So I am a happy convert from Plex. The install was smooth despite coming in where the service start command isn't working. I set up everything in less than a couple hours and I was off. Then I made user accounts and started making sure the externally facing site was routed correctly and so on. Then I realized as I confirmed that the externally facing site was up, anyone could stumble upon my server and use the accounts. I confirmed this by manually connecting to my server using the Android application and selecting a user.
So my question here is: can we add a separation between internal and external accounts? Perhaps we could force users to create a password or PIN (better than nothing) when they first connect to the server?