From f7ce9e404ff007faa1fd467c08abacb28daa28dc Mon Sep 17 00:00:00 2001
From: Zane Claes <zaneclaes@gmail.com>
Date: Tue, 6 Oct 2020 16:21:13 -0600
Subject: [PATCH] Working user auth

---
 .makerverse.default                           |   2 -
 .makerverse.docker                            |   2 -
 package.json                                  |   3 -
 src/app/api/index.js                          |  37 --
 src/app/components/ProtectedRoute/index.jsx   |  18 +-
 src/app/containers/Header/Header.jsx          |  16 +-
 .../containers/Home/CreateWorkspace/index.jsx |   2 +-
 src/app/containers/Login/Callback.jsx         |  62 +++
 src/app/containers/Login/Login.jsx            | 277 +++-------
 .../containers/Settings/General/General.jsx   |   7 -
 src/app/containers/Settings/Settings.jsx      |  18 +-
 src/app/i18n/cs/resource.json                 |  11 +-
 src/app/i18n/de/resource.json                 |  11 +-
 src/app/i18n/en/resource.json                 |  11 +-
 src/app/i18n/es/resource.json                 |  11 +-
 src/app/i18n/fr/resource.json                 |  11 +-
 src/app/i18n/hu/resource.json                 |  11 +-
 src/app/i18n/it/resource.json                 |  11 +-
 src/app/i18n/ja/resource.json                 |  11 +-
 src/app/i18n/nl/resource.json                 |  11 +-
 src/app/i18n/pt-br/resource.json              |  11 +-
 src/app/i18n/ru/resource.json                 |  11 +-
 src/app/i18n/tr/resource.json                 |  11 +-
 src/app/i18n/zh-cn/resource.json              |  11 +-
 src/app/i18n/zh-tw/resource.json              |  11 +-
 src/app/index.jsx                             |  58 +--
 src/app/lib/auth.js                           | 126 ++++-
 src/app/lib/user.js                           |  80 ---
 src/app/lib/workspaces.jsx                    |  17 -
 src/app/store/redux.js                        |   3 -
 src/app/widgets/Connection/index.jsx          |   7 +-
 src/app/widgets/Visualizer/Visualizer.jsx     |   3 +-
 src/package.json                              |   5 +-
 src/server-cli.js                             |   2 -
 src/server/access-control.js                  | 184 +++++--
 src/server/api/api.users.js                   | 480 ++++++++++--------
 src/server/app.js                             |  74 +--
 src/server/config/settings.base.js            |   6 -
 src/server/index.js                           |  21 -
 src/server/services/cncengine/CNCEngine.js    |  36 +-
 40 files changed, 761 insertions(+), 939 deletions(-)
 create mode 100644 src/app/containers/Login/Callback.jsx
 delete mode 100644 src/app/lib/user.js

diff --git a/.makerverse.default b/.makerverse.default
index 7e7c7de17..3e06eeabd 100644
--- a/.makerverse.default
+++ b/.makerverse.default
@@ -1,6 +1,4 @@
 {
   "watchDirectory": "",
-  "accessTokenLifetime": "30d",
-  "allowRemoteAccess": false,
   "workspaces": []
 }
\ No newline at end of file
diff --git a/.makerverse.docker b/.makerverse.docker
index 6c9750ad2..bfc43f3e1 100644
--- a/.makerverse.docker
+++ b/.makerverse.docker
@@ -1,7 +1,5 @@
 {
   "watchDirectory": "/home/node/gcode",
-  "accessTokenLifetime": "30d",
-  "allowRemoteAccess": true,
   "workspaces": [],
   "mountPoints": [
     {
diff --git a/package.json b/package.json
index 7f87fc55c..1ab66dfd3 100644
--- a/package.json
+++ b/package.json
@@ -182,7 +182,6 @@
     "expand-tilde": "~2.0.2",
     "expr-eval": "~1.2.2",
     "express": "~4.16.4",
-    "express-jwt": "~5.3.1",
     "express-session": "~1.16.1",
     "final-form": "~4.12.0",
     "font-awesome": "~4.7.0",
@@ -202,7 +201,6 @@
     "is-electron": "~2.2.0",
     "jimp": "~0.6.1",
     "js-polyfills": "~0.1.42",
-    "jsonwebtoken": "~8.5.1",
     "jsuri": "~1.3.1",
     "keycode": "~2.2.0",
     "lodash": "~4.17.11",
@@ -259,7 +257,6 @@
     "shortid": "~2.2.14",
     "socket.io": "~2.2.0",
     "socket.io-client": "~2.2.0",
-    "socketio-jwt": "~4.5.0",
     "sortablejs": "~1.9.0",
     "spawn-default-shell": "~2.0.0",
     "styled-components": "~3.4.9",
diff --git a/src/app/api/index.js b/src/app/api/index.js
index fd998b3a0..6d65e3b23 100644
--- a/src/app/api/index.js
+++ b/src/app/api/index.js
@@ -27,44 +27,10 @@ const noCache = (request) => {
     }
 };
 
-export const apirequest = superagentUse(superagent);
-apirequest.use(noCache);
-
 export const authrequest = superagentUse(superagent);
 authrequest.use(bearer);
 authrequest.use(noCache);
 
-//
-// Authentication
-//
-const signin = (options) => new Promise((resolve, reject) => {
-    // const { token, username, password } = { ...options };
-
-    // const requestedUrl = new URLSearchParams(window.location.search).get('ReturnUrl');
-    // args.returnUrl = requestedUrl || (await ).url;
-    // const args = { username, password };
-
-    // fetch(`${owsApi}/auth/login`, {
-    //     method: 'POST',
-    //     credentials: 'include',
-    //     headers: {
-    //         'Content-Type': 'application/json',
-    //     },
-    //     body: JSON.stringify(args),
-    // });
-
-    // authrequest
-    //     .post('/api/signin')
-    //     .send({ token, name, password })
-    //     .end((err, res) => {
-    //         if (err) {
-    //             reject(res);
-    //         } else {
-    //             resolve(res);
-    //         }
-    //     });
-});
-
 //
 // Latest Version
 //
@@ -710,9 +676,6 @@ export default {
     fetchGCode,
     downloadGCode,
 
-    // Authentication
-    signin,
-
     // Controllers
     controllers,
 
diff --git a/src/app/components/ProtectedRoute/index.jsx b/src/app/components/ProtectedRoute/index.jsx
index 96857fc37..55ae9a96b 100644
--- a/src/app/components/ProtectedRoute/index.jsx
+++ b/src/app/components/ProtectedRoute/index.jsx
@@ -1,5 +1,6 @@
 import React from 'react';
 // import PropTypes from 'prop-types';
+import auth from 'app/lib/auth';
 import { connect } from 'react-redux';
 import { Route, Redirect, withRouter } from 'react-router-dom';
 import log from 'app/lib/log';
@@ -8,8 +9,7 @@ const ProtectedRoute = ({ component: Component, ...rest }) => (
     <Route
         {...rest}
         render={props => {
-            if (props.user) {
-                log.debug('User is authenticated.', props.user);
+            if (auth.isAuthenticated()) {
                 return Component ? <Component {...rest} /> : null;
             }
 
@@ -39,16 +39,4 @@ ProtectedRoute.propTypes = {
     ...withRouter.propTypes,
 };
 
-function mapStateToProps(state) {
-    return {
-        user: state.oidc.user
-    };
-}
-
-function mapDispatchToProps(dispatch) {
-    return {
-        dispatch
-    };
-}
-
-export default connect(mapStateToProps, mapDispatchToProps)(ProtectedRoute);
+export default connect()(ProtectedRoute);
diff --git a/src/app/containers/Header/Header.jsx b/src/app/containers/Header/Header.jsx
index 539de145d..ee09aadf3 100644
--- a/src/app/containers/Header/Header.jsx
+++ b/src/app/containers/Header/Header.jsx
@@ -12,8 +12,7 @@ import Space from 'app/components/Space';
 import combokeys from 'app/lib/combokeys';
 import i18n from 'app/lib/i18n';
 import log from 'app/lib/log';
-import * as user from 'app/lib/user';
-import store from 'app/store';
+import auth from 'app/lib/auth';
 import Workspaces from 'app/lib/workspaces';
 import settings from 'app/config/settings';
 import styles from './index.styl';
@@ -244,9 +243,7 @@ class Header extends PureComponent {
     render() {
         const { history, location } = this.props;
         const { pushPermission, commands, runningTasks, updateAvailable, latestVersion, lastUpdate } = this.state;
-        const sessionEnabled = store.get('session.enabled');
-        const signedInName = store.get('session.name');
-        const hideUserDropdown = !sessionEnabled;
+        const signedInName = auth.user ? auth.user.username : '?';
         const showCommands = commands.length > 0;
         const workspace = Workspaces.findByPath(location.pathname);
         const updateMsg = i18n._('A new version of {{name}} is available', { name: settings.productName }) + '. ' +
@@ -301,9 +298,6 @@ class Header extends PureComponent {
                 <Navbar.Collapse>
                     <Nav pullRight>
                         <NavDropdown
-                            className={classNames(
-                                { 'hidden': hideUserDropdown }
-                            )}
                             id="nav-dropdown-user"
                             title={(
                                 <div title={i18n._('My Account')}>
@@ -317,7 +311,7 @@ class Header extends PureComponent {
                             </MenuItem>
                             <MenuItem divider />
                             <MenuItem
-                                href="#/settings/user-accounts"
+                                href="https://openwork.shop/account/manage"
                             >
                                 <i className="fa fa-fw fa-user" />
                                 <Space width="8" />
@@ -325,11 +319,11 @@ class Header extends PureComponent {
                             </MenuItem>
                             <MenuItem
                                 onClick={() => {
-                                    if (user.isAuthenticated()) {
+                                    if (auth.isAuthenticated()) {
                                         log.debug('Destroy and cleanup the WebSocket connection');
                                         Workspaces.disconnect();
 
-                                        user.signout();
+                                        auth.signout();
 
                                         // Remember current location
                                         history.replace(location.pathname);
diff --git a/src/app/containers/Home/CreateWorkspace/index.jsx b/src/app/containers/Home/CreateWorkspace/index.jsx
index 0b759f883..b6597f6d5 100644
--- a/src/app/containers/Home/CreateWorkspace/index.jsx
+++ b/src/app/containers/Home/CreateWorkspace/index.jsx
@@ -238,7 +238,7 @@ class CreateWorkspace extends PureComponent {
 
     componentDidMount() {
         this._mounting = true;
-        this.controller.connect(auth.host, auth.options, () => {
+        this.controller.connect(auth.host, auth.socket, () => {
             this.addControllerEvents();
             this.refreshPorts();
             this._mounting = false;
diff --git a/src/app/containers/Login/Callback.jsx b/src/app/containers/Login/Callback.jsx
new file mode 100644
index 000000000..b612e0dd7
--- /dev/null
+++ b/src/app/containers/Login/Callback.jsx
@@ -0,0 +1,62 @@
+import React, { PureComponent } from 'react';
+import { CallbackComponent } from 'redux-oidc';
+import { Redirect } from 'react-router-dom';
+import auth from 'app/lib/auth';
+import { connect } from 'react-redux';
+import styles from './index.styl';
+
+class Callback extends PureComponent {
+    state = { error: null, success: false, ready: false };
+
+    handleSuccess(oidc) {
+        this.setState({ success: true });
+
+        auth.signin(oidc).then((authorized) => {
+            if (authorized) {
+                this.setState({ ready: true });
+            } else {
+                this.setState({ error: { message: 'Failed to authenticate.' } });
+            }
+        });
+    }
+
+    handleError(err) {
+        this.setState({ error: err });
+    }
+
+    renderInner() {
+        if (this.state.error) {
+            const msg = this.state.error.message ?? this.state.error;
+            return <Redirect to={`/login?error=${msg}`} />;
+        }
+
+        if (this.state.success) {
+            if (!this.state.ready) {
+                return <div>Loading Profile...</div>;
+            }
+            return <Redirect to="/" />;
+        }
+
+        return (
+            <CallbackComponent
+                userManager={auth.manager}
+                successCallback={(s) => this.handleSuccess(s)}
+                errorCallback={(e) => this.handleError(e)}
+            >
+                <div>Authenticating...</div>
+            </CallbackComponent>
+        );
+    }
+
+    render() {
+        return (
+            <div className={styles.container}>
+                <div className={styles.login} style={{ padding: '20px' }}>
+                    {this.renderInner()}
+                </div>
+            </div>
+        );
+    }
+}
+
+export default connect()(Callback);
diff --git a/src/app/containers/Login/Login.jsx b/src/app/containers/Login/Login.jsx
index b0eaf91d2..e61f0ea87 100644
--- a/src/app/containers/Login/Login.jsx
+++ b/src/app/containers/Login/Login.jsx
@@ -5,13 +5,13 @@ import { withRouter, Redirect } from 'react-router-dom';
 import Anchor from 'app/components/Anchor';
 import Space from 'app/components/Space';
 // import settings from 'app/config/settings';
-import Workspaces from 'app/lib/workspaces';
+// import Workspaces from 'app/lib/workspaces';
 // import promisify from 'app/lib/promisify';
-import auth from 'app/lib/auth';
+// import auth from 'app/lib/auth';
 import i18n from 'app/lib/i18n';
 import log from 'app/lib/log';
-import { signup, signin, resend } from 'app/lib/user';
-import store from 'app/store';
+import auth from 'app/lib/auth';
+// import store from 'app/store';
 import styles from './index.styl';
 
 class Login extends PureComponent {
@@ -51,24 +51,6 @@ class Login extends PureComponent {
     }
 
     actions = {
-        handleResendVerification: (event) => {
-            event.preventDefault();
-            this.setState({ resending: true });
-            resend({ username: this.state.username })
-                .then(({ success, errors }) => {
-                    if (!success) {
-                        this.processErrors(errors);
-                        return;
-                    }
-                    this.setState({
-                        resent: true,
-                        resending: false,
-                    });
-                });
-        },
-        handleForgotPassword: (event) => {
-            event.preventDefault();
-        },
         handleSignIn: (event) => {
             event.preventDefault();
 
@@ -79,48 +61,50 @@ class Login extends PureComponent {
                 errors: { ...this.state.errors },
             });
 
-            const args = {
-                username: this.fields.username.value,
-                password: this.fields.password.value,
-            };
+            auth.manager.signinRedirect();
 
-            const registering = this.state.registering;
-            if (registering) {
-                args.email = this.fields.email.value;
-            }
+            // const args = {
+            //     username: this.fields.username.value,
+            //     password: this.fields.password.value,
+            // };
+
+            // const registering = this.state.registering;
+            // if (registering) {
+            //     args.email = this.fields.email.value;
+            // }
 
-            const func = registering ? signup : signin;
-            func(args)
-                .then(({ success, errors }) => {
-                    if (!success) {
-                        this.processErrors(errors);
-                        return;
-                    }
-                    if (registering) {
-                        this.setState({ registered: true });
-                        return;
-                    }
+            // const func = registering ? signup : signin;
+            // func(args)
+            //     .then(({ success, errors }) => {
+            //         if (!success) {
+            //             this.processErrors(errors);
+            //             return;
+            //         }
+            //         if (registering) {
+            //             this.setState({ registered: true });
+            //             return;
+            //         }
 
-                    log.debug('Create and establish a WebSocket connection');
+            //         log.debug('Create and establish a WebSocket connection');
 
-                    const token = store.get('session.token');
-                    auth.host = '';
-                    auth.options = {
-                        query: 'token=' + token
-                    };
-                })
-                .then(Workspaces.connect)
-                .then(() => {
-                    this.setState({
-                        alertMessage: '',
-                        authenticating: false,
-                        redirectToReferrer: true,
-                        errors: this.emptyErrors,
-                    });
-                })
-                .catch((e) => {
-                    console.log('signup/signin error', e);
-                });
+            //         const token = store.get('session.token');
+            //         auth.host = '';
+            //         auth.options = {
+            //             query: 'token=' + token
+            //         };
+            //     })
+            //     .then(Workspaces.connect)
+            //     .then(() => {
+            //         this.setState({
+            //             alertMessage: '',
+            //             authenticating: false,
+            //             redirectToReferrer: true,
+            //             errors: this.emptyErrors,
+            //         });
+            //     })
+            //     .catch((e) => {
+            //         console.log('signup/signin error', e);
+            //     });
         }
     };
 
@@ -190,38 +174,49 @@ class Login extends PureComponent {
         );
     }
 
-    renderResend() {
-        if (this.state.resent) {
-            return <i>The email has been re-sent.</i>;
-        }
-        const enabled = !this.state.resending;
+    renderSocialLogin(name) {
+        const authenticating = this.state.authenticating;
+        const icon = 'fa-' + name.toLowerCase();
         return (
             <button
-                type="submit"
-                className="btn btn-block btn-primary"
+                type="button"
+                className="btn btn-block btn-secondary"
+                style={{ marginLeft: '0' }}
                 onClick={this.actions.handleResendVerification}
-                disabled={!enabled}
+                disabled={authenticating}
             >
                 <i
                     className={cx(
                         'fa',
                         'fa-fw',
-                        { 'fa-envelope-o': enabled },
-                        { 'fa-spin': !enabled },
+                        icon
                     )}
                 />
                 <Space width="8" />
-                {i18n._('Resend Verification Email')}
+                {name}
             </button>
         );
     }
 
+    renderSocialLogins() {
+        return (
+            <div>
+                <i>Or, use one of the following...</i>
+                <br />
+                {this.renderSocialLogin('GitHub')}
+                {this.renderSocialLogin('Google')}
+            </div>
+        );
+    }
+
     render() {
+        const error = decodeURIComponent(window.location.hash.split('error=')[1] || '');
+
         const { from } = this.props.location.state || { from: { pathname: '/' } };
         const state = { ...this.state };
         // const actions = { ...this.actions };
-        const { alertMessage, authenticating, registering, registered } = state;
-        const act = registering ? i18n._('Create Account') : i18n._('Sign in');
+        const { alertMessage, authenticating, registering } = state;
+        const act = i18n._('Login');
         const docLink = 'http://www.makerverse.com/features/security/';
         let enabled = !authenticating && this.fields.username && this.fields.username.value.length > 0 &&
             this.fields.password && this.fields.password.value.length > 0;
@@ -245,38 +240,6 @@ class Login extends PureComponent {
             );
         }
 
-        if (registered) {
-            return (
-                <div className={styles.container}>
-                    <div className={styles.login}>
-                        <div className={styles.title}>
-                            Confirm your Email Address
-                        </div>
-                        <div className={styles.content}>
-                            {'Please check your inbox for an email from:'}
-                            <br />
-                            <b>hello@openwork.shop</b>
-                            <br />
-                            <div style={{ paddingTop: '10px', paddingBottom: '10px' }}>
-                                {this.renderResend()}
-                            </div>
-                        </div>
-                        <div className={styles.footer}>
-                            <a
-                                href={docLink}
-                                onClick={(e) => {
-                                    e.preventDefault();
-                                    this.setState({ registered: false });
-                                }}
-                            >
-                                {i18n._('Return to Login')}
-                            </a>
-                        </div>
-                    </div>
-                </div>
-            );
-        }
-
         return (
             <div className={styles.container}>
                 <div className={styles.login}>
@@ -285,104 +248,19 @@ class Login extends PureComponent {
                         {act}
                     </div>
                     <div className={styles.content}>
-                        <div style={{ textAlign: 'center', textDecoration: 'italic', marginBottom: '10px' }}>
-                            {registering && (
-                                <a
-                                    href="#sign-in"
-                                    onClick={(e) => {
-                                        this.setState({ registering: false });
-                                        e.preventDefault();
-                                    }}
-                                >
-                                    {i18n._('Already have an account?')}
-                                </a>
-                            )}
-                            {!registering && (
-                                <a
-                                    href="#sign-up"
-                                    onClick={(e) => {
-                                        this.setState({ registering: true });
-                                        e.preventDefault();
-                                    }}
-                                >
-                                    {i18n._('Don\'t have an account?')}
-                                </a>
-                            )}
-                        </div>
-                        <form className={styles.form}>
-                            {registering && (
-                                <div className="form-group">
-                                    <input
-                                        ref={node => {
-                                            this.fields.email = node;
-                                        }}
-                                        type="email"
-                                        onChange={() => this.onChangeEmail()}
-                                        className="form-control"
-                                        placeholder={i18n._('Email')}
-                                        autoComplete="email"
-                                    />
-                                    {this.renderError('email')}
-                                </div>
-                            )}
-                            <div className="form-group">
-                                <input
-                                    ref={node => {
-                                        this.fields.username = node;
-                                    }}
-                                    type="text"
-                                    onChange={(e) => this.setState({
-                                        hasChangedUsername: true,
-                                        username: e.target.value,
-                                    })}
-                                    className="form-control"
-                                    placeholder={i18n._('Username')}
-                                    autoComplete="username"
-                                />
-                                {this.renderError('username')}
+                        {error.length > 0 && (
+                            <div className={styles.error}>
+                                {error}
                             </div>
-                            <div className="form-group">
-                                <input
-                                    ref={node => {
-                                        this.fields.password = node;
-                                    }}
-                                    type="password"
-                                    onChange={(e) => this.onChangePasswords(e.target.value)}
-                                    className="form-control"
-                                    placeholder={i18n._('Password')}
-                                    autoComplete="password"
-                                />
-                                {this.renderError('password')}
-                            </div>
-                            {registering && (
-                                <div className="form-group">
-                                    <input
-                                        ref={node => {
-                                            this.fields.passwordMatch = node;
-                                        }}
-                                        type="password"
-                                        className="form-control"
-                                        onChange={() => this.onChangePasswords()}
-                                        placeholder={i18n._('Password (again)')}
-                                        autoComplete="password"
-                                    />
-                                    {this.renderError('passwordMatch')}
-                                </div>
-                            )}
-                            {!registering && (
-                                <div style={{ textAlign: 'right', width: '100%' }}>
-                                    <a href="#forgot-password" onClick={this.actions.handleForgotPassword}>
-                                        {i18n._('Forgot your password?')}
-                                    </a>
-                                </div>
-                            )}
+                        )}
+                        <form className={styles.form}>
                             <div className="form-group">
                                 {this.renderError('unknown')}
                                 <button
                                     type="submit"
                                     className="btn btn-block btn-primary"
                                     onClick={this.actions.handleSignIn}
-                                    disabled={!enabled}
+                                    disabled={authenticating}
                                 >
                                     <i
                                         className={cx(
@@ -390,12 +268,11 @@ class Login extends PureComponent {
                                             'fa-fw',
                                             { 'fa-spin': authenticating },
                                             { 'fa-circle-o-notch': authenticating },
-                                            { 'fa-sign-in': !authenticating && !registering },
-                                            { 'fa-user-plus': !authenticating && registering },
+                                            { 'fa-envelope-o': !authenticating },
                                         )}
                                     />
                                     <Space width="8" />
-                                    {act}
+                                    {act} with Email
                                 </button>
                                 {alertMessage && (
                                     <div className={styles.error}>
@@ -407,7 +284,7 @@ class Login extends PureComponent {
                     </div>
                     <div className={styles.footer}>
                         <Anchor href={docLink}>
-                            {i18n._('Why is it necessary to create an account?')}
+                            {i18n._('Why is it necessary to log in?')}
                         </Anchor>
                     </div>
                 </div>
diff --git a/src/app/containers/Settings/General/General.jsx b/src/app/containers/Settings/General/General.jsx
index 9c1c7f5d7..c77f5d488 100644
--- a/src/app/containers/Settings/General/General.jsx
+++ b/src/app/containers/Settings/General/General.jsx
@@ -52,7 +52,6 @@ class General extends PureComponent {
     render() {
         const { state, stateChanged } = this.props;
         const lang = get(state, 'lang', 'en');
-        const raEnabled = state.allowRemoteAccess ? i18n._('enabled') : i18n._('disabled');
 
         if (state.api.loading) {
             return (
@@ -97,12 +96,6 @@ class General extends PureComponent {
                         </div>
                     </div>
                 </div>
-                <div className={styles.formFields}>
-                    <h4>{i18n._('Web Server')}</h4>
-                    <span style={{ fontStyle: 'italic' }} >
-                        Remote access is <strong>{raEnabled}</strong> in your .makerverse config file.
-                    </span>
-                </div>
                 <div className={styles.formFields}>
                     <h4>{i18n._('Language')}</h4>
                     <div className={styles.formGroup}>
diff --git a/src/app/containers/Settings/Settings.jsx b/src/app/containers/Settings/Settings.jsx
index 448ee30e9..9938ba988 100644
--- a/src/app/containers/Settings/Settings.jsx
+++ b/src/app/containers/Settings/Settings.jsx
@@ -23,7 +23,7 @@ import log from 'app/lib/log';
 import Workspaces from 'app/lib/workspaces';
 import General from './General';
 import WorkspaceSettings from './WorkspaceSettings';
-import UserAccounts from './UserAccounts';
+// import UserAccounts from './UserAccounts';
 import Controller from './Controller';
 import Commands from './Commands';
 import Events from './Events';
@@ -58,12 +58,12 @@ class Settings extends PureComponent {
             title: 'Controller',
             component: (props) => <Controller {...props} />
         },
-        {
-            id: 'userAccounts',
-            path: 'user-accounts',
-            title: 'User Accounts',
-            component: (props) => <UserAccounts {...props} />
-        },
+        // {
+        //     id: 'userAccounts',
+        //     path: 'user-accounts',
+        //     title: 'User Accounts',
+        //     component: (props) => <UserAccounts {...props} />
+        // },
         {
             id: 'commands',
             path: 'commands',
@@ -113,7 +113,7 @@ class Settings extends PureComponent {
 
                 api.getState()
                     .then((res) => {
-                        const { checkForUpdates, prereleases, allowRemoteAccess } = { ...res.body };
+                        const { checkForUpdates, prereleases } = { ...res.body };
 
                         const nextState = {
                             ...this.state.general,
@@ -124,7 +124,6 @@ class Settings extends PureComponent {
                             },
                             // followed by data
                             checkForUpdates: !!checkForUpdates,
-                            allowRemoteAccess: !!allowRemoteAccess,
                             prereleases: !!prereleases,
                             lang: i18next.language
                         };
@@ -1029,7 +1028,6 @@ class Settings extends PureComponent {
                 },
                 checkForUpdates: true,
                 prereleases: false,
-                allowRemoteAccess: !!(settings.allowRemoteAccess),
                 lang: i18next.language
             },
             // Workspaces
diff --git a/src/app/i18n/cs/resource.json b/src/app/i18n/cs/resource.json
index eb7fc4cac..bcb7511b3 100644
--- a/src/app/i18n/cs/resource.json
+++ b/src/app/i18n/cs/resource.json
@@ -19,13 +19,9 @@
     "Sleep": "Režim spánku",
     "Unlock": "Odemknout",
     "Reset": "Resetovat",
-    "Authentication failed.": "",
     "Error": "",
-    "Sign in to {{name}}": "",
     "Username": "Uživatelské jméno",
     "Password": "Heslo",
-    "Sign In": "Přihlásit se",
-    "Forgot your password?": "",
     "Learn more": "Další informace",
     "Downloads": "Stažené soubory",
     "Checking for updates...": "Vyhledávají se aktualizace...",
@@ -517,10 +513,7 @@
     "Accept": "",
     "Move to Center": "",
     "Firmware": "",
-    "enabled": "",
-    "disabled": "",
     "Software Updates": "",
-    "Web Server": "",
     "Save": "",
     "Machine": "",
     "Frame": "",
@@ -542,5 +535,7 @@
     "Program: Start": "",
     "Program: Pause": "",
     "Program: Stop": "",
-    "Program: Resume": ""
+    "Program: Resume": "",
+    "Login": "",
+    "Why is it necessary to log in?": ""
 }
diff --git a/src/app/i18n/de/resource.json b/src/app/i18n/de/resource.json
index 75a3a1573..d36337d89 100644
--- a/src/app/i18n/de/resource.json
+++ b/src/app/i18n/de/resource.json
@@ -19,13 +19,9 @@
     "Sleep": "Ruhezustand",
     "Unlock": "Freigabe",
     "Reset": "Reset",
-    "Authentication failed.": "Authentifizierung fehlgeschlagen",
     "Error": "Fehler",
-    "Sign in to {{name}}": "Einloggen in {{name}}",
     "Username": "Benutzername",
     "Password": "Kennwort",
-    "Sign In": "Anmelden",
-    "Forgot your password?": "Passwort vergessen?",
     "Learn more": "Weitere Informationen",
     "Downloads": "Downloads",
     "Checking for updates...": "Es wird nach Updates gesucht...",
@@ -517,10 +513,7 @@
     "Accept": "",
     "Move to Center": "",
     "Firmware": "",
-    "enabled": "",
-    "disabled": "",
     "Software Updates": "",
-    "Web Server": "",
     "Save": "",
     "Machine": "",
     "Frame": "",
@@ -542,5 +535,7 @@
     "Program: Start": "",
     "Program: Pause": "",
     "Program: Stop": "",
-    "Program: Resume": ""
+    "Program: Resume": "",
+    "Login": "",
+    "Why is it necessary to log in?": ""
 }
diff --git a/src/app/i18n/en/resource.json b/src/app/i18n/en/resource.json
index 7ee0f1e3f..30921575b 100644
--- a/src/app/i18n/en/resource.json
+++ b/src/app/i18n/en/resource.json
@@ -19,13 +19,9 @@
     "Sleep": "Sleep",
     "Unlock": "Unlock",
     "Reset": "Reset",
-    "Authentication failed.": "Authentication failed.",
     "Error": "Error",
-    "Sign in to {{name}}": "Sign in to {{name}}",
     "Username": "Username",
     "Password": "Password",
-    "Sign In": "Sign In",
-    "Forgot your password?": "Forgot your password?",
     "Learn more": "Learn more",
     "Downloads": "Downloads",
     "Checking for updates...": "Checking for updates...",
@@ -517,10 +513,7 @@
     "Accept": "Accept",
     "Move to Center": "Move to Center",
     "Firmware": "Firmware",
-    "enabled": "enabled",
-    "disabled": "disabled",
     "Software Updates": "Software Updates",
-    "Web Server": "Web Server",
     "Save": "Save",
     "Machine": "Machine",
     "Frame": "Frame",
@@ -542,5 +535,7 @@
     "Program: Start": "Program: Start",
     "Program: Pause": "Program: Pause",
     "Program: Stop": "Program: Stop",
-    "Program: Resume": "Program: Resume"
+    "Program: Resume": "Program: Resume",
+    "Login": "Login",
+    "Why is it necessary to log in?": "Why is it necessary to log in?"
 }
diff --git a/src/app/i18n/es/resource.json b/src/app/i18n/es/resource.json
index 180a37f55..021e31c24 100644
--- a/src/app/i18n/es/resource.json
+++ b/src/app/i18n/es/resource.json
@@ -19,13 +19,9 @@
     "Sleep": "Suspensión",
     "Unlock": "Desbloquear",
     "Reset": "Resetear",
-    "Authentication failed.": "Fallo de autenticación",
     "Error": "Error",
-    "Sign in to {{name}}": "Conectarse a {{name}}",
     "Username": "Nombre de usuario",
     "Password": "Contraseña",
-    "Sign In": "Iniciar sesión",
-    "Forgot your password?": "Olvido contraseña?",
     "Learn more": "Más información",
     "Downloads": "Descargas",
     "Checking for updates...": "Buscando actualizaciones...",
@@ -517,10 +513,7 @@
     "Accept": "",
     "Move to Center": "",
     "Firmware": "",
-    "enabled": "",
-    "disabled": "",
     "Software Updates": "",
-    "Web Server": "",
     "Save": "",
     "Machine": "",
     "Frame": "",
@@ -542,5 +535,7 @@
     "Program: Start": "",
     "Program: Pause": "",
     "Program: Stop": "",
-    "Program: Resume": ""
+    "Program: Resume": "",
+    "Login": "",
+    "Why is it necessary to log in?": ""
 }
diff --git a/src/app/i18n/fr/resource.json b/src/app/i18n/fr/resource.json
index 69ccdf40d..36ca8c86e 100644
--- a/src/app/i18n/fr/resource.json
+++ b/src/app/i18n/fr/resource.json
@@ -19,13 +19,9 @@
     "Sleep": "Veille",
     "Unlock": "Déverouiller",
     "Reset": "Réinitialiser",
-    "Authentication failed.": "",
     "Error": "",
-    "Sign in to {{name}}": "",
     "Username": "Nom d'utilisateur",
     "Password": "Mot de passe",
-    "Sign In": "Ouverture de session",
-    "Forgot your password?": "",
     "Learn more": "En savoir plus",
     "Downloads": "Téléchargements",
     "Checking for updates...": "Recherche en cours des mises à jour...",
@@ -517,10 +513,7 @@
     "Accept": "",
     "Move to Center": "",
     "Firmware": "",
-    "enabled": "",
-    "disabled": "",
     "Software Updates": "",
-    "Web Server": "",
     "Save": "",
     "Machine": "",
     "Frame": "",
@@ -542,5 +535,7 @@
     "Program: Start": "",
     "Program: Pause": "",
     "Program: Stop": "",
-    "Program: Resume": ""
+    "Program: Resume": "",
+    "Login": "",
+    "Why is it necessary to log in?": ""
 }
diff --git a/src/app/i18n/hu/resource.json b/src/app/i18n/hu/resource.json
index 250d3eb49..c2e42940e 100644
--- a/src/app/i18n/hu/resource.json
+++ b/src/app/i18n/hu/resource.json
@@ -19,13 +19,9 @@
     "Sleep": "Alvás",
     "Unlock": "Feloldás",
     "Reset": "Reset",
-    "Authentication failed.": "A hitelesítés sikertelen.",
     "Error": "",
-    "Sign in to {{name}}": "Bejelentkezés a {{name}}-be",
     "Username": "Felhasználó",
     "Password": "Jelszó",
-    "Sign In": "Bejelentkezés",
-    "Forgot your password?": "Elfelejtetted a jelszavad?",
     "Learn more": "További információ",
     "Downloads": "Letöltés",
     "Checking for updates...": "Frissítések keresése ...",
@@ -517,10 +513,7 @@
     "Accept": "",
     "Move to Center": "",
     "Firmware": "",
-    "enabled": "",
-    "disabled": "",
     "Software Updates": "",
-    "Web Server": "",
     "Save": "",
     "Machine": "",
     "Frame": "",
@@ -542,5 +535,7 @@
     "Program: Start": "",
     "Program: Pause": "",
     "Program: Stop": "",
-    "Program: Resume": ""
+    "Program: Resume": "",
+    "Login": "",
+    "Why is it necessary to log in?": ""
 }
diff --git a/src/app/i18n/it/resource.json b/src/app/i18n/it/resource.json
index 87b1d79c6..3caeb4e4e 100644
--- a/src/app/i18n/it/resource.json
+++ b/src/app/i18n/it/resource.json
@@ -19,13 +19,9 @@
     "Sleep": "Sospensione",
     "Unlock": "Sblocca",
     "Reset": "Resetta",
-    "Authentication failed.": "",
     "Error": "",
-    "Sign in to {{name}}": "",
     "Username": "Nome utente",
     "Password": "Password",
-    "Sign In": "Accedi",
-    "Forgot your password?": "",
     "Learn more": "Ulteriori informazioni",
     "Downloads": "Download",
     "Checking for updates...": "Ricerca di aggiornamenti in corso...",
@@ -517,10 +513,7 @@
     "Accept": "",
     "Move to Center": "",
     "Firmware": "",
-    "enabled": "",
-    "disabled": "",
     "Software Updates": "",
-    "Web Server": "",
     "Save": "",
     "Machine": "",
     "Frame": "",
@@ -542,5 +535,7 @@
     "Program: Start": "",
     "Program: Pause": "",
     "Program: Stop": "",
-    "Program: Resume": ""
+    "Program: Resume": "",
+    "Login": "",
+    "Why is it necessary to log in?": ""
 }
diff --git a/src/app/i18n/ja/resource.json b/src/app/i18n/ja/resource.json
index cb3711942..a348e175a 100644
--- a/src/app/i18n/ja/resource.json
+++ b/src/app/i18n/ja/resource.json
@@ -19,13 +19,9 @@
     "Sleep": "スリープ",
     "Unlock": "アンロック",
     "Reset": "リセット",
-    "Authentication failed.": "認証失敗.",
     "Error": "エラー",
-    "Sign in to {{name}}": "{{name}}にサインイン",
     "Username": "ユーザ名",
     "Password": "パスワード",
-    "Sign In": "サインイン",
-    "Forgot your password?": "パスワードを忘れましたか？",
     "Learn more": "詳細情報",
     "Downloads": "ダウンロード",
     "Checking for updates...": "更新プログラムを確認しています...",
@@ -517,10 +513,7 @@
     "Accept": "",
     "Move to Center": "",
     "Firmware": "",
-    "enabled": "",
-    "disabled": "",
     "Software Updates": "",
-    "Web Server": "",
     "Save": "",
     "Machine": "",
     "Frame": "",
@@ -542,5 +535,7 @@
     "Program: Start": "",
     "Program: Pause": "",
     "Program: Stop": "",
-    "Program: Resume": ""
+    "Program: Resume": "",
+    "Login": "",
+    "Why is it necessary to log in?": ""
 }
diff --git a/src/app/i18n/nl/resource.json b/src/app/i18n/nl/resource.json
index acd463ff6..a89ad15f1 100644
--- a/src/app/i18n/nl/resource.json
+++ b/src/app/i18n/nl/resource.json
@@ -19,13 +19,9 @@
     "Sleep": "Slapen",
     "Unlock": "Ontsluiten",
     "Reset": "Reset",
-    "Authentication failed.": "Authenticatie mislukt",
     "Error": "Fout",
-    "Sign in to {{name}}": "Log in naar {{name}}",
     "Username": "Gebruikersnaam",
     "Password": "Paswoord",
-    "Sign In": "Log in",
-    "Forgot your password?": "Uw wachtwoord vergeten?",
     "Learn more": "Meer weten?",
     "Downloads": "Downloads",
     "Checking for updates...": "Zoeken of er nieuwe updates zijn...",
@@ -517,10 +513,7 @@
     "Accept": "",
     "Move to Center": "",
     "Firmware": "",
-    "enabled": "",
-    "disabled": "",
     "Software Updates": "",
-    "Web Server": "",
     "Save": "",
     "Machine": "",
     "Frame": "",
@@ -542,5 +535,7 @@
     "Program: Start": "",
     "Program: Pause": "",
     "Program: Stop": "",
-    "Program: Resume": ""
+    "Program: Resume": "",
+    "Login": "",
+    "Why is it necessary to log in?": ""
 }
diff --git a/src/app/i18n/pt-br/resource.json b/src/app/i18n/pt-br/resource.json
index 412d25d80..d2b451676 100644
--- a/src/app/i18n/pt-br/resource.json
+++ b/src/app/i18n/pt-br/resource.json
@@ -19,13 +19,9 @@
     "Sleep": "Suspender",
     "Unlock": "Desbloquear",
     "Reset": "Reiniciar",
-    "Authentication failed.": "Autenticação falhou",
     "Error": "Erro",
-    "Sign in to {{name}}": "Entrar como {{name}}",
     "Username": "Nome de Usuário",
     "Password": "Senha",
-    "Sign In": "Entrar",
-    "Forgot your password?": "Esqueceu sua senha?",
     "Learn more": "Saiba mais",
     "Downloads": "Downloads",
     "Checking for updates...": "Verificando se há atualizações...",
@@ -517,10 +513,7 @@
     "Accept": "",
     "Move to Center": "",
     "Firmware": "",
-    "enabled": "",
-    "disabled": "",
     "Software Updates": "",
-    "Web Server": "",
     "Save": "",
     "Machine": "",
     "Frame": "",
@@ -542,5 +535,7 @@
     "Program: Start": "",
     "Program: Pause": "",
     "Program: Stop": "",
-    "Program: Resume": ""
+    "Program: Resume": "",
+    "Login": "",
+    "Why is it necessary to log in?": ""
 }
diff --git a/src/app/i18n/ru/resource.json b/src/app/i18n/ru/resource.json
index 4fa2ca09e..ecd80bc34 100644
--- a/src/app/i18n/ru/resource.json
+++ b/src/app/i18n/ru/resource.json
@@ -19,13 +19,9 @@
     "Sleep": "Сон",
     "Unlock": "Разблокировать",
     "Reset": "Сброс",
-    "Authentication failed.": "",
     "Error": "",
-    "Sign in to {{name}}": "",
     "Username": "Имя пользователя",
     "Password": "Пароль",
-    "Sign In": "Вход",
-    "Forgot your password?": "",
     "Learn more": "Подробнее",
     "Downloads": "Загрузки",
     "Checking for updates...": "Проверка наличия обновлений...",
@@ -517,10 +513,7 @@
     "Accept": "",
     "Move to Center": "",
     "Firmware": "",
-    "enabled": "",
-    "disabled": "",
     "Software Updates": "",
-    "Web Server": "",
     "Save": "",
     "Machine": "",
     "Frame": "",
@@ -542,5 +535,7 @@
     "Program: Start": "",
     "Program: Pause": "",
     "Program: Stop": "",
-    "Program: Resume": ""
+    "Program: Resume": "",
+    "Login": "",
+    "Why is it necessary to log in?": ""
 }
diff --git a/src/app/i18n/tr/resource.json b/src/app/i18n/tr/resource.json
index 0cdf17598..1a3e212a3 100644
--- a/src/app/i18n/tr/resource.json
+++ b/src/app/i18n/tr/resource.json
@@ -19,13 +19,9 @@
     "Sleep": "Uyku",
     "Unlock": "Kilidi Aç",
     "Reset": "Sıfırla",
-    "Authentication failed.": "Kimlik Doğrulama Başarısız",
     "Error": "Hata",
-    "Sign in to {{name}}": "Giriş yap {{name}}",
     "Username": "Kullanıcı adı",
     "Password": "şifre",
-    "Sign In": "Giriş",
-    "Forgot your password?": "Parolanızı mı unuttunuz?",
     "Learn more": "Daha fazla",
     "Downloads": "İndir",
     "Checking for updates...": "Güncellemeler Kontrol Ediliyor...",
@@ -517,10 +513,7 @@
     "Accept": "",
     "Move to Center": "",
     "Firmware": "",
-    "enabled": "",
-    "disabled": "",
     "Software Updates": "",
-    "Web Server": "",
     "Save": "",
     "Machine": "",
     "Frame": "",
@@ -542,5 +535,7 @@
     "Program: Start": "",
     "Program: Pause": "",
     "Program: Stop": "",
-    "Program: Resume": ""
+    "Program: Resume": "",
+    "Login": "",
+    "Why is it necessary to log in?": ""
 }
diff --git a/src/app/i18n/zh-cn/resource.json b/src/app/i18n/zh-cn/resource.json
index b9759f3e5..8a0f9b111 100644
--- a/src/app/i18n/zh-cn/resource.json
+++ b/src/app/i18n/zh-cn/resource.json
@@ -19,13 +19,9 @@
     "Sleep": "睡眠",
     "Unlock": "解除锁定",
     "Reset": "重置",
-    "Authentication failed.": "授权失败。",
     "Error": "错误",
-    "Sign in to {{name}}": "已登录用户{{name}}",
     "Username": "用户名",
     "Password": "密码",
-    "Sign In": "登录",
-    "Forgot your password?": "忘记密码？",
     "Learn more": "了解详情",
     "Downloads": "下载",
     "Checking for updates...": "正在检查更新...",
@@ -517,10 +513,7 @@
     "Accept": "",
     "Move to Center": "",
     "Firmware": "",
-    "enabled": "",
-    "disabled": "",
     "Software Updates": "",
-    "Web Server": "",
     "Save": "",
     "Machine": "",
     "Frame": "",
@@ -542,5 +535,7 @@
     "Program: Start": "",
     "Program: Pause": "",
     "Program: Stop": "",
-    "Program: Resume": ""
+    "Program: Resume": "",
+    "Login": "",
+    "Why is it necessary to log in?": ""
 }
diff --git a/src/app/i18n/zh-tw/resource.json b/src/app/i18n/zh-tw/resource.json
index 51c025df3..a4e7da655 100644
--- a/src/app/i18n/zh-tw/resource.json
+++ b/src/app/i18n/zh-tw/resource.json
@@ -19,13 +19,9 @@
     "Sleep": "睡眠",
     "Unlock": "解除鎖定",
     "Reset": "重置",
-    "Authentication failed.": "認證失敗",
     "Error": "",
-    "Sign in to {{name}}": "登入 {{name}}",
     "Username": "使用者名稱",
     "Password": "密碼",
-    "Sign In": "登入",
-    "Forgot your password?": "忘記密碼？",
     "Learn more": "深入瞭解",
     "Downloads": "下載",
     "Checking for updates...": "正在檢查更新項目...",
@@ -517,10 +513,7 @@
     "Accept": "",
     "Move to Center": "",
     "Firmware": "",
-    "enabled": "",
-    "disabled": "",
     "Software Updates": "",
-    "Web Server": "",
     "Save": "",
     "Machine": "",
     "Frame": "",
@@ -542,5 +535,7 @@
     "Program: Start": "",
     "Program: Pause": "",
     "Program: Stop": "",
-    "Program: Resume": ""
+    "Program: Resume": "",
+    "Login": "",
+    "Why is it necessary to log in?": ""
 }
diff --git a/src/app/index.jsx b/src/app/index.jsx
index aa6709758..cefa6bed0 100644
--- a/src/app/index.jsx
+++ b/src/app/index.jsx
@@ -9,6 +9,7 @@ import { Provider } from 'react-redux';
 import { createBrowserHistory } from 'history';
 import {
     HashRouter as Router,
+    Switch,
     Route
 } from 'react-router-dom';
 import i18next from 'i18next';
@@ -21,36 +22,34 @@ import settings from './config/settings';
 import portal from './lib/portal';
 import i18n from './lib/i18n';
 import log from './lib/log';
-import auth from './lib/auth';
-import api from './api';
 import series from './lib/promise-series';
 import promisify from './lib/promisify';
-import { authManager, signin, isAuthenticated } from './lib/user';
+import auth from './lib/auth';
 import store from './store';
 import configureReduxStore from './store/redux';
 import App from './containers/App';
 import Login from './containers/Login';
+import Callback from './containers/Login/Callback';
 import Anchor from './components/Anchor';
 import { Button } from './components/Buttons';
 import ModalTemplate from './components/ModalTemplate';
 import Modal from './components/Modal';
 import ProtectedRoute from './components/ProtectedRoute';
 import Space from './components/Space';
-import Workspaces from './lib/workspaces';
 import './styles/vendor.styl';
 import './styles/app.styl';
 
-const renderPage = () => {
-    const baseUrl = window.location.host;
-    const history = createBrowserHistory({ basename: baseUrl });
-    const reduxStore = configureReduxStore(history);
+const baseUrl = window.location.host;
+const history = createBrowserHistory({ basename: baseUrl });
+const reduxStore = configureReduxStore(history);
 
+const renderPage = () => {
     const container = document.createElement('div');
     document.body.appendChild(container);
 
     ReactDOM.render(
         <Provider store={reduxStore}>
-            <OidcProvider store={store} userManager={authManager}>
+            <OidcProvider store={reduxStore} userManager={auth.manager}>
                 <GridSystemProvider
                     breakpoints={[576, 768, 992, 1200]}
                     containerWidths={[540, 720, 960, 1140]}
@@ -59,10 +58,11 @@ const renderPage = () => {
                     layout="floats"
                 >
                     <Router>
-                        <div>
+                        <Switch>
                             <Route path="/login" component={Login} />
+                            <Route path="/callback" component={Callback} />
                             <ProtectedRoute path="/" component={App} />
-                        </div>
+                        </Switch>
                     </Router>
                 </GridSystemProvider>
             </OidcProvider>
@@ -104,41 +104,7 @@ series([
             next();
         });
     })(),
-    () => promisify(next => {
-        const token = store.get('session.token');
-        signin({ token: token })
-            .then(({ authenticated, token }) => {
-                if (authenticated) {
-                    log.debug('Authenticated');
-
-                    auth.host = '';
-                    auth.options = {
-                        query: 'token=' + token
-                    };
-                }
-                next();
-            });
-    })(),
-    () => promisify(next => {
-        if (!isAuthenticated()) {
-            next();
-            return;
-        }
-        api.workspaces
-            .fetch()
-            .then(({ body }) => {
-                if (body && body.records) {
-                    body.records.forEach((record) => {
-                        log.debug(`loading workspace: ${record.name}`);
-                        Workspaces.load(record);
-                    });
-                } else {
-                    log.error('workspaces load error');
-                }
-                next();
-            })
-            .then(Workspaces.connect);
-    })()
+    () => auth.resume(reduxStore),
 ]).then(async () => {
     log.info(`${settings.productName}`);
 
diff --git a/src/app/lib/auth.js b/src/app/lib/auth.js
index e9347676d..e82a7d3c4 100644
--- a/src/app/lib/auth.js
+++ b/src/app/lib/auth.js
@@ -1,6 +1,130 @@
+import api, { authrequest } from 'app/api';
+import config from 'app/store';
+import { createUserManager, loadUser } from 'redux-oidc';
+import Workspaces from 'app/lib/workspaces';
+import log from 'app/lib/log';
+import analytics from 'app/lib/analytics';
+import series from 'app/lib/promise-series';
+import promisify from 'app/lib/promisify';
+
+// Makerverse OAuth login mechanism.
+// The oidc-client handles token hand-off and validation.
+
+const devServer = false;
+const authority = devServer ? 'http://localhost:5000' : 'https://openwork.shop';
+const self = window.location.origin;
+const oauthConfig = {
+    client_id: 'Makerverse',
+    redirect_uri: `${self}/#/callback`,
+    post_logout_redirect_uri: `${self}/#/login`,
+    response_type: 'code',
+    scope: 'OpenWorkShopAPI openid profile',
+    authority: `${authority}/`,
+    silent_redirect_uri: `${self}/silent_renew.html`,
+    automaticSilentRenew: true,
+    filterProtocolClaims: true,
+    loadUserInfo: true,
+    monitorSession: false,
+};
+const authManager = createUserManager(oauthConfig);
+
+let _authenticated = false;
+
+const resume = (reduxStore) => new Promise((resolve, reject) => {
+    loadUser(reduxStore, auth.manager).then(signin).then(resolve);
+});
+
+const signin = (oidc) => new Promise((resolve, reject) => {
+    const token = oidc ? oidc.access_token : null;
+    if (!token) {
+        resolve(false);
+        return;
+    }
+    authrequest
+        .post('/api/signin')
+        .send({ token })
+        .then((res) => {
+            const body = res ? res.body : {};
+
+            if (!body.enabled || !body.user) {
+                log.warn('login failed', body.enabled, body.user);
+                resolve(false);
+            } else {
+                config.set('session.token', token);
+                auth.user = body.user;
+                log.debug('login successful for', auth.user.username);
+                auth.host = '';
+                auth.socket = {
+                    transportOptions: {
+                        polling: {
+                            extraHeaders: {
+                                'Authorization': `Bearer ${token}`,
+                            },
+                        },
+                    },
+                };
+                analytics.set({
+                    userId: auth.user.username,
+                });
+                _authenticated = true;
+            }
+        })
+        .then(() => {
+            log.debug('login loading workspaces...');
+            return api.workspaces.fetch();
+        })
+        .then(({ body }) => {
+            if (body && body.records) {
+                body.records.forEach((record) => {
+                    log.debug(`loading workspace: ${record.name}`);
+                    Workspaces.load(record);
+                });
+            } else {
+                log.error('workspaces load error');
+            }
+            log.debug('login connecting to', Workspaces.all.length, 'workspaces...');
+            const funcs = Object.keys(Workspaces.all).map((id) => {
+                return () => promisify(next => {
+                    const workspace = Workspaces.all[id];
+                    workspace.controller.connect(auth.host, auth.socket, () => {
+                        // @see "src/web/containers/Login/Login.jsx"
+                        next();
+                    });
+                })();
+            });
+            return series(funcs);
+        })
+        .then(() => {
+            log.debug('login complete');
+            resolve(true);
+        })
+        .catch((e) => {
+            log.error('login error', e);
+            resolve(false);
+        });
+});
+
+const signout = () => new Promise((resolve, reject) => {
+    config.unset('session.token');
+    auth.socket = {};
+    authManager.signoutRedirect();
+    _authenticated = false;
+    resolve();
+});
+
+const isAuthenticated = () => {
+    return _authenticated;
+};
+
 const auth = {
     host: '',
-    options: { }
+    socket: { },
+    isAuthenticated: isAuthenticated,
+    manager: authManager,
+    signout: signout,
+    signin: signin,
+    resume: resume,
+    user: null,
 };
 
 export default auth;
diff --git a/src/app/lib/user.js b/src/app/lib/user.js
deleted file mode 100644
index 2ba5b4fdc..000000000
--- a/src/app/lib/user.js
+++ /dev/null
@@ -1,80 +0,0 @@
-import { apirequest } from 'app/api';
-import config from 'app/store';
-import { createUserManager } from 'redux-oidc';
-import log from 'app/lib/log';
-
-// Makerverse OAuth login mechanism.
-// The oidc-client handles token hand-off and validation.
-
-const devServer = true;
-const authority = devServer ? 'http://localhost:5000' : 'https://openwork.shop';
-const self = 'http://localhost:8000';
-const oauthConfig = {
-    client_id: 'Makerverse',
-    redirect_uri: `${self}/#/account/logged-in`,
-    post_logout_redirect_uri: `${self}/#/account/logged-out`,
-    response_type: 'code',
-    scope: 'OpenWorkShopAPI openid profile',
-    authority: `${authority}/`,
-    silent_redirect_uri: `${self}/silent_renew.html`,
-    automaticSilentRenew: true,
-    filterProtocolClaims: true,
-    loadUserInfo: true,
-    monitorSession: false,
-};
-export const authManager = createUserManager(oauthConfig);
-
-export const userProfile = {
-    user: null,
-};
-
-let _authenticated = false;
-
-export const getReturnUrl = () => new Promise((resolve, reject) => {
-    authManager
-        .createSigninRequest()
-        .then((p) => {
-            resolve(p.url);
-        });
-    // resolve(`${self}/logged-in`);
-});
-
-export const call = (path, args) => new Promise((resolve, reject) => {
-    getReturnUrl()
-        .then((url) => {
-            args.returnUrl = url;
-            log.debug(path, 'request', url);
-            return apirequest.post(`${authority}/api/auth/${path}`).send(args); // withCredentials().
-        })
-        .then((res) => {
-            log.debug(path, 'response: ', res.body);
-            if (!res.body.record) {
-                throw new Error('Response was missing data');
-            } else if (res.body.meta && res.body.meta.redirectUrl) {
-                window.location.replace(res.body.meta.redirectUrl);
-            } else {
-                resolve({ success: true });
-            }
-        })
-        .catch((err) => {
-            let body = err.response ? err.response.body : {};
-            log.error(path, 'error:', err.message, body);
-            resolve({ success: false, errors: body.errors || [err.message] });
-        });
-});
-
-export const signin = (args) => call('login', args);
-
-export const signup = (args) => call('register', args);
-
-export const resend = (args) => call('send/email', args);
-
-export const signout = () => new Promise((resolve, reject) => {
-    config.unset('session.token');
-    _authenticated = false;
-    resolve();
-});
-
-export const isAuthenticated = () => {
-    return _authenticated;
-};
diff --git a/src/app/lib/workspaces.jsx b/src/app/lib/workspaces.jsx
index a7f85e27c..35d91b770 100644
--- a/src/app/lib/workspaces.jsx
+++ b/src/app/lib/workspaces.jsx
@@ -2,9 +2,6 @@ import _ from 'lodash';
 import log from 'app/lib/log';
 import events from 'events';
 import WorkspaceAxis from 'app/lib/workspace-axis';
-import series from 'app/lib/promise-series';
-import auth from 'app/lib/auth';
-import promisify from 'app/lib/promisify';
 import MachineSettings from 'app/lib/MachineSettings';
 import api from 'app/api';
 import io from 'socket.io-client';
@@ -13,7 +10,6 @@ import store from '../store';
 import analytics from './analytics';
 import Hardware from './hardware';
 import ActiveState from './active-state';
-import isAuthenticated from './user';
 import {
     MASLOW,
     GRBL,
@@ -56,19 +52,6 @@ class Workspaces extends events.EventEmitter {
         delete Workspaces.all[id];
     }
 
-    static connect() {
-        const funcs = isAuthenticated() ? Object.keys(Workspaces.all).map((id) => {
-            return () => promisify(next => {
-                const workspace = Workspaces.all[id];
-                workspace.controller.connect(auth.host, auth.options, () => {
-                    // @see "src/web/containers/Login/Login.jsx"
-                    next();
-                });
-            })();
-        }) : [];
-        return series(funcs);
-    }
-
     static disconnect() {
         Object.keys(Workspaces.all).map((id) => {
             const workspace = Workspaces.all[id];
diff --git a/src/app/store/redux.js b/src/app/store/redux.js
index b46907be7..a83af6926 100644
--- a/src/app/store/redux.js
+++ b/src/app/store/redux.js
@@ -1,6 +1,5 @@
 import { applyMiddleware, combineReducers, compose, createStore } from 'redux';
 import * as Oidc from 'redux-oidc';
-import { authManager } from '../lib/user';
 
 const reducers = {
 };
@@ -26,7 +25,5 @@ export default function configureStore(history, initialState) {
         compose(applyMiddleware(...middleware), ...enhancers)
     );
 
-    Oidc.loadUser(store, authManager);
-
     return store;
 }
diff --git a/src/app/widgets/Connection/index.jsx b/src/app/widgets/Connection/index.jsx
index 001d48cfa..ec4684006 100644
--- a/src/app/widgets/Connection/index.jsx
+++ b/src/app/widgets/Connection/index.jsx
@@ -1,11 +1,10 @@
 import classNames from 'classnames';
-import includes from 'lodash/includes';
 import PropTypes from 'prop-types';
 import React, { PureComponent } from 'react';
 import Space from 'app/components/Space';
 import Widget from 'app/components/Widget';
 import i18n from 'app/lib/i18n';
-import log from 'app/lib/log';
+// import log from 'app/lib/log';
 import Workspaces from 'app/lib/workspaces';
 import WidgetConfig from '../WidgetConfig';
 import Connection from './Connection';
@@ -116,10 +115,6 @@ class ConnectionWidget extends PureComponent {
     }
 
     getInitialState() {
-        if (!includes(this.workspace.controller.loadedControllers, this.workspace.controllerAttributes.type)) {
-            log.error('controller type not loaded', this.workspace.controllerAttributes.type);
-        }
-
         return {
             minimized: this.config.get('minimized', false),
             isFullscreen: false,
diff --git a/src/app/widgets/Visualizer/Visualizer.jsx b/src/app/widgets/Visualizer/Visualizer.jsx
index 41c50f5c6..e76e77bc1 100644
--- a/src/app/widgets/Visualizer/Visualizer.jsx
+++ b/src/app/widgets/Visualizer/Visualizer.jsx
@@ -434,7 +434,8 @@ class Visualizer extends Component {
         cuboid.position.set(
             this.workspace.axes.x.middle,
             this.workspace.axes.y.middle,
-            this.workspace.axes.z.middle);
+            this.workspace.axes.z.middle
+        );
         return cuboid;
     }
 
diff --git a/src/package.json b/src/package.json
index c0bf3beda..14b5335c9 100644
--- a/src/package.json
+++ b/src/package.json
@@ -28,7 +28,6 @@
     "esprima": "~4.0.1",
     "expand-tilde": "~2.0.2",
     "express": "~4.16.4",
-    "express-jwt": "~5.3.1",
     "express-session": "~1.16.1",
     "gcode-parser": "~1.3.6",
     "hogan.js": "~3.0.2",
@@ -37,12 +36,10 @@
     "i18next-express-middleware": "~1.8.0",
     "i18next-node-fs-backend": "~2.1.3",
     "is-electron": "~2.2.0",
-    "jsonwebtoken": "~8.5.1",
     "method-override": "~3.0.0",
     "minimatch": "~3.0.4",
     "mkdirp": "~0.5.1",
     "morgan": "~1.9.1",
-    "range_check": "~1.4.0",
     "rimraf": "~2.6.3",
     "serialport": "~7.1.5",
     "serve-favicon": "~2.5.0",
@@ -50,9 +47,9 @@
     "session-file-store": "~1.2.0",
     "shortid": "~2.2.14",
     "socket.io": "~2.2.0",
-    "socketio-jwt": "~4.5.0",
     "spawn-default-shell": "~2.0.0",
     "superagent": "~3.8.3",
+    "superagent-use": "~0.1.0",
     "uuid": "~3.3.2",
     "watch": "~1.0.2",
     "webappengine": "~1.2.0",
diff --git a/src/server-cli.js b/src/server-cli.js
index d70ed377e..3877fb9e1 100644
--- a/src/server-cli.js
+++ b/src/server-cli.js
@@ -89,8 +89,6 @@ export default () => new Promise((resolve, reject) => {
         verbosity: program.verbose,
         mountPoints: program.mount,
         watchDirectory: program.watchDirectory,
-        accessTokenLifetime: program.accessTokenLifetime,
-        allowRemoteAccess: !!program.allowRemoteAccess,
         controller: program.controller
     }, (err, data) => {
         if (err) {
diff --git a/src/server/access-control.js b/src/server/access-control.js
index a599b5c91..4c00e899a 100644
--- a/src/server/access-control.js
+++ b/src/server/access-control.js
@@ -1,55 +1,135 @@
-import ensureArray from 'ensure-array';
-import _ from 'lodash';
-import rangeCheck from 'range_check';
+// import ensureArray from 'ensure-array';
+// import _ from 'lodash';
+// import rangeCheck from 'range_check';
+import { getUserByToken } from './api/api.users';
 import settings from './config/settings';
-import config from './services/configstore';
-
-const whitelist = [
-    // IPv4 reserved space
-    '127.0.0.0/8', // Used for loopback addresses to the local host
-    '10.0.0.0/8', // Used for local communications within a private network
-    '172.16.0.0/12', // Used for local communications within a private network
-    '192.168.0.0/16', // Used for local communications within a private network
-    '169.254.0.0/16', // Link-local address
-
-    // IPv4 mapped IPv6 address
-    '::ffff:10.0.0.0/8',
-    '::ffff:127.0.0.0/8',
-    '::ffff:172.16.0.0/12',
-    '::ffff:192.168.0.0/16',
-
-    // IPv6 reserved space
-    '::1/128', // loopback address to the local host
-    'fc00::/7', // Unique local address
-    'fe80::/10' // Link-local address
-];
-
-export const authorizeIPAddress = (ipaddr) => new Promise((resolve, reject) => {
-    let pass = !!(settings.allowRemoteAccess);
-    pass = pass || whitelist.some(test => rangeCheck.inRange(ipaddr, test));
-
-    if (pass) {
-        resolve();
-    } else {
-        reject(new Error(`Unauthorized IP address: ipaddr=${ipaddr}`));
+// import config from './services/configstore';
+import urljoin from './lib/urljoin';
+import logger from './lib/logger';
+import {
+    ERR_FORBIDDEN
+} from './constants';
+
+const log = logger('access');
+
+// const localIpAddresses = [
+//     // IPv4 reserved space
+//     '127.0.0.0/8', // Used for loopback addresses to the local host
+//     '10.0.0.0/8', // Used for local communications within a private network
+//     '172.16.0.0/12', // Used for local communications within a private network
+//     '192.168.0.0/16', // Used for local communications within a private network
+//     '169.254.0.0/16', // Link-local address
+
+//     // IPv4 mapped IPv6 address
+//     '::ffff:10.0.0.0/8',
+//     '::ffff:127.0.0.0/8',
+//     '::ffff:172.16.0.0/12',
+//     '::ffff:192.168.0.0/16',
+
+//     // IPv6 reserved space
+//     '::1/128', // loopback address to the local host
+//     'fc00::/7', // Unique local address
+//     'fe80::/10' // Link-local address
+// ];
+
+// export const authorizeIPAddress = (ipaddr) => new Promise((resolve, reject) => {
+//     let pass = !!(settings.allowRemoteAccess);
+//     pass = pass || localIpAddresses.some(test => rangeCheck.inRange(ipaddr, test));
+
+//     if (pass) {
+//         resolve();
+//     } else {
+//         reject(new Error(`Unauthorized IP address: ipaddr=${ipaddr}`));
+//     }
+// });
+
+// export const validateUser = (user) => new Promise((resolve, reject) => {
+//     if (!user) {
+//         reject(new Error('User not found'));
+//     }
+//     const { id = null, name = null } = { ...user };
+
+//     const users = ensureArray(config.get('users'))
+//         .filter(user => _.isPlainObject(user))
+//         .map(user => ({
+//             ...user,
+//             // Defaults to true if not explicitly initialized
+//             enabled: (user.enabled !== false)
+//         }));
+//     const enabledUsers = users.filter(user => user.enabled);
+
+//     if ((enabledUsers.length === 0) || _.find(enabledUsers, { id: id, name: name })) {
+//         resolve();
+//     } else {
+//         reject(new Error(`Unauthorized user: user.username=${name}`));
+//     }
+// });
+
+// "Bearer xyz" => xyz
+const getTokenFromHeader = (authHeader) => {
+    if (!authHeader) {
+        return null;
+    }
+    const authHeaderParts = authHeader.split(' ');
+    const hasBearer = authHeaderParts.length === 2 && authHeaderParts[0].toLowerCase() === 'bearer';
+    return hasBearer ? authHeaderParts[1] : null;
+};
+
+// Return the associated token for a user (or throw an error)
+const validateToken = (token) => {
+    if (!token) {
+        throw new Error('No token provided');
     }
-});
-
-export const validateUser = (user) => new Promise((resolve, reject) => {
-    const { id = null, name = null } = { ...user };
-
-    const users = ensureArray(config.get('users'))
-        .filter(user => _.isPlainObject(user))
-        .map(user => ({
-            ...user,
-            // Defaults to true if not explicitly initialized
-            enabled: (user.enabled !== false)
-        }));
-    const enabledUsers = users.filter(user => user.enabled);
-
-    if ((enabledUsers.length === 0) || _.find(enabledUsers, { id: id, name: name })) {
-        resolve();
-    } else {
-        reject(new Error(`Unauthorized user: user.id=${id}, user.name=${name}`));
+    const user = getUserByToken(token);
+    if (!user) {
+        throw new Error('No user found for token');
     }
-});
+    if (!user.enabled) {
+        throw new Error('The user is not enabled');
+    }
+    return user;
+};
+
+const doesPathRequireAuth = (path) => {
+    const apiRoute = urljoin(settings.route, 'api/');
+    const signinRoute = urljoin(settings.route, 'api/signin');
+    return path.indexOf(apiRoute) === 0 && path.indexOf(signinRoute) !== 0;
+};
+
+// Express middleware for authing a request
+export const authExpressMiddleware = (req, res, next) => {
+    if (!doesPathRequireAuth(req.path)) {
+        // The React SPA does not require auth.
+        next();
+        return;
+    }
+
+    const token = getTokenFromHeader(req.headers.authorization);
+    log.silly('auth api request', token);
+
+    try {
+        validateToken(token);
+    } catch (err) {
+        const ipaddr = req.ip || req.connection.remoteAddress;
+        log.warn(`Forbidden: ipaddr=${ipaddr}, code="${err.code}", message="${err.message}"`);
+        res.status(ERR_FORBIDDEN).end('Forbidden Access');
+        return;
+    }
+
+    next();
+};
+
+export const authSocketIoMiddleware = (socket, next) => {
+    const token = getTokenFromHeader(socket.request.headers.authorization);
+    log.silly('auth socket request', token);
+
+    try {
+        socket.user = validateToken(token);
+    } catch (err) {
+        log.warn(err);
+        next(err);
+        return;
+    }
+
+    next();
+};
diff --git a/src/server/api/api.users.js b/src/server/api/api.users.js
index f20a5315b..b3eb6a0ea 100644
--- a/src/server/api/api.users.js
+++ b/src/server/api/api.users.js
@@ -1,35 +1,71 @@
-import jwt from 'jsonwebtoken';
-import bcrypt from 'bcrypt-nodejs';
+// import jwt from 'jsonwebtoken';
+// import bcrypt from 'bcrypt-nodejs';
 import ensureArray from 'ensure-array';
 import isPlainObject from 'lodash/isPlainObject';
-import find from 'lodash/find';
-import some from 'lodash/some';
-import uuid from 'uuid';
+import superagent from 'superagent';
+import superagentUse from 'superagent-use';
+import _ from 'lodash';
+// import uuid from 'uuid';
 import settings from '../config/settings';
 import logger from '../lib/logger';
 import config from '../services/configstore';
 import { getPagingRange } from './paging';
 import {
-    ERR_BAD_REQUEST,
-    ERR_UNAUTHORIZED,
+    // ERR_BAD_REQUEST,
+    // ERR_UNAUTHORIZED,
     ERR_NOT_FOUND,
-    ERR_CONFLICT,
-    ERR_PRECONDITION_FAILED,
+    // ERR_CONFLICT,
+    // ERR_PRECONDITION_FAILED,
     ERR_INTERNAL_SERVER_ERROR
 } from '../constants';
 
 const log = logger('api:users');
 const CONFIG_KEY = 'users';
 
+const useLocal = false;
+const owsUrl = useLocal ? 'http://localhost:5000' : 'https://openwork.shop';
+
+// Modify request headers and query parameters to prevent caching
+const noCache = (request) => {
+    const now = Date.now();
+    request.set('Cache-Control', 'no-cache');
+    request.set('X-Requested-With', 'XMLHttpRequest');
+
+    if (request.method === 'GET' || request.method === 'HEAD') {
+        // Force requested pages not to be cached by the browser by appending "_={timestamp}" to the GET parameters, this will work correctly with HEAD and GET requests. The parameter is not needed for other types of requests, except in IE8 when a POST is made to a URL that has already been requested by a GET.
+        request._query = ensureArray(request._query);
+        request._query.push(`_=${now}`);
+    }
+};
+
+export const owsreq = superagentUse(superagent);
+owsreq.use(noCache);
+
 // Generate access token
 // https://github.com/auth0/node-jsonwebtoken#jwtsignpayload-secretorprivatekey-options-callback
 // Note. Do not use password and other sensitive fields in the payload
-const generateAccessToken = (payload, secret = settings.secret) => {
-    const token = jwt.sign(payload, secret, {
-        expiresIn: settings.accessTokenLifetime
-    });
+// const generateAccessToken = (payload, secret = settings.secret) => {
+//     const token = jwt.sign(payload, secret, {
+//         expiresIn: settings.accessTokenLifetime
+//     });
+
+//     return token;
+// };
+
+const sanitizeRecord = (record) => {
+    let shouldUpdate = false;
+
+    if (record.enabled === undefined) {
+        record.enabled = true;
+        shouldUpdate = true;
+    }
 
-    return token;
+    if (!Array.isArray(record.tokens)) {
+        record.tokens = [];
+        shouldUpdate = true;
+    }
+
+    return shouldUpdate;
 };
 
 const getSanitizedRecords = () => {
@@ -41,17 +77,12 @@ const getSanitizedRecords = () => {
             records[i] = {};
         }
 
-        const record = records[i];
-
-        if (!record.id) {
-            record.id = uuid.v4();
-            shouldUpdate = true;
+        if (!records[i].username) {
+            // These should not be possible. We need a server ID.
+            continue;
         }
 
-        // Defaults to true
-        if (record.enabled === undefined) {
-            record.enabled = true;
-        }
+        shouldUpdate = sanitizeRecord(records[i]) || shouldUpdate;
     }
 
     if (shouldUpdate) {
@@ -64,75 +95,126 @@ const getSanitizedRecords = () => {
     return records;
 };
 
-export const signin = (req, res) => {
-    const { token = '', name = '', password = '' } = { ...req.body };
+// Helper function for auth to get a user given its token.
+export const getUserByToken = (token) => {
     const users = getSanitizedRecords();
-    const enabledUsers = users.filter(user => {
-        return user.enabled;
-    });
-
-    if (enabledUsers.length === 0) {
-        const user = { id: '', name: '' };
-        const payload = { ...user };
-        const token = generateAccessToken(payload, settings.secret); // generate access token
-        res.send({
-            enabled: false, // session is disabled
-            token: token,
-            name: user.name // empty name
-        });
-        return;
-    }
-
-    if (!token) {
-        const user = find(enabledUsers, { name: name });
-        const valid = user && bcrypt.compareSync(password, user.password);
+    return _.find(users, (u) => u.tokens.includes(token));
+};
 
-        if (!valid) {
-            res.status(ERR_UNAUTHORIZED).send({
-                msg: 'Authentication failed'
+export const signin = (req, res) => {
+    const { token = '' } = { ...req.body };
+    // const users = getSanitizedRecords();
+    // const enabledUsers = users.filter(user => {
+    //     return user.enabled;
+    // });
+    owsreq.use((request) => {
+        request.set('Authorization', 'Bearer ' + token);
+    });
+    owsreq.get(`${owsUrl}/api/users/me`)
+        .send()
+        .end((err, result) => {
+            const body = result ? result.body : {};
+            const record = body && body.record ? body.record : {};
+
+            if (err || !record.username) {
+                res.send({ enabled: false, error: err ?? 'User not found' });
+                return;
+            }
+
+            const users = getSanitizedRecords();
+            let userIdx = _.findIndex(users, { username: record.username });
+
+            if (userIdx < 0) {
+                if (users.length > 1) {
+                    // Cannot sign in with a new user when there are already users.
+                    res.send({ enabled: false, error: 'Wrong user (cannot access this installation)' });
+                    return;
+                }
+                // Implicitly create the user
+                const newUser = { ...record };
+                sanitizeRecord(newUser);
+                userIdx = users.length;
+                users.push(newUser);
+            }
+
+            // Make sure the user has the given token
+            if (users[userIdx].tokens.indexOf(token) < 0) {
+                users[userIdx].tokens.push(token);
+                while (users[userIdx].tokens.length > 100) {
+                    users[userIdx].tokens.shift();
+                }
+                log.debug('Added new token for user', record.username);
+                config.set(CONFIG_KEY, users);
+            }
+
+            res.send({
+                enabled: true,
+                user: record,
             });
-            return;
-        }
-
-        const payload = {
-            id: user.id,
-            name: user.name
-        };
-        const token = generateAccessToken(payload, settings.secret); // generate access token
-        res.send({
-            enabled: true, // session is enabled
-            token: token, // new token
-            name: user.name
         });
-        return;
-    }
-
-    jwt.verify(token, settings.secret, (err, user) => {
-        if (err) {
-            res.status(ERR_INTERNAL_SERVER_ERROR).send({
-                msg: 'Internal server error'
-            });
-            return;
-        }
-
-        const iat = new Date(user.iat * 1000).toISOString();
-        const exp = new Date(user.exp * 1000).toISOString();
-        log.debug(`jwt.verify: user.id=${user.id}, user.name=${user.name}, user.iat=${iat}, user.exp=${exp}`);
 
-        user = find(enabledUsers, { id: user.id, name: user.name });
-        if (!user) {
-            res.status(ERR_UNAUTHORIZED).send({
-                msg: 'Authentication failed'
-            });
-            return;
-        }
-
-        res.send({
-            enabled: true, // session is enabled
-            token: token, // old token
-            name: user.name
-        });
-    });
+    // if (enabledUsers.length === 0) {
+    //     const user = { id: '', name: '' };
+    //     const payload = { ...user };
+    //     const token = generateAccessToken(payload, settings.secret); // generate access token
+    //     res.send({
+    //         enabled: false, // session is disabled
+    //         token: token,
+    //         name: user.name // empty name
+    //     });
+    //     return;
+    // }
+
+    // if (!token) {
+    //     const user = find(enabledUsers, { name: name });
+    //     const valid = user && bcrypt.compareSync(password, user.password);
+
+    //     if (!valid) {
+    //         res.status(ERR_UNAUTHORIZED).send({
+    //             msg: 'Authentication failed'
+    //         });
+    //         return;
+    //     }
+
+    //     const payload = {
+    //         id: user.id,
+    //         name: user.name
+    //     };
+    //     const token = generateAccessToken(payload, settings.secret); // generate access token
+    //     res.send({
+    //         enabled: true, // session is enabled
+    //         token: token, // new token
+    //         name: user.name
+    //     });
+    //     return;
+    // }
+
+    // jwt.verify(token, settings.secret, (err, user) => {
+    //     if (err) {
+    //         res.status(ERR_INTERNAL_SERVER_ERROR).send({
+    //             msg: 'Internal server error'
+    //         });
+    //         return;
+    //     }
+
+    //     const iat = new Date(user.iat * 1000).toISOString();
+    //     const exp = new Date(user.exp * 1000).toISOString();
+    //     log.debug(`jwt.verify: user.id=${user.id}, user.name=${user.name}, user.iat=${iat}, user.exp=${exp}`);
+
+    //     user = find(enabledUsers, { id: user.id, name: user.name });
+    //     if (!user) {
+    //         res.status(ERR_UNAUTHORIZED).send({
+    //             msg: 'Authentication failed'
+    //         });
+    //         return;
+    //     }
+
+    //     res.send({
+    //         enabled: true, // session is enabled
+    //         token: token, // old token
+    //         name: user.name
+    //     });
+    // });
 };
 
 export const fetch = (req, res) => {
@@ -166,62 +248,62 @@ export const fetch = (req, res) => {
     }
 };
 
-export const create = (req, res) => {
-    const {
-        enabled = true,
-        name = '',
-        password = ''
-    } = { ...req.body };
-
-    if (!name) {
-        res.status(ERR_BAD_REQUEST).send({
-            msg: 'The "name" parameter must not be empty'
-        });
-        return;
-    }
-
-    if (!password) {
-        res.status(ERR_BAD_REQUEST).send({
-            msg: 'The "password" parameter must not be empty'
-        });
-        return;
-    }
-
-    const records = getSanitizedRecords();
-    if (find(records, { name: name })) {
-        res.status(ERR_CONFLICT).send({
-            msg: 'The specified user already exists'
-        });
-        return;
-    }
-
-    try {
-        const salt = bcrypt.genSaltSync();
-        const hash = bcrypt.hashSync(password.trim(), salt);
-        const records = getSanitizedRecords();
-        const record = {
-            id: uuid.v4(),
-            mtime: new Date().getTime(),
-            enabled: enabled,
-            name: name,
-            password: hash
-        };
-
-        records.push(record);
-        config.set(CONFIG_KEY, records);
-
-        res.send({ id: record.id, mtime: record.mtime });
-    } catch (err) {
-        res.status(ERR_INTERNAL_SERVER_ERROR).send({
-            msg: 'Failed to save ' + JSON.stringify(settings.rcfile)
-        });
-    }
-};
+// export const create = (req, res) => {
+//     const {
+//         enabled = true,
+//         name = '',
+//         password = ''
+//     } = { ...req.body };
+
+//     if (!name) {
+//         res.status(ERR_BAD_REQUEST).send({
+//             msg: 'The "name" parameter must not be empty'
+//         });
+//         return;
+//     }
+
+//     if (!password) {
+//         res.status(ERR_BAD_REQUEST).send({
+//             msg: 'The "password" parameter must not be empty'
+//         });
+//         return;
+//     }
+
+//     const records = getSanitizedRecords();
+//     if (find(records, { name: name })) {
+//         res.status(ERR_CONFLICT).send({
+//             msg: 'The specified user already exists'
+//         });
+//         return;
+//     }
+
+//     try {
+//         const salt = bcrypt.genSaltSync();
+//         const hash = bcrypt.hashSync(password.trim(), salt);
+//         const records = getSanitizedRecords();
+//         const record = {
+//             id: uuid.v4(),
+//             mtime: new Date().getTime(),
+//             enabled: enabled,
+//             name: name,
+//             password: hash
+//         };
+
+//         records.push(record);
+//         config.set(CONFIG_KEY, records);
+
+//         res.send({ id: record.id, mtime: record.mtime });
+//     } catch (err) {
+//         res.status(ERR_INTERNAL_SERVER_ERROR).send({
+//             msg: 'Failed to save ' + JSON.stringify(settings.rcfile)
+//         });
+//     }
+// };
 
 export const read = (req, res) => {
     const id = req.params.id;
     const records = getSanitizedRecords();
-    const record = find(records, { id: id });
+    const record = _.find(records, { id: id });
 
     if (!record) {
         res.status(ERR_NOT_FOUND).send({
@@ -234,70 +316,70 @@ export const read = (req, res) => {
     res.send({ id, mtime, enabled, name });
 };
 
-export const update = (req, res) => {
-    const id = req.params.id;
-    const records = getSanitizedRecords();
-    const record = find(records, { id: id });
-
-    if (!record) {
-        res.status(ERR_NOT_FOUND).send({
-            msg: 'Not found'
-        });
-        return;
-    }
-
-    const {
-        enabled = record.enabled,
-        name = record.name,
-        oldPassword = '',
-        newPassword = ''
-    } = { ...req.body };
-    const willChangePassword = oldPassword && newPassword;
-
-    // Skip validation for "enabled" and "name"
-
-    if (willChangePassword && !bcrypt.compareSync(oldPassword, record.password)) {
-        res.status(ERR_PRECONDITION_FAILED).send({
-            msg: 'Incorrect password'
-        });
-        return;
-    }
-
-    const inuse = (record) => {
-        return record.id !== id && record.name === name;
-    };
-    if (some(records, inuse)) {
-        res.status(ERR_CONFLICT).send({
-            msg: 'The specified user already exists'
-        });
-        return;
-    }
-
-    try {
-        record.mtime = new Date().getTime();
-        record.enabled = Boolean(enabled);
-        record.name = String(name || '');
-
-        if (willChangePassword) {
-            const salt = bcrypt.genSaltSync();
-            const hash = bcrypt.hashSync(newPassword.trim(), salt);
-            record.password = hash;
-        }
-
-        config.set(CONFIG_KEY, records);
-
-        res.send({ id: record.id, mtime: record.mtime });
-    } catch (err) {
-        res.status(ERR_INTERNAL_SERVER_ERROR).send({
-            msg: 'Failed to save ' + JSON.stringify(settings.rcfile)
-        });
-    }
-};
+// export const update = (req, res) => {
+//     const id = req.params.id;
+//     const records = getSanitizedRecords();
+//     const record = find(records, { id: id });
+
+//     if (!record) {
+//         res.status(ERR_NOT_FOUND).send({
+//             msg: 'Not found'
+//         });
+//         return;
+//     }
+
+//     const {
+//         enabled = record.enabled,
+//         name = record.name,
+//         oldPassword = '',
+//         newPassword = ''
+//     } = { ...req.body };
+//     const willChangePassword = oldPassword && newPassword;
+
+//     // Skip validation for "enabled" and "name"
+
+//     if (willChangePassword && !bcrypt.compareSync(oldPassword, record.password)) {
+//         res.status(ERR_PRECONDITION_FAILED).send({
+//             msg: 'Incorrect password'
+//         });
+//         return;
+//     }
+
+//     const inuse = (record) => {
+//         return record.id !== id && record.name === name;
+//     };
+//     if (some(records, inuse)) {
+//         res.status(ERR_CONFLICT).send({
+//             msg: 'The specified user already exists'
+//         });
+//         return;
+//     }
+
+//     try {
+//         record.mtime = new Date().getTime();
+//         record.enabled = Boolean(enabled);
+//         record.name = String(name || '');
+
+//         if (willChangePassword) {
+//             const salt = bcrypt.genSaltSync();
+//             const hash = bcrypt.hashSync(newPassword.trim(), salt);
+//             record.password = hash;
+//         }
+
+//         config.set(CONFIG_KEY, records);
+
+//         res.send({ id: record.id, mtime: record.mtime });
+//     } catch (err) {
+//         res.status(ERR_INTERNAL_SERVER_ERROR).send({
+//             msg: 'Failed to save ' + JSON.stringify(settings.rcfile)
+//         });
+//     }
+// };
 
 export const __delete = (req, res) => {
     const id = req.params.id;
     const records = getSanitizedRecords();
-    const record = find(records, { id: id });
+    const record = _.find(records, { id: id });
 
     if (!record) {
         res.status(ERR_NOT_FOUND).send({
diff --git a/src/server/app.js b/src/server/app.js
index f423a1f53..365bcfc8a 100644
--- a/src/server/app.js
+++ b/src/server/app.js
@@ -9,12 +9,10 @@ import connectRestreamer from 'connect-restreamer';
 import engines from 'consolidate';
 import errorhandler from 'errorhandler';
 import express from 'express';
-import expressJwt from 'express-jwt';
 import session from 'express-session';
 import 'hogan.js'; // required by consolidate
 import i18next from 'i18next';
 import i18nextBackend from 'i18next-node-fs-backend';
-import jwt from 'jsonwebtoken';
 import methodOverride from 'method-override';
 import morgan from 'morgan';
 import favicon from 'serve-favicon';
@@ -35,14 +33,7 @@ import errclient from './lib/middleware/errclient';
 import errlog from './lib/middleware/errlog';
 import errnotfound from './lib/middleware/errnotfound';
 import errserver from './lib/middleware/errserver';
-import config from './services/configstore';
-import {
-    authorizeIPAddress,
-    validateUser
-} from './access-control';
-import {
-    ERR_FORBIDDEN
-} from './constants';
+import { authExpressMiddleware } from './access-control';
 
 const log = logger('app');
 
@@ -102,20 +93,6 @@ const appMain = () => {
         .use(i18nextLanguageDetector)
         .init(settings.i18next);
 
-    app.use(async (req, res, next) => {
-        try {
-            // IP Address Access Control
-            const ipaddr = req.ip || req.connection.remoteAddress;
-            await authorizeIPAddress(ipaddr);
-        } catch (err) {
-            log.warn(err);
-            res.status(ERR_FORBIDDEN).end('Forbidden Access');
-            return;
-        }
-
-        next();
-    });
-
     // Removes the 'X-Powered-By' header in earlier versions of Express
     app.use((req, res, next) => {
         res.removeHeader('X-Powered-By');
@@ -204,50 +181,7 @@ const appMain = () => {
 
     app.use(i18nextHandle(i18next, {}));
 
-    { // Secure API Access
-        app.use(urljoin(settings.route, 'api'), expressJwt({
-            secret: config.get('secret'),
-            credentialsRequired: true
-        }));
-
-        app.use(async (err, req, res, next) => {
-            let bypass = !(err && (err.name === 'UnauthorizedError'));
-
-            // Check whether the app is running in development mode
-            bypass = bypass || (process.env.NODE_ENV === 'development');
-
-            // Check whether the request path is not restricted
-            const whitelist = [
-                // Also see "src/app/api/index.js"
-                urljoin(settings.route, 'api/signin')
-            ];
-            bypass = bypass || whitelist.some(path => {
-                return req.path.indexOf(path) === 0;
-            });
-
-            if (!bypass) {
-                // Check whether the provided credential is correct
-                const token = _get(req, 'query.token') || _get(req, 'body.token');
-                try {
-                    // User Validation
-                    const user = jwt.verify(token, settings.secret) || {};
-                    await validateUser(user);
-                    bypass = true;
-                } catch (err) {
-                    log.warn(err);
-                }
-            }
-
-            if (!bypass) {
-                const ipaddr = req.ip || req.connection.remoteAddress;
-                log.warn(`Forbidden: ipaddr=${ipaddr}, code="${err.code}", message="${err.message}"`);
-                res.status(ERR_FORBIDDEN).end('Forbidden Access');
-                return;
-            }
-
-            next();
-        });
-    }
+    app.use(authExpressMiddleware);
 
     { // Register API routes with public access
         // Also see "src/app/app.js"
@@ -311,9 +245,9 @@ const appMain = () => {
 
         // Users
         app.get(urljoin(settings.route, 'api/users'), api.users.fetch);
-        app.post(urljoin(settings.route, 'api/users/'), api.users.create);
+        // app.post(urljoin(settings.route, 'api/users/'), api.users.create);
         app.get(urljoin(settings.route, 'api/users/:id'), api.users.read);
-        app.put(urljoin(settings.route, 'api/users/:id'), api.users.update);
+        // app.put(urljoin(settings.route, 'api/users/:id'), api.users.update);
         app.delete(urljoin(settings.route, 'api/users/:id'), api.users.__delete);
 
         // Watch
diff --git a/src/server/config/settings.base.js b/src/server/config/settings.base.js
index 96fccb79d..403d4c778 100644
--- a/src/server/config/settings.base.js
+++ b/src/server/config/settings.base.js
@@ -26,12 +26,6 @@ export default {
     // @see "src/app/index.js"
     secret: secret,
 
-    // Access Token Lifetime
-    accessTokenLifetime: '30d', // https://github.com/zeit/ms
-
-    // Allow Remote Access
-    allowRemoteAccess: false,
-
     // Express view engine
     view: {
         // Set html (w/o dot) as the default extension
diff --git a/src/server/index.js b/src/server/index.js
index c7edad1b1..fb97452f6 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -12,7 +12,6 @@ import httpProxy from 'http-proxy';
 import escapeRegExp from 'lodash/escapeRegExp';
 import isEqual from 'lodash/isEqual';
 import set from 'lodash/set';
-import size from 'lodash/size';
 import trimEnd from 'lodash/trimEnd';
 import uniqWith from 'lodash/uniqWith';
 import webappengine from 'webappengine';
@@ -103,26 +102,6 @@ const createServer = (options, callback) => {
         }
     }
 
-    { // accessTokenLifetime
-        const accessTokenLifetime = options.accessTokenLifetime || config.get('accessTokenLifetime');
-
-        if (accessTokenLifetime) {
-            set(settings, 'accessTokenLifetime', accessTokenLifetime);
-        }
-    }
-
-    { // allowRemoteAccess
-        const allowRemoteAccess = options.allowRemoteAccess || config.get('allowRemoteAccess', false);
-
-        if (allowRemoteAccess) {
-            if (size(config.get('users')) === 0) {
-                log.warn('You\'ve enabled remote access to the server. It\'s recommended to create an user account to protect against malicious attacks.');
-            }
-
-            set(settings, 'allowRemoteAccess', allowRemoteAccess);
-        }
-    }
-
     const { port = 0, host, backlog } = options;
     const mountPoints = uniqWith([
         ...ensureArray(options.mountPoints),
diff --git a/src/server/services/cncengine/CNCEngine.js b/src/server/services/cncengine/CNCEngine.js
index 77db375c8..8e4cc4270 100644
--- a/src/server/services/cncengine/CNCEngine.js
+++ b/src/server/services/cncengine/CNCEngine.js
@@ -2,10 +2,8 @@ import ensureArray from 'ensure-array';
 import noop from 'lodash/noop';
 import SerialPort from 'serialport';
 import socketIO from 'socket.io';
-import socketioJwt from 'socketio-jwt';
 import EventTrigger from '../../lib/EventTrigger';
 import logger from '../../lib/logger';
-import settings from '../../config/settings';
 import store from '../../store';
 import config from '../configstore';
 import taskRunner from '../taskrunner';
@@ -21,10 +19,7 @@ import { MARLIN } from '../../controllers/Marlin/constants';
 import { SMOOTHIE } from '../../controllers/Smoothie/constants';
 import { TINYG } from '../../controllers/TinyG/constants';
 import { MASLOW } from '../../controllers/Maslow/constants';
-import {
-    authorizeIPAddress,
-    validateUser
-} from '../../access-control';
+import { authSocketIoMiddleware } from '../../access-control';
 
 const log = logger('service:cncengine');
 
@@ -95,33 +90,12 @@ class CNCEngine {
             path: '/socket.io'
         });
 
-        this.io.use(socketioJwt.authorize({
-            secret: settings.secret,
-            handshake: true
-        }));
-
-        this.io.use(async (socket, next) => {
-            try {
-                // IP Address Access Control
-                const ipaddr = socket.handshake.address;
-                await authorizeIPAddress(ipaddr);
-
-                // User Validation
-                const user = socket.decoded_token || {};
-                await validateUser(user);
-            } catch (err) {
-                log.warn(err);
-                next(err);
-                return;
-            }
-
-            next();
-        });
+        this.io.use(authSocketIoMiddleware);
 
         this.io.on('connection', (socket) => {
             const address = socket.handshake.address;
-            const user = socket.decoded_token || {};
-            log.debug(`New connection from ${address}: id=${socket.id}, user.id=${user.id}, user.name=${user.name}`);
+            const user = socket.user || {};
+            log.debug(`New connection from ${address}: id=${socket.id}, user.username=${user.username}`);
 
             // Add to the socket pool
             this.sockets.push(socket);
@@ -135,7 +109,7 @@ class CNCEngine {
             });
 
             socket.on('disconnect', () => {
-                log.debug(`Disconnected from ${address}: id=${socket.id}, user.id=${user.id}, user.name=${user.name}`);
+                log.debug(`Disconnected from ${address}: id=${socket.id}, user.username=${user.username}`);
 
                 const controllers = store.get('controllers', {});
                 Object.keys(controllers).forEach(port => {