Sub domain take-over by default #1386

Open
code-bunny opened this issue Jun 9, 2021 · 1 comment
Comments

@code-bunny

When launching a new locomotive instance the default config allows first-come, first-served ownership of a new subdomain. This is useful for trying out locomotive on a new host as it means we can create the first account for a subdomain and this becomes the admin for that domain, but if we have locomotive running on a server where many subdomains (or domains) are connected to it then a bad actor can get in before you.

I suggest a remedy is to set config.enable_registration = false by default and have the first (super) admin created on a first-run wizard or via the console.

@jacoblyw

config.enable_registration = false is a good idea.

What I do on first run is pre-populate the MongoDB with a super-user (via an authenticated MongoDB insert), and then set the registration to false. This happens before Locomotive is even installed. I also 404 redirect /locomotive for all domains (except for an admin domain with extra login procedures) which should help avoid login attempts.
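The host-based 404 described in the comment above, written out as a plain Rack middleware. This is an added example, not code from Locomotive or from either participant; the admin host name, the `/locomotive` back-office prefix as the thing to hide, and the constructed downstream app are assumptions. It complements (does not replace) setting `config.enable_registration = false` in the Locomotive initializer.

```ruby
# Rack middleware that answers 404 for the Locomotive back-office (/locomotive
# and everything beneath it) on every host except one designated admin host.
# Any object responding to call(env) is a valid Rack app, so no gem is needed.
class LocomotiveAdminHostGuard
  ADMIN_HOST = "admin.example.com".freeze # assumption: substitute your admin domain

  def initialize(app, admin_host: ADMIN_HOST)
    @app = app
    @admin_host = admin_host.downcase
  end

  # Rack entry point. Returns a 404 triple before the request reaches the
  # application, so tenant domains never expose the sign-in form at all.
  def call(env)
    path = env["PATH_INFO"].to_s
    host = request_host(env)
    if backoffice_path?(path) && host != @admin_host
      return [404, { "Content-Type" => "text/plain" }, ["Not Found"]]
    end
    @app.call(env)
  end

  # Matches "/locomotive" and "/locomotive/..." but not e.g. "/locomotiveblog".
  def backoffice_path?(path)
    path == "/locomotive" || path.start_with?("/locomotive/")
  end

  private

  # The Host header may carry a port and arbitrary case; compare only the
  # lower-cased host part. Behind a reverse proxy, make sure the proxy sets
  # Host to the value it actually routed on.
  def request_host(env)
    raw = env["HTTP_HOST"] || env["SERVER_NAME"] || ""
    raw.split(":").first.to_s.downcase
  end
end

# Constructed downstream app standing in for the Locomotive Rails app.
DOWNSTREAM = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok"]] }

# Helper returning only the status code for a constructed request.
def guarded_status(host, path)
  app = LocomotiveAdminHostGuard.new(DOWNSTREAM, admin_host: "admin.example.com")
  app.call("HTTP_HOST" => host, "PATH_INFO" => path).first
end
```

In a Rails app this would go in `config/application.rb` via `config.middleware.insert_before 0, LocomotiveAdminHostGuard` (the insertion position is a choice, not a Locomotive requirement).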
