Moving Token-Based Authentication to React infrastructure

Author: Eshan Patel

SECURITY.md

@@ -72,9 +72,9 @@ This token can be provided to the server in 2 ways:
     ```
     Once provided, this information is cached in the browser and will be used in subsequent interactions
 
-2. Through the password field on the page that is presented when the user is not already logged in.
-    <p align="left">
-      <img width="600" src="./img/token_authentication_page.png">
+2. Through the auth token input field in the Status Information dialogue box that is presented when the user is not already logged in.
+    <p align="center">
+      <img width="800" src="./img/token_authentication_page.png">
     </p>
 
 **NOTE** : Its highly recommended to use this feature along with SSL enabled as shown [here](#use-token-authentication-with-ssl-enabled).
@@ -182,20 +182,16 @@ $ ssh test-user@usermachine
 For servers for which `Token-Based Authentication` were enabled, the URLs above will include their tokens.
 You can use them to gain access to your server as described in the [Introduction](#introduction).
 
-#### **Recover token from a previously authenticated browser session**
+#### **Retrieve token from a previously authenticated browser session**
 
-1. Navigate to a browser window in which you had previously used the server.
-    ```bash
-    # Lets assume this was the server:
-    http://127.0.0.1:36537/test
-    ```
-1. Edit the URL to access the endpoint `mwi_auth_token`
-    ```html
-    http://127.0.0.1:36537/test/get_mwi_auth_token
-    ```
-    This should take you to a screen which prints the `mwi_auth_token` for that server, as shown below:
-    <p align="left">
-      <img width="600" src="./img/recover_mwi_auth_token.png">
+1. Click on the `View Token` link to see the token
+    <p align="center">
+      <img width="600" src="./img/retrieve_token.png">
+    </p>
+
+2. Click on the `Hide Token` link to hide the token 
+    <p align="center">
+      <img width="600" src="./img/retrieved_token.png">
     </p>
 
 ## Security Best Practices

gui/public/authorization.html

@@ -1,33 +1,6 @@
 <!-- Copyright (c) 2020-2022 The MathWorks, Inc. -->
 <!DOCTYPE html>
 <html lang="en">
-<script>
-  function isServerAuthenticated() {
-    // Check whether server is authorized
-    var url_string = document.URL
-    var base_url = url_string.split("index.html")[0]
-    var url = new URL(url_string);
-    var token = url.searchParams.get("mwi_auth_token");
-    var auth_endpoint = base_url + "authenticate_request"
-    if (token) {
-      auth_endpoint += "?mwi_auth_token=" + token
-    }
-    console.log("auth_endpoint: " + auth_endpoint);
-    fetch(auth_endpoint)
-      .then(function (response) {
-        if (response.ok) {
-          console.log('This page is authorized!')
-          return;
-        } else {
-          console.log('This page is NOT authorized!')
-          console.log("Redirecting to :" + base_url)
-          window.location.replace(base_url)
-        }
-      }).catch(function (error) {
-        console.log(error);
-      });
-  }
-</script>
 
 <head>
   <meta charset="utf-8" />
@@ -39,7 +12,7 @@
   <title>MATLAB</title>
 </head>
 
-<body onload="isServerAuthenticated()">
+<body>
   <noscript>You need to enable JavaScript to run this app.</noscript>
   <div id="root"></div>
 </body>