Can authentication be tied to cookies/sessions?

I run Duplicacy in a Docker container on my unRAID server, and I access it remotely via the web interface. It appears that once you authenticate, it remains authenticated for 1 day (or as defined in the duplicacy.json file).

That’s a bit of a security risk, for my use case, due to me running this on a server and the GUI being available to anyone on my network. This would mean that once I authenticate in the GUI, someone else could access the GUI, create their own destination that they can access, and then run a job to push my files to their destination.

I would ideally want a user to be able to authenticate themselves before they can access the web GUI. But I believe the way this is designed right now, that’s not possible correct? I believe the current config is designed for a user to run locally on their machine and limit the listening to 127.0.0.1, so no one on the network can see the GUI/service. But if I run on a server and listen on 0.0.0.0, anyone on that network (within the VLAN my server is located on) can take control of Duplicacy as long as I’ve previously authenticated.

After you authenticate by entering the administration password, the web GUI places a cookie in your browser that serves as the token to access all pages. Other users from the same network won’t be able to authenticate because they don’t have the token.
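As a constructed illustration of the two designs being discussed (this is example code added here, not Duplicacy's own implementation), the snippet below contrasts a process-wide "unlocked" flag, where any device on the network is treated as authenticated once anyone has entered the password, with a per-client session token delivered as a cookie, which is what the reply above describes. The password, cookie name, and one-day expiry are assumed sample values.

```python
import hmac
import secrets
import time
from http.cookies import SimpleCookie

# Constructed sample values (not from Duplicacy): the admin password a
# deployment would set, and a session lifetime of one day.
ADMIN_PASSWORD = "example-admin-password"
SESSION_TTL_SECONDS = 24 * 3600


class GlobalFlagAuth:
    """Anti-pattern: a single process-wide flag. After one successful login,
    every client that can reach the listener is treated as authenticated."""

    def __init__(self):
        self.unlocked = False

    def login(self, password):
        if hmac.compare_digest(password, ADMIN_PASSWORD):
            self.unlocked = True
        return self.unlocked

    def is_authenticated(self, cookie_header):
        # The request's cookies are ignored entirely.
        return self.unlocked


class CookieSessionAuth:
    """Per-client session: a successful login mints a random token, returned as
    a Set-Cookie header; a request is authorised only if it presents a valid,
    unexpired token. Other devices on the network have no token to present."""

    COOKIE = "session"

    def __init__(self, now=time.time):
        self._sessions = {}  # token -> expiry timestamp
        self._now = now      # injectable clock so expiry can be tested

    def login(self, password):
        """Return the Set-Cookie header value on success, None on failure."""
        if not hmac.compare_digest(password, ADMIN_PASSWORD):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = self._now() + SESSION_TTL_SECONDS
        return f"{self.COOKIE}={token}; HttpOnly; SameSite=Strict; Path=/"

    def is_authenticated(self, cookie_header):
        cookies = SimpleCookie()
        cookies.load(cookie_header or "")
        morsel = cookies.get(self.COOKIE)
        if morsel is None:
            return False
        expiry = self._sessions.get(morsel.value)
        if expiry is None:
            return False  # unknown or forged token
        if self._now() > expiry:
            del self._sessions[morsel.value]  # expired: drop it server-side
            return False
        return True


def cookie_header_from_set_cookie(set_cookie):
    """Turn 'session=abc; HttpOnly; ...' into the Cookie: value a browser sends back."""
    return set_cookie.split(";", 1)[0]


def demo():
    """Simulate a laptop logging in, then a phone on the same network reloading."""
    results = {}

    g = GlobalFlagAuth()
    g.login(ADMIN_PASSWORD)                                  # laptop logs in
    results["global_other_device"] = g.is_authenticated("")  # phone, no cookie

    c = CookieSessionAuth()
    laptop_cookie = cookie_header_from_set_cookie(c.login(ADMIN_PASSWORD))
    results["cookie_laptop"] = c.is_authenticated(laptop_cookie)
    results["cookie_other_device"] = c.is_authenticated("")
    results["cookie_forged"] = c.is_authenticated("session=not-a-real-token")
    return results


if __name__ == "__main__":
    print(demo())
```

The behaviour the original poster observed (authenticate on one device, every device is then authenticated) matches the first class; the cookie design only grants access to the browser that holds the token, and expiry is enforced server-side so a stale cookie stops working after the configured session lifetime.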

That’s not the behavior I see.

When I start my container I’m asked to authenticate on both my laptop and my phone. If I authenticate on my laptop, then reload the page on my phone, my phone shows me as authenticated. I don’t see a cookie being set in my browser.

This page makes it sound like once you authenticate, it stores a token on the server (not the client’s browser):
https://duplicacy.com/guide.html

Duplicacy Web Edition will store the secure token derived from this password, instead of the password in plaintext, in the OS-specific password storage such as Keychain or Keyring. If such a password storage isn’t available, Duplicacy Web Edition will ask you to enter this password on every restart.

That mimics the behavior I’m seeing. Once I authenticate, I only have to enter my password after I restart the service. But once authenticated, every device on my network has access without authenticating.

What version of the web UI are you using (see the bottom of the Dashboard tab)? I don’t think authentication with the administration password has worked like what I think you’re describing since the web UI was still in beta.

Note that the administration password to access the web UI and master password referred to in the quoted piece of documentation you linked to are separate things. See the setting tab for configuring an administration password and session expiration.

My current webui is:

Duplicacy Web Edition 1.2.0

Is this configurable in some way? Maybe the person that created the container passed a parameter that sets authentication back to an older method?

You only set the master password, which is used to encrypt credentials needed to access storages.

To prevent others on the same network from accessing the web GUI, you need to set the administration password, in the Setting page.

That did it, thank you so much @gchen!