Enhances security considerations when token authentication is enabled. Changes include: usage of token hash for communication, new endpoint to fetch token from front end and reduced payloads of other endpoints.

Author: krisctl

gui/package-lock.json

@@ -15,7 +15,8 @@
     "react-use": "^15.3.4",
     "redux": "^4.0.5",
     "redux-thunk": "^2.3.0",
-    "reselect": "^4.0.0"
+    "reselect": "^4.0.0",
+    "crypto-js": "4.1.1"
   },
   "scripts": {
     "start": "react-scripts start",
@@ -51,4 +52,4 @@
     "react-test-renderer": "^16.13.1",
     "redux-mock-store": "^1.5.4"
   }
-}
+}

gui/package.json

@@ -18,10 +18,10 @@ describe.each([
   [actionCreators.setOverlayVisibility, [false], { type: actions.SET_OVERLAY_VISIBILITY, visibility: false }],
   [actionCreators.setTriggerPosition, [12, 12], { type: actions.SET_TRIGGER_POSITION, x: 12, y: 12 }],
   [actionCreators.setTriggerPosition, [52, 112], { type: actions.SET_TRIGGER_POSITION, x: 52, y: 112 }],
-  [actionCreators.setAuthStatus, [true], {type: actions.SET_AUTH_STATUS, authInfo: true}],
-  [actionCreators.setAuthStatus, [false], {type: actions.SET_AUTH_STATUS, authInfo: false}],
-  [actionCreators.setAuthToken, ['string'], {type: actions.SET_AUTH_TOKEN, authInfo: 'string'}],
-  [actionCreators.setAuthToken, [null], {type: actions.SET_AUTH_TOKEN, authInfo: null}]
+  [actionCreators.setAuthStatus, [true], { type: actions.SET_AUTH_STATUS, authInfo: true }],
+  [actionCreators.setAuthStatus, [false], { type: actions.SET_AUTH_STATUS, authInfo: false }],
+  [actionCreators.setAuthToken, ['string'], { type: actions.SET_AUTH_TOKEN, authInfo: 'string' }],
+  [actionCreators.setAuthToken, [null], { type: actions.SET_AUTH_TOKEN, authInfo: null }]
 ])('Test Set actionCreators', (method, input, expectedAction) => {
   test(`check if an action of type  ${expectedAction.type} is returned when method actionCreator.${method.name}() is called`, () => {
     expect(method(...input)).toEqual(expectedAction);
@@ -206,9 +206,9 @@ describe('Test Async actionCreators', () => {
     fetchMock.restore();
   });
 
-  it('dispatches SET_AUTH_STATUS when fetching auth info and not authorised', () => {
+  it('dispatches SET_AUTH_STATUS when fetching auth info and not authorized', () => {
     let token = 'token'
-    fetchMock.once('/authenticate_request', {
+    fetchMock.once('/authenticate', {
       body: {
         authStatus: false,
         error: {
@@ -218,23 +218,23 @@ describe('Test Async actionCreators', () => {
         }
       }
     });
-    const expectedActions = [actions.SET_AUTH_STATUS, actions.SET_AUTH_TOKEN];
+    const expectedActions = [actions.SET_AUTH_STATUS];
 
     return store.dispatch(actionCreators.updateAuthStatus(token)).then(() => {
       const received = store.getActions();
       expect(received.map((a) => a.type)).toEqual(expectedActions);
     });
   });
 
-  it('dispatches SET_AUTH_STATUS, when fetching auth info and authorised', () => {
+  it('dispatches SET_AUTH_STATUS, when fetching auth info and authorized', () => {
     let token = 'token'
-    fetchMock.once('/authenticate_request', {
+    fetchMock.once('/authenticate', {
       body: {
         authStatus: true,
         error: null
       }
     });
-    const expectedActions = [actions.SET_AUTH_STATUS, actions.SET_AUTH_TOKEN];
+    const expectedActions = [actions.SET_AUTH_STATUS];
 
     return store.dispatch(actionCreators.updateAuthStatus(token)).then(() => {
       const received = store.getActions();

gui/src/actionCreators/actionCreators.spec.js

@@ -20,19 +20,20 @@ import {
     RECEIVE_ERROR,
     RECEIVE_ENV_CONFIG,
     SET_AUTH_STATUS,
-    SET_AUTH_TOKEN    
+    SET_AUTH_TOKEN
 } from '../actions';
 import { selectMatlabPending } from '../selectors';
+import sha256 from 'crypto-js/sha256';
 
-export function setAuthStatus(authInfo){
+export function setAuthStatus(authInfo) {
     return {
         type: SET_AUTH_STATUS,
         authInfo
     }
 }
 
-export function setAuthToken(authInfo){
-    return{
+export function setAuthToken(authInfo) {
+    return {
         type: SET_AUTH_TOKEN,
         authInfo
     }
@@ -209,24 +210,37 @@ export function fetchEnvConfig() {
         dispatch(requestEnvConfig());
         const response = await fetchWithTimeout(dispatch, './get_env_config', {}, 10000);
         const data = await response.json();
-        dispatch(receiveEnvConfig(data));       
+        dispatch(receiveEnvConfig(data));
     };
 }
 
-export function updateAuthStatus(token){
+export function updateAuthStatus(token) {
     // make response consistent with rest of reducers (data)
-    return async function(dispatch, getState){
-        
+    return async function (dispatch, getState) {
+
+        const tokenHash = sha256(token)
         const options = {
             method: 'POST',
             headers: {
-                'mwi_auth_token': token
-                },
+                'mwi_auth_token': tokenHash
+            },
         };
-        const response = await fetchWithTimeout(dispatch, './authenticate_request', options, 15000);
+        const response = await fetchWithTimeout(dispatch, './authenticate', options, 15000);
         const data = await response.json()
 
         dispatch(setAuthStatus(data))
+    }
+}
+
+export function getAuthToken() {
+    // make response consistent with rest of reducers (data)
+    return async function (dispatch, getState) {
+
+        const options = {
+            method: 'GET'
+        };
+        const response = await fetchWithTimeout(dispatch, './get_auth_token', options, 10000);
+        const data = await response.json()
         dispatch(setAuthToken(data))
     }
 }
@@ -348,4 +362,4 @@ export function fetchStartMatlab() {
         dispatch(receiveStartMatlab(data));
 
     }
-}
+}

gui/src/actionCreators/index.js

@@ -13,7 +13,7 @@ import {
     selectIsAuthenticated,
     selectAuthToken,
 } from '../../selectors';
-import { updateAuthStatus } from '../../actionCreators';
+import { updateAuthStatus, getAuthToken } from '../../actionCreators';
 import './Information.css';
 
 function Information({
@@ -96,7 +96,11 @@ function Information({
         }
     };
 
-    const viewToken = () => { 
+    const viewToken = () => {
+        // Fetch auth token from server if it is not already available in redux store
+        if (!authToken) {
+            dispatch(getAuthToken());
+        }
         setShowToken(true);
     }
 
@@ -108,7 +112,7 @@ function Information({
         // Update redux state with the token after validation from the backend
         dispatch(updateAuthStatus(token.trim()));
 
-        // Reset local state variable. 
+        // Reset local state variable which was used to hold user's input for token. 
         setToken('');
     }
 
@@ -207,4 +211,4 @@ Information.propTypes = {
     closeHandler: PropTypes.func.isRequired
 };
 
-export default Information;
+export default Information;

gui/src/components/Information/index.js

@@ -26,8 +26,8 @@ import {
 
 // Stores info on whether token authentication enabled on the backend. 
 // This is enforced by the backend.
-export function authEnabled(state = false, action){
-    switch(action.type){
+export function authEnabled(state = false, action) {
+    switch (action.type) {
         case RECEIVE_ENV_CONFIG:
             return action.config.authEnabled;
         default:
@@ -36,10 +36,10 @@ export function authEnabled(state = false, action){
 }
 
 // Stores status of token authentication.
-export function authStatus(state = false, action){
-   switch(action.type){
-        case RECEIVE_ENV_CONFIG:            
-            return action.config.authStatus;            
+export function authStatus(state = false, action) {
+    switch (action.type) {
+        case RECEIVE_ENV_CONFIG:
+            return action.config.authStatus;
         case SET_AUTH_STATUS:
             return action.authInfo.authStatus;
         default:
@@ -48,17 +48,10 @@ export function authStatus(state = false, action){
 }
 
 // Stores auth token
-export function authToken(state = null, action){    
-    switch(action.type){
+export function authToken(state = null, action) {
+    switch (action.type) {
         case SET_AUTH_TOKEN:
-            if(!action.authInfo.error){
-                return action.authInfo.authToken;
-            } else {
-                return state
-            }
-        case RECEIVE_ENV_CONFIG:
-            return action.config.authToken;
-
+            return action.authInfo.authToken;
         default:
             return state;
     }
@@ -169,7 +162,7 @@ export function isFetching(state = false, action) {
         case RECEIVE_STOP_MATLAB:
         case RECEIVE_START_MATLAB:
         case RECEIVE_ERROR:
-        case RECEIVE_ENV_CONFIG: 
+        case RECEIVE_ENV_CONFIG:
             return false;
         default:
             return state;
@@ -235,8 +228,8 @@ export function loadUrl(state = null, action) {
 export function error(state = null, action) {
     switch (action.type) {
         case SET_AUTH_STATUS:
-            if(action?.authInfo?.error !== null){
-                const {message, type } = action.authInfo.error
+            if (action?.authInfo?.error !== null) {
+                const { message, type } = action.authInfo.error
                 return {
                     message: message,
                     type: type,
@@ -265,12 +258,12 @@ export function error(state = null, action) {
     }
 }
 
-export function envConfig(state = null, action) {    
+export function envConfig(state = null, action) {
     switch (action.type) {
         case RECEIVE_ENV_CONFIG:
             // Token authentication info is also sent as a response to /get_env_config endpoint.
             // As its already stored in 'authStatus', 'authEnabled' and 'authToken', ignoring it in envConfig.
-            const {authStatus, authEnabled, authToken, ...envConfig} = action.config
+            const { authStatus, authEnabled, ...envConfig } = action.config
             return envConfig
         default:
             return state;