
+          sessionStorage.removeItem('HF_OAUTH_STATE');
+          router.replace('/settings');
+          return;
+        }
+
         const success = await exchangeCodeForToken(code, state);
         if (success) {
           router.replace('/dashboard');

ui/src/app/jobs/new/jobConfig.ts

@@ -55,7 +55,7 @@ export const defaultJobConfig: JobConfig = {
         train: {
           batch_size: 1,
           bypass_guidance_embedding: true,
-          steps: 3000,
+          steps: 1200,
           gradient_accumulation: 1,
           train_unet: true,
           train_text_encoder: false,
@@ -83,7 +83,7 @@ export const defaultJobConfig: JobConfig = {
           switch_boundary_every: 1,
         },
         model: {
-          name_or_path: 'ostris/Flex.1-alpha',
+          name_or_path: 'Qwen/Qwen-Image',
           quantize: true,
           qtype: 'qfloat8',
           quantize_te: true,
@@ -107,27 +107,6 @@ export const defaultJobConfig: JobConfig = {
             {
               prompt: 'a horse is a DJ at a night club, fish eye lens, smoke machine, lazer lights, holding a martini',
             },
-            {
-              prompt: 'a man showing off his cool new t shirt at the beach, a shark is jumping out of the water in the background',
-            },
-            {
-              prompt: 'a bear building a log cabin in the snow covered mountains',
-            },
-            {
-              prompt: 'woman playing the guitar, on stage, singing a song, laser lights, punk rocker',
-            },
-            {
-              prompt: 'hipster man with a beard, building a chair, in a wood shop',
-            },
-            {
-              prompt: 'photo of a man, white background, medium shot, modeling clothing, studio lighting, white backdrop',
-            },
-            {
-              prompt: "a man holding a sign that says, 'this is a sign'",
-            },
-            {
-              prompt: 'a bulldog, in a post apocalyptic world, with a shotgun, in a leather jacket, in a desert, with a motorcycle',
-            },
           ],
           neg: '',
           seed: 42,

ui/src/contexts/AuthContext.tsx

@@ -200,6 +200,14 @@ export function AuthProvider({ children }: { children: React.ReactNode }) {
         setStatus('error');
         return false;
       }
+      if (typeof window !== 'undefined') {
+        const storedState = sessionStorage.getItem('HF_OAUTH_STATE');
+        if (!storedState || storedState !== state) {
+          setError('Invalid or expired OAuth state. Please try again.');
+          setStatus('error');
+          return false;
+        }
+      }
       setStatus('checking');
       setError(null);
       try {
@@ -223,6 +231,9 @@ export function AuthProvider({ children }: { children: React.ReactNode }) {
           namespace: data.namespace || 'user',
           method: 'oauth',
         });
+        if (typeof window !== 'undefined') {
+          sessionStorage.removeItem('HF_OAUTH_STATE');
+        }
         return true;
       } catch (err: any) {
         setError(err?.message || 'Failed to authenticate with Hugging Face');
@@ -245,7 +256,11 @@ export function AuthProvider({ children }: { children: React.ReactNode }) {
     setStatus('checking');
     setError(null);
 
-    window.location.href = '/api/auth/hf/login';
+    const state = window.crypto.randomUUID();
+    sessionStorage.setItem('HF_OAUTH_STATE', state);
+    const loginUrl = new URL('/api/auth/hf/login', window.location.origin);
+    loginUrl.searchParams.set('state', state);
+    window.location.href = loginUrl.toString();
   }, []);
 
   const logout = useCallback(() => {