Currently duplicacy-web allows anyone to connect to the web interface with the admin credentials, including another user on the same machine if listening on loopback, or literaly anyone else if listening on other interfaces, after admin logged in into the instance. And because duplicacy has read access to everything by design that is a pretty glaring security hole.
In addition, there is no way to logout from the interface so once logged in it forever exposes everything to anyone passing by who cares to look.
- Implementing logout button would be a bare minimum to reduce amount of time it is completely unprotected.
- Session key would also make sense
- 1 and 2 is pointless without HTTPS (passwords can be sniffed and session key stolen)
- So, we need HTTPS, albeit with self-signed certificate.
Is any of this planned?
In the meantime, possible workaround could be to lock it down in a container and access UI via SSH port forwarding, but that is a lot of hassle and I did not think it through completely to be sure that no other issues come up.