
Please add SOME authentication #1199

@michaelni

Description

  • I am on the latest ActivityWatch version.

  • I have searched the issues of this repo and believe that this is not a duplicate.

  • OS name and version: Ubuntu 24.04

  • ActivityWatch version: v0.13.2

Describe the bug

Currently aw_server allows any process that can access 127.0.0.1:5600 full access.

This makes all of the security hinge on it being impossible to access 127.0.0.1:5600.

To Reproduce

Anything with the functionality of curl can download all data; example
with the default setup:

# list the bucket ids, then dump every watcher bucket; no credential is ever required
watchers=$(curl -s 'http://127.0.0.1:5600/api/0/buckets/' | grep -o 'aw-watcher[^"]*')
for w in $watchers; do curl -s "http://127.0.0.1:5600/api/0/buckets/$w/export" >> export; done

Expected behavior

I expect that curl needs a security cookie or password to access the data.

Additional context

There is already some discussion in #32, but it seems to miss the point that this is a problem with the single-user, localhost-only setup already.
The idea of "defense in depth" is that you add authentication because it's trivial and makes the setup much more secure. Without any authentication a single bug in the browser or in JavaScript, or in the firewall, or in ANY application running on the same machine could allow an attacker to access everything.
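The check the issue asks for, as an added example that is not part of the issue text or of ActivityWatch's own code: a loopback HTTP API that keeps the existing protection (binding to 127.0.0.1) and additionally demands a per-install bearer token, so "can open a socket to the port" no longer equals "can read every bucket". The server, the endpoint paths, the token file and the sample bucket are assumptions made for the example; the token is generated at startup and stored with mode 0600, which is what lets a local client running as the same user read it while a web page or another user's process cannot.

```python
# Added illustration, not ActivityWatch code. Endpoint paths mirror the ones
# in the issue; everything else (token file, sample bucket) is an assumption.
import hmac
import http.server
import json
import os
import secrets
import stat
import tempfile
import threading
import urllib.error
import urllib.request

# Constructed sample data standing in for one watcher's bucket export.
BUCKETS = {
    "aw-watcher-window_example": {
        "events": [{"timestamp": "2024-01-01T00:00:00Z", "data": {"title": "private.pdf"}}]
    }
}


def write_token(path):
    """Create a random token and store it 0600 so only the owning user can read it."""
    token = secrets.token_urlsafe(32)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, stat.S_IRUSR | stat.S_IWUSR)
    with os.fdopen(fd, "w") as f:
        f.write(token)
    return token


def is_authorized(auth_header, expected):
    """Accept only 'Bearer <token>', compared in constant time."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return False
    presented = auth_header[len("Bearer "):]
    return hmac.compare_digest(presented.encode(), expected.encode())


def make_handler(token):
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            # The token check runs before any route is looked at.
            if not is_authorized(self.headers.get("Authorization"), token):
                self._reply(401, {"error": "authentication required"},
                            extra={"WWW-Authenticate": 'Bearer realm="aw-server"'})
                return
            if self.path == "/api/0/buckets/":
                self._reply(200, BUCKETS)
            elif self.path.startswith("/api/0/buckets/") and self.path.endswith("/export"):
                bucket = self.path[len("/api/0/buckets/"):-len("/export")]
                if bucket in BUCKETS:
                    self._reply(200, BUCKETS[bucket])
                else:
                    self._reply(404, {"error": "no such bucket"})
            else:
                self._reply(404, {"error": "not found"})

        def _reply(self, status, obj, extra=None):
            body = json.dumps(obj).encode()
            self.send_response(status)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            for k, v in (extra or {}).items():
                self.send_header(k, v)
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the example quiet
            pass

    return Handler


def start_server(token_path=None):
    """Bind to loopback (the existing protection) AND require the token."""
    if token_path is None:
        token_path = os.path.join(tempfile.mkdtemp(), "token")
    token = write_token(token_path)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), make_handler(token))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1], token_path


def fetch(port, path, token=None):
    """Client side: what the curl one-liner does, with and without the secret."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}{path}")
    if token is not None:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read())


if __name__ == "__main__":
    server, port, token_path = start_server()
    print("no token:  ", fetch(port, "/api/0/buckets/"))
    with open(token_path) as f:
        print("with token:", fetch(port, "/api/0/buckets/", f.read()))
    server.shutdown()
```

Run as a script to see the bucket listing refused without the header and returned with it. The shape is the same one a local-only service would use in practice: the secret never travels over the network to a third party, the constant-time compare avoids leaking the token through timing, and a 401 with WWW-Authenticate tells a well-behaved client what is missing without revealing anything about the data.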
