Introducing Token-Based Authentication. See SECURITY.md for more details.

Deprecate python 3.6 Support
Introduce python 3.10 Support
Small Bug fixes
Closes GH-2

Author: Prabhakar Kumar

.github/workflows/release.yml

@@ -1,4 +1,4 @@
-# Copyright 2020-2021 The MathWorks, Inc
+# Copyright (c) 2020-2022 The MathWorks, Inc
 
 name: Release to PyPI
 
@@ -39,10 +39,10 @@ jobs:
         with:
           ref: ${{github.sha}}
 
-      - name: Set up Python 3.6
+      - name: Set up Python 3.7
         uses: actions/setup-python@v2
         with:
-          python-version: 3.6
+          python-version: 3.7
 
       - name: Install dependencies
         # Installing wheel package will slightly speed-up installing dependencies.
@@ -66,10 +66,10 @@ jobs:
         with:
           ref: ${{github.sha}}
 
-      - name: Set up Python 3.6
+      - name: Set up Python 3.7
         uses: actions/setup-python@v2
         with:
-          python-version: 3.6
+          python-version: 3.7
 
       - name: Install Python build dependencies
         run: |
@@ -97,10 +97,10 @@ jobs:
   #       with:
   #         ref: ${{github.sha}}
 
-  #     - name: Set up Python 3.6
+  #     - name: Set up Python 3.7
   #       uses: actions/setup-python@v2
   #       with:
-  #         python-version: 3.6
+  #         python-version: 3.7
 
   #     - name: Install Python build dependencies
   #       run: |
@@ -120,5 +120,5 @@ jobs:
   #         cd ./anaconda
   #         conda skeleton pypi matlab-proxy
   #         python parse_meta_file.py
-  #         conda build ./matlab-proxy --python 3.6 --output-folder ./build
+  #         conda build ./matlab-proxy --python 3.7 --output-folder ./build
   #         $CONDA/bin/anaconda upload --label main ./build/linux-64/matlab*.tar.gz

.github/workflows/run-tests.yml

@@ -1,4 +1,4 @@
-# Copyright 2020-2021 The MathWorks, Inc
+# Copyright (c) 2020-2022 The MathWorks, Inc
 
 name: Testing MATLAB Proxy
 
@@ -31,9 +31,10 @@ jobs:
 
   python_tests:
     runs-on: ubuntu-latest
+    continue-on-error: True
     strategy:
       matrix:
-        python-version: [3.6, 3.7, 3.8, 3.9]
+        python-version: [3.7, 3.8, 3.9, 3.10.x]
 
     steps:
       - name: Checkout

Advanced-Usage.md

@@ -1,4 +1,5 @@
 # Advanced Usage
+Copyright (c) 2020-2022 The MathWorks, Inc. All rights reserved.
 
 This page lists some of the advanced manuevers that may be of specific interest to help configure the package for use in your environment.
 
@@ -19,11 +20,13 @@ The following table describes all the environment variables that you can set to
 | **MWI_APP_PORT** | integer | `8080` | Specify the port for the HTTP server to listen on. |
 | **MWI_LOG_LEVEL** | string | `"CRITICAL"` | Specify the Python log level to be one of the following `NOTSET`, `DEBUG`, `INFO`, `WARN`, `ERROR`, or `CRITICAL`. For more information on Python log levels, see [Logging Levels](https://docs.python.org/3/library/logging.html#logging-levels) .<br />The default value is `INFO`. |
 | **MWI_LOG_FILE** | string | `"/tmp/logs.txt"` | Specify the full path to the file where you want debug logs from this integration to be written. |
-| **MWI_WEB_LOGGING_ENABLED** | string | `"True"` | Set this value to `"true"` to see additional web server logs. |
+| **MWI_ENABLE_WEB_LOGGING** | string | `"True"` | Set this value to `"True"` to see additional web server logs. |
 | **MWI_CUSTOM_HTTP_HEADERS** | string  |`'{"Content-Security-Policy": "frame-ancestors *.example.com:*"}'`<br /> OR <br />`"/path/to/your/custom/http-headers.json"` |Specify valid HTTP headers as JSON data in a string format. <br /> Alternatively, specify the full path to the JSON file containing valid HTTP headers instead. These headers are injected into the HTTP response sent to the browser. </br> For  more information, see the [Custom HTTP Headers](#custom-http-headers) section.|
 | **TMPDIR** or **TMP** | string | `"/path/for/MATLAB/to/use/as/tmp"` | Set either one of these variables to control the temporary folder used by MATLAB. `TMPDIR` takes precedence over `TMP` and if neither variable is set, `/tmp` is the default value used by MATLAB. |
-| **MWI_SSL_CERT_FILE** | string | `"/path/to/certificate.pem"` | The certfile string must be the path to a single file in PEM format containing the certificate as well as any number of CA certificates needed to establish the certificate’s authenticity. |
-| **MWI_SSL_KEY_FILE** | string | `"/path/to/keyfile.key"` | The keyfile string, if present, must point to a file containing the private key in. Otherwise the private key will be taken from certfile as well. |
+| **MWI_SSL_CERT_FILE** | string | `"/path/to/certificate.pem"` | The certfile string must be the path to a single file in PEM format containing the certificate as well as any number of CA certificates needed to establish the certificate’s authenticity. See [SSL Support](./SECURITY.md#ssl-support) for more information.|
+| **MWI_SSL_KEY_FILE** | string | `"/path/to/keyfile.key"` | The keyfile string, if present, must point to a file containing the private key. Otherwise the private key will be taken from certfile as well. |
+| **MWI_ENABLE_TOKEN_AUTH** | string | `"True"` | When set to `True`, matlab-proxy will require users to provide the security token to access the proxy. <br />The default value is `False` . See [Token-Based Authentication](./SECURITY.md#token-based-authentication) for more information.|
+| **MWI_AUTH_TOKEN** | string (optional) | `"AnyURLSafeToken"` | Optionally, provide a custom `token` for use with `MWI_ENABLE_TOKEN_AUTH`. A token can safely contain any combination of alpha numeric text along with the following permitted characters: `- .  _  ~`.<br />When absent matlab-proxy will generate a random URL safe token. |
 
 
 ## Custom HTTP Headers 

LICENSE.md

@@ -4,7 +4,7 @@ The files in this GitHub repository refer to commercial software products and se
 
 The following license terms apply only to the files in this GitHub repository, including files in this folder and its subfolders, and do not apply to MathWorks Programs. References to “software” and “code” in the following license terms refer to the files in this GitHub repository.
 
-Copyright (c) 2020, The MathWorks, Inc.
+Copyright (c) 2020-2022, The MathWorks, Inc.
 
 All rights reserved.
 

README.md

@@ -1,16 +1,30 @@
 # MATLAB Proxy
-[![GitHub Workflow Status](https://img.shields.io/github/workflow/status/mathworks/matlab-proxy/Testing%20MATLAB%20Proxy?logo=github)](https://github.com/mathworks/matlab-proxy/actions) [![PyPI badge](https://img.shields.io/pypi/v/matlab-proxy.svg?logo=pypi)](https://pypi.python.org/pypi/matlab-proxy) [![codecov](https://codecov.io/gh/mathworks/matlab-proxy/branch/main/graph/badge.svg?token=ZW3SESKCSS)](https://codecov.io/gh/mathworks/matlab-proxy)
 
-Copyright (c) 2021 The MathWorks, Inc. All rights reserved.
+[![GitHub Workflow Status](https://img.shields.io/github/workflow/status/mathworks/matlab-proxy/Testing%20MATLAB%20Proxy?logo=github)](https://github.com/mathworks/matlab-proxy/actions)   [![PyPI badge](https://img.shields.io/pypi/v/matlab-proxy.svg?logo=pypi)](https://pypi.python.org/pypi/matlab-proxy)    [![codecov](https://codecov.io/gh/mathworks/matlab-proxy/branch/main/graph/badge.svg?token=ZW3SESKCSS)](https://codecov.io/gh/mathworks/matlab-proxy)   [![Downloads](https://static.pepy.tech/personalized-badge/matlab-proxy?period=month&units=international_system&left_color=grey&right_color=blue&left_text=PyPI%20downloads/month)](https://pepy.tech/project/matlab-proxy)
+
+Copyright (c) 2020-2022 The MathWorks, Inc. All rights reserved.
 
 ----
+
 `matlab-proxy` is a Python® package which enables you to launch MATLAB® and access it from a web browser.
 
 Installation of this package creates an executable `matlab-proxy-app`, which launches MATLAB and provides a URL to access it. 
 
 The MATLAB Proxy is under active development. For support or to report issues, see the [Feedback](#feedback) section.
 
 ----
+
+**Table of Contents**
+- [Requirements](#requirements)
+- [Installation](#installation)
+  - [PyPI](#pypi)
+  - [Building From Sources](#building-from-sources)
+- [Usage](#usage)
+- [Examples](#examples)
+- [Limitations](#limitations)
+- [Security](#security)
+- [Feedback](#feedback)
+
 ## Requirements
 * Linux® operating system
 
@@ -34,7 +48,7 @@ The MATLAB Proxy is under active development. For support or to report issues, s
 
   $ sudo yum install xorg-x11-server-Xvfb
   ```
-* Python versions: **3.6** | **3.7** | **3.8** | **3.9** 
+* Python versions: **3.7** | **3.8** | **3.9**  | **3.10**
 * [Browser Requirements](https://www.mathworks.com/support/requirements/browser-requirements.html)
 
 ## Installation
@@ -120,6 +134,13 @@ The following options are available in the status panel (some options are only a
 This package supports the same subset of MATLAB features and commands as MATLAB® Online, except there is no support for Simulink® Online.
 [Click here for a full list of Specifications and Limitations for MATLAB Online](https://www.mathworks.com/products/matlab-online/limitations.html). 
 
+## Security
+We take your security concerns seriously, and will attempt to address all concerns.
+`matlab-proxy` uses several other python packages, and depend on them to fix their own vulnerabilities.
+
+All security patches will be released as a new version of the package.
+Patches are never backported to older versions or releases of the package.
+Using the latest version will provide the latest available security updates or patches.
 
 ## Feedback
 

SECURITY.md

@@ -1,6 +1,206 @@
-Reporting Security Vulnerabilities
-==================================
+# Security
+Copyright (c) 2020-2022 The MathWorks, Inc. All rights reserved.
+
+---- 
+**Table of Contents:**
+- [Reporting Security Vulnerabilities](#reporting-security-vulnerabilities)
+- [Security Features](#security-features)
+- [**SSL Support**](#ssl-support)
+- [**Token-Based Authentication**](#token-based-authentication)
+  - [**Use with auto-generated tokens**](#use-with-auto-generated-tokens)
+  - [**Specify your own token**](#specify-your-own-token)
+  - [**Use Token Authentication with SSL enabled**](#use-token-authentication-with-ssl-enabled)
+  - [**Token Recovery**](#token-recovery)
+    - [**Recover tokens from the machine**](#recover-tokens-from-the-machine)
+    - [**Recover token from a previously authenticated browser session**](#recover-token-from-a-previously-authenticated-browser-session)
+- [Security Best Practices](#security-best-practices)
+
+## Reporting Security Vulnerabilities
 If you believe you have discovered a security vulnerability, please report it to
 [email protected] instead of GitHub. Please see
 [MathWorks Vulnerability Disclosure Policy for Security Researchers](https://www.mathworks.com/company/aboutus/policies_statements/vulnerability-disclosure-policy.html)
-for additional information.
+for additional information.
+
+----
+
+## Security Features
+The following features are available in `matlab-proxy` to provide secure access to MATLAB:
+  - [SSL Support](#ssl-support)
+  - [Token-Based Authentication](#token-based-authentication)
+
+----
+
+## **SSL Support**
+Configure `matlab-proxy` to use SSL by providing the desired SSL certificates using the following environment variables at server launch:
+The following environment variables must be set to enable `matlab-proxy` to run on SSL:
+1. *MWI_SSL_CERT_FILE*
+   
+    A string with the full path to a single file in PEM format containing the certificate as well as any number of CA certificates needed to establish the certificate’s authenticity.
+
+2. *MWI_SSL_KEY_FILE*
+   
+   A string with the full path to a file containing the private key. If absent, the private key must be present in the certfile provided with *MWI_SSL_CERT_FILE*.
+
+Example:
+```bash
+# Launch matlab-proxy with SSL enabled
+$ env MWI_SSL_CERT_FILE="/path/to/certificate.pem" MWI_SSL_KEY_FILE="/path/to/keyfile.key" matlab-proxy-app
+
+# The access link is presented in the terminal upon startup like follows:
+==================================================================================================
+                                  MATLAB can be accessed at:                              
+                                    https://127.0.0.1:37109   
+==================================================================================================
+
+# NOTE: The server is running HTTP(S) ! 
+
+```
+
+----
+
+## **Token-Based Authentication**
+
+`matlab-proxy` is a web server and that allows one to launch and access MATLAB on the machine the server is running on.
+By default anyone with access to the server can access MATLAB and thereby the machine on which its running.
+
+When `Token-Based Authentication` is enabled, the server will require a token to authenticate access.
+This token can be provided to the server in 2 ways:
+
+1. Through the [URL parameter](https://www.rfc-editor.org/rfc/rfc3986#section-3.4) : `mwi_auth_token`. Example:
+    ```html
+    https://localhost:8888/?mwi_auth_token=abcdef...
+    ```
+    Once provided, this information is cached in the browser and will be used in subsequent interactions
+
+2. Through the password field on the page that is presented when the user is not already logged in.
+    <p align="left">
+      <img width="600" src="./img/token_authentication_page.png">
+    </p>
+
+**NOTE** : Its highly recommended to use this feature along with SSL enabled as shown [here](#use-token-authentication-with-ssl-enabled).
+
+### **Use with auto-generated tokens**
+
+Enable `Token-Based Authentication` by setting the environment variable `MWI_ENABLE_TOKEN_AUTH` to `True` on server launch.
+
+When enabled, `matlab-proxy` will require the URL to specify the access token using the [query component](https://www.rfc-editor.org/rfc/rfc3986#section-3.4) `mwi_auth_token`.
+
+Example:
+
+```bash
+
+# Launch matlab-proxy with Token-Based Authentication enabled
+$ env MWI_ENABLE_TOKEN_AUTH=True matlab-proxy-app
+
+# The access link is presented in the terminal upon startup like follows:
+==================================================================================================
+                                  MATLAB can be accessed at:                              
+    http://127.0.0.1:37109?mwi_auth_token=SY78vUw5qyf0JTJzGK4mKJlk_exkzL_SMFJyilbGtNI   
+==================================================================================================
+```
+In this example `SY78vUw5qyf0JTJzGK4mKJlk_exkzL_SMFJyilbGtNI` is the token that the server would need for all future communication.
+
+After initial access, this token is cached by the browser, and all subsequent access from the same browser to the server will not require this token.
+You will however need this token to access the server from a new browser session or if you have cleared cookies or have cookies disabled.
+
+### **Specify your own token**
+
+*Optionally*, you can also specify your own secret token using the environment variable `MWI_AUTH_TOKEN`.
+Ensure that your custom token is url safe. 
+A token can safely contain any combination of alpha numeric text along with the following permitted characters: `- .  _  ~`
+
+See [URI Specification RFC3986](https://www.ietf.org/rfc/rfc3986.txt) for more information on URL safe characters.
+
+Example:
+```bash
+
+# Launch matlab-proxy with Token-Based Authentication enabled, and with custom token with a value of "MyCustomSecretToken"
+$ env MWI_ENABLE_TOKEN_AUTH=True MWI_AUTH_TOKEN=MyCustomSecretToken matlab-proxy-app
+
+# The access link is presented in the terminal upon startup like follows:
+==================================================================================================
+                                  MATLAB can be accessed at:                              
+                http://127.0.0.1:37109?mwi_auth_token=MyCustomSecretToken   
+==================================================================================================
+```
+
+### **Use Token Authentication with SSL enabled**
+
+It is recommended to enable both `Token-Based Authentication` and `SSL` to secure your access to MATLAB via matlab-proxy. As an example, the following command enables access to MATLAB using HTTPS and token-based authentication
+
+For example, the following command launches the server to deliver content on `HTTPS` along with Token-Based Authentication enabled:
+```bash
+# Launch matlab-proxy with Token-Based Authentication & SSL enabled with custom token with a value of "asdf"
+$ env MWI_SSL_CERT_FILE="/path/to/certificate.pem" MWI_SSL_KEY_FILE="/path/to/keyfile.key" MWI_ENABLE_TOKEN_AUTH=True MWI_AUTH_TOKEN=asdf matlab-proxy-app
+
+# The access link is presented in the terminal upon startup like follows:
+==================================================================================================
+                                  MATLAB can be accessed at:                              
+                        https://127.0.0.1:37109?mwi_auth_token=asdf   
+==================================================================================================
+
+# NOTE: This server is running HTTP(S) ! 
+
+```
+
+### **Token Recovery**
+
+To recover tokens for a previously launched server, you will need access to either:
+
+1. The machine on which the server was launched, while being logged in as the user that launched the server.
+2. An authenticated browser session launched for the same user.
+
+#### **Recover tokens from the machine**
+
+1. Login to the machine on which the servers are running, as the user that launched matlab-proxy.
+1. Activate the python environment from which the server was launched.
+    * This should be the same environment from which the server was launched.
+    * Run the executable `matlab-proxy-app-list-servers`
+
+Example:
+```bash
+
+# Connect to the machine on which the server was started:
+$ ssh test-user@usermachine 
+
+# Running this command should print all running servers!
+(usermachine) $ matlab-proxy-app-list-servers
+
+-------------------------------------------------------------------------------------------------------------------
+                                             Your running servers are:                                             
+-------------------------------------------------------------------------------------------------------------------
+1.  https://127.0.0.1:46525/asdf?mwi_auth_token=asdfasdf
+2.  http://127.0.0.1:39057/test?mwi_auth_token=_qNJIXEbnXwrj9nxZwbJiWno0YqYSh8BMdQOR6K67y0
+3.  http://127.0.0.1:35647/test?mwi_auth_token=r6djdrcf591PttYlDZcVL78xIa1XgCviM9dQD-BrqDE
+4.  http://127.0.0.1:36537/test?mwi_auth_token=HdQ-9tooAzA0A0CrpUxP1e5crQBErMQC3tPGTkTtrVo
+5.  http://127.0.0.1:35433/test
+-------------------------------------------------------------------------------------------------------------------
+                                                     Thank you.                                                    
+-------------------------------------------------------------------------------------------------------------------
+```
+
+For servers for which `Token-Based Authentication` were enabled, the URLs above will include their tokens.
+You can use them to gain access to your server as described in the [Introduction](#introduction).
+
+#### **Recover token from a previously authenticated browser session**
+
+1. Navigate to a browser window in which you had previously used the server.
+    ```bash
+    # Lets assume this was the server:
+    http://127.0.0.1:36537/test
+    ```
+1. Edit the URL to access the endpoint `mwi_auth_token`
+    ```html
+    http://127.0.0.1:36537/test/get_mwi_auth_token
+    ```
+    This should take you to a screen which prints the `mwi_auth_token` for that server, as shown below:
+    <p align="left">
+      <img width="600" src="./img/recover_mwi_auth_token.png">
+    </p>
+
+## Security Best Practices
+
+* Never share access to your server
+  Never share URLs from `matlab-proxy` with others. Doing so is equivalent to sharing your user account.
+  
+* System administrators who launch `matlab-proxy` for other users, must launch the proxy as the user for whom the server is intended.