Fix: restrict electron-embedded sync server to bind only to configured hostname for security (#5050)

* comment sync server

* Fix: ensure electron-embedded sync server binds to localhost to limit access

* lint and release notes

* rename

* remove hostname config and revert docker yaml

packages/desktop-electron/index.ts

@@ -219,6 +219,7 @@ async function startSyncServer() {
 
     const syncServerConfig = {
       port: globalPrefs.syncServerConfig?.port || 5007,
+      hostname: 'localhost',
       ACTUAL_SERVER_DATA_DIR: path.resolve(
         process.env.ACTUAL_DATA_DIR!,
         'actual-server',
@@ -252,6 +253,7 @@ async function startSyncServer() {
     const envVariables: Env = {
       ...process.env, // required
       ACTUAL_PORT: `${syncServerConfig.port}`,
+      ACTUAL_HOSTNAME: `${syncServerConfig.hostname}`,
       ACTUAL_SERVER_FILES: `${syncServerConfig.ACTUAL_SERVER_FILES}`,
       ACTUAL_USER_FILES: `${syncServerConfig.ACTUAL_USER_FILES}`,
       ACTUAL_DATA_DIR: `${syncServerConfig.ACTUAL_SERVER_DATA_DIR}`,

upcoming-release-notes/5050.md

@@ -0,0 +1,6 @@
+---
+category: Bugfix
+authors: [ShreyasKallingal]
+---
+
+Restrict Electron-embedded sync server to bind only to configured hostname.