localhost locked "Security Protection" isn't secure

[dskvr]

While I know it seems to be possible, it is incredibly frustrating to get this working in a headless environment. I have spent the day attempting to use this in a docker-compose only workflow all day, and I keep hitting blockers.

...
  env: 
    AUTH_ENABLED: true
    AUTH_PRESET_USERNAME: username
    AUTH_PRESET_PASSWORD: password
...

^ username/password above are placeholders. I tried AUTH_ENABLED: 1 as well.

still get

Notes

1. I would guess that the majority of people are going to be installing this headless; assuming headless by default would be advantageous. In particular, to make this easily installable on anyone's Start9, Umbrel or Unraid a clear path to headless operation would be great.
2. Lifecycle scripts are great, but impeding the ability to deploy sensibly using docker-compose all for a lifecycle management script is probably not the best idea.
3. Not sure how robust that security measure is, as it can probably be spoofed (I'll let you know because that's my only path forward)

[dskvr]

Should have just spoofed it from the beginning, took me about 45 seconds.

Instructions to bypass "Security Protection"

1. Install socat
2. replace "YOURIP" with the target IP and run:

export IP=YOURIP
socat TCP-LISTEN:3087,fork,reuseaddr TCP:$IP:3087

3. Win.

Conclusion

nuke the client-side local gating. because it's not even remotely secure, assume headless by default.

[dialmaster]

I believe the problem was that you used the incorrect syntax in your docker-compose, it should be environment not env, eg:
https://docs.docker.com/compose/how-tos/environment-variables/set-environment-variables/

Like this:

environment:
  AUTH_ENABLED: "true"
  AUTH_PRESET_USERNAME: "username"
  AUTH_PRESET_PASSWORD: "password"

I've tested this fairly extensively and not ran into the issue that you are describing.

Also note that you must meet the minimum length requirements for username and password, see the .env.example:

# These must meet the following validation criteria or they will be ignored:
#   Username: 3-32 characters (no leading/trailing spaces)
#   Password: 8-64 characters

[dskvr]

@dialmaster It actually was environment in my docker-compose, it doesn't work. Tried it again now.

Any "security feature" that is bypassed with simple spoofing isn't low priority, it's p0