gleb-sevruk / pycrunch-engine

NCrunch inspired tool for continuous testing Python
https://pycrunch.com

do not listen on 0.0.0.0 by default; provide token-based access #33

Open yarikoptic opened 3 years ago

yarikoptic commented 3 years ago

As originally noted in https://github.com/gleb-sevruk/pycrunch-engine/issues/28#issuecomment-712984961, pycrunch starts by listening on both the localhost (127.0.0.0) and public (0.0.0.0) interfaces. IMHO it is a very insecure default behavior; it should not listen on public interfaces, at least not by default. Even while running on localhost, it should not provide access to itself for any other "user" who can listen on that interface. For that it should either rely on some env variable with a token defined, which would then also be provided by the client along with all requests, or, when started, output the token so the client could pick it up and use it in subsequent communication. Or maybe, by default, communication could be established via some socket file so only the (original) user with access to that file would be able to connect?
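A minimal sketch of the token gate proposed above, as an added example and not code from pycrunch-engine: the bind host defaults to loopback, the shared secret is read from a hypothetical `PYCRUNCH_TOKEN` variable or minted and printed once at startup, and every request must present it as a Bearer token that is compared in constant time.

```python
import hmac
import os
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical names for this example; pycrunch-engine does not define them.
TOKEN_ENV = "PYCRUNCH_TOKEN"
LOOPBACK = "127.0.0.1"


def resolve_bind_host(requested=None):
    """Default to loopback; another interface is used only when asked for explicitly."""
    return requested or LOOPBACK


def load_or_create_token(environ=None):
    """Use the env token or mint a per-session one; returns (token, generated)."""
    env = os.environ if environ is None else environ
    token = env.get(TOKEN_ENV)
    if token:
        return token, False
    return secrets.token_urlsafe(32), True


def authorize(headers, expected_token):
    """Accept only 'Authorization: Bearer <token>' with a constant-time match."""
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not presented:
        return False
    return hmac.compare_digest(presented.encode(), expected_token.encode())


class TokenGuardedHandler(BaseHTTPRequestHandler):
    token = None  # set by serve() before the server starts

    def do_GET(self):
        if not authorize(self.headers, self.token):
            self.send_error(401, "missing or invalid token")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok\n")


def serve(port=5000, host=None):
    TokenGuardedHandler.token, generated = load_or_create_token()
    if generated:
        print(f"{TOKEN_ENV}={TokenGuardedHandler.token}")  # client picks this up
    HTTPServer((resolve_bind_host(host), port), TokenGuardedHandler).serve_forever()
```

Calling `serve()` binds 127.0.0.1:5000 and prints the token when none was supplied; a client then sends `Authorization: Bearer <token>` with each request.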