Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sub domain take-over by default #1386

Open
code-bunny opened this issue Jun 9, 2021 · 1 comment
Open

Sub domain take-over by default #1386

code-bunny opened this issue Jun 9, 2021 · 1 comment

Comments

@code-bunny
Copy link

When launching a new locomotive instance the default config allows a first come first served ownership of a new subdomain. This is useful for trying out locomotive on a new host as it means we can create the first account for a subdomain and this becomes the admin for that domain, but if we have locomotive running on a server where many subdomains(or domains) are connected to that then a bad actor can get in before you.

I suggest a remedy is to set config.enable_registration = false by default and have the first (super) admin created on a first-run wizard or via the console.
@jacoblyw
Copy link

config.enable_registration = false is a good idea.

What I do on first run is pre-populate the MongoDB with a super-user (via an authenticated MongoDB insert), and then set the registration to false. This happens before Locomotive is even installed. I also 404 redirect /locomotive for all domains (except for a admin domain with extra login procedures) which should help avoid login attempts.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@code-bunny @jacoblyw