locomotivecms / engine

A platform to create, publish and edit sites
http://www.locomotivecms.com

Sub domain take-over by default #1386

Open code-bunny opened 3 years ago

code-bunny commented 3 years ago

When launching a new locomotive instance, the default config allows first-come, first-served ownership of a new subdomain. This is useful for trying out locomotive on a new host, as it means we can create the first account for a subdomain and this becomes the admin for that domain, but if we have locomotive running on a server where many subdomains (or domains) are connected to it, then a bad actor can get in before you.

I suggest a remedy is to set config.enable_registration = false by default and have the first (super) admin created on a first-run wizard or via the console.

jacoblyw commented 2 years ago

config.enable_registration = false is a good idea.

What I do on first run is pre-populate the MongoDB with a super-user (via an authenticated MongoDB insert), and then set the registration to false. This happens before Locomotive is even installed. I also 404 redirect /locomotive for all domains (except for an admin domain with extra login procedures), which should help avoid login attempts.
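As an added illustration (not Locomotive's own code, and not from either commenter), the Ruby below models the three controls discussed in this thread: registration closed by default, a one-shot super-admin bootstrap that refuses to run once any account exists, and a 404 on the back-office path for every host except a dedicated admin domain. The `Config` struct, `AccountStore` and the function names are hypothetical stand-ins so the example runs without a Locomotive install.

```ruby
# Added example, not Locomotive's code: an in-memory stand-in for the account
# store and config, so the logic can be run and checked stand-alone.
Config = Struct.new(:enable_registration, :admin_host)

class AccountStore
  attr_reader :accounts
  def initialize; @accounts = []; end
  def empty?; @accounts.empty?; end
  def create!(email:, super_admin: false)
    @accounts << { email: email, super_admin: super_admin }
  end
end

# Weak default from the issue: open registration means the first visitor to a
# fresh subdomain becomes its admin. Hardened default: registration closed and
# the back office only reachable on one admin host (hypothetical hostname).
WEAK_CONFIG     = Config.new(true,  nil)
HARDENED_CONFIG = Config.new(false, 'admin.example.test')

# Create the first super admin exactly once (console / first-run step),
# before the app is exposed. Refuses if any account already exists, so a
# repeated run cannot add a second privileged account.
def bootstrap_super_admin(store, email:)
  return :already_bootstrapped unless store.empty?
  store.create!(email: email, super_admin: true)
  :created
end

# Self-registration is allowed only when explicitly switched on; an empty
# account store for a new subdomain no longer grants ownership by itself.
def registration_allowed?(config)
  config.enable_registration == true
end

# Route guard for the back-office path: 404 unless the request host is the
# dedicated admin domain. Public site paths are unaffected.
def backoffice_status(config, host:, path:)
  return 200 unless path.start_with?('/locomotive')
  host == config.admin_host ? 200 : 404
end
```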