I run Duplicacy in a Docker container on my unRAID server, and I access it remotely via the web interface. It appears that once you authenticate, it remains authenticated for 1 day (or as defined in the duplicacy.json file).
That’s a bit of a security risk for my use case, because I run this on a server and the GUI is available to anyone on my network. This would mean that once I authenticate in the GUI, someone else could access the GUI, create their own destination that they can access, and then run a job to push my files to their destination.
I would ideally want a user to be able to authenticate themselves before they can access the web GUI. But I believe the way this is designed right now, that’s not possible, correct? I believe the current config is designed for a user to run locally on their machine and limit the listening to 127.0.0.1, so no one on the network can see the GUI/service. But if I run on a server and listen on 0.0.0.0, anyone on that network (within the VLAN my server is located on) can take control of Duplicacy as long as I’ve previously authenticated.
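An added check for the exposure described in the post (example code, not Duplicacy's, Docker's or unRAID's own): it parses the Ports column of `docker ps --format '{{.Names}}\t{{.Ports}}'`, classifies each published port by the host address Docker bound it to, and reports which ones are reachable from the VLAN rather than only from the host itself. The container name, the web port 3875 and the sample `docker ps` lines are constructed for the example.

```python
"""Audit Docker port publications for services bound beyond loopback.

Added example; not Duplicacy, Docker or unRAID code. Input is the output of
    docker ps --format '{{.Names}}\t{{.Ports}}'
The SAMPLE lines below are constructed; the port 3875 is an assumed web-GUI port.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample: one container published on every interface (IPv4 and IPv6),
# one bound to loopback only, and one that only EXPOSEs a port without publishing it.
SAMPLE = (
    "duplicacy\t0.0.0.0:3875->3875/tcp, :::3875->3875/tcp\n"
    "grafana\t127.0.0.1:3000->3000/tcp\n"
    "redis\t6379/tcp\n"
)


@dataclass(frozen=True)
class Publication:
    container: str
    host_addr: str   # address Docker bound on the host; "" when the port is not published
    host_port: str   # host port or port range, kept as text (e.g. "3875" or "5000-5001")
    target: str      # container-side port and protocol, e.g. "3875/tcp"

    @property
    def scope(self) -> str:
        """Who can reach this port: loopback, all-interfaces, one interface, or nobody."""
        if not self.host_addr:
            return "unpublished"
        ip = ipaddress.ip_address(self.host_addr)
        if ip.is_loopback:          # 127.0.0.1 or ::1 -> host-local only
            return "loopback"
        if ip.is_unspecified:       # 0.0.0.0 or :: -> every interface, i.e. the whole VLAN
            return "all-interfaces"
        return "interface"          # a specific host IP, still reachable on that network


def parse_docker_ps(text: str) -> list[Publication]:
    """Parse '<name>\\t<ports>' lines into Publication records."""
    pubs: list[Publication] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, ports = line.partition("\t")
        for entry in filter(None, (p.strip() for p in ports.split(","))):
            if "->" not in entry:
                # "6379/tcp": exposed inside Docker's network only, no host binding
                pubs.append(Publication(name, "", "", entry))
                continue
            host, target = entry.split("->", 1)
            # rpartition handles both "0.0.0.0:3875" and the IPv6 form ":::3875"
            addr, _, port = host.rpartition(":")
            pubs.append(Publication(name, addr, port, target))
    return pubs


def reachable_from_lan(pubs: list[Publication]) -> list[Publication]:
    """Publications that anyone on the host's network segment can connect to."""
    return [p for p in pubs if p.scope in ("all-interfaces", "interface")]


def loopback_publish_flag(pub: Publication) -> str:
    """The docker run -p flag that would bind the same port to loopback instead."""
    loopback = "[::1]" if ipaddress.ip_address(pub.host_addr).version == 6 else "127.0.0.1"
    return f"-p {loopback}:{pub.host_port}:{pub.target}"


if __name__ == "__main__":
    pubs = parse_docker_ps(SAMPLE)
    for p in reachable_from_lan(pubs):
        print(f"{p.container}: {p.host_addr}:{p.host_port} -> {p.target} "
              f"[{p.scope}]  consider: {loopback_publish_flag(p)}")
```

Run it against the real `docker ps` output on the unRAID host to confirm the Duplicacy GUI is the only thing on the list you expect. A port republished on 127.0.0.1 is then reachable from the host only (for example over an SSH tunnel or behind a reverse proxy that performs its own authentication), so a still-valid GUI session is no longer usable from elsewhere on the VLAN; it does not change the session lifetime itself.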