Creating admin user programmatically

I have the following use case. I install Ghost 2.X on AWS in an automated fashion. After installation is done there is no admin user and I need to create one through the GUI. It does not look too secure though. After deployment the blog is already live and theoretically anyone could just open the admin page and create the default admin user (yes, I know, what are the odds, but still - this is a security issue).

Is there a way to create such a user during installation/configuration in an automated fashion or provide credentials (hashed) through a configuration file? I didn't find anything in the documentation.

Regards,
Aleks

Hi there. Do you mean anyone who has login details can log in and create an admin user? You'll be pleased to know that Ghost already performs password hashing as well as other security measures to ensure your Ghost install remains secure: Ghost Security & Privacy

Hi! Thanks for your reply.
What I meant is something different. When I install a fresh copy of Ghost and go to http://example.com/ghost I am being asked to create the very first admin account. It is theoretically possible (I know, very unlikely when I do it for my own blog and I can work around this) that someone could just open that page before me and create that admin account.

I know this is very far-fetched but I would personally feel way better if I was able to somehow pre-program that user before the website goes public. And it could also be helpful for automated processes and setting up blogs on behalf of someone else.

You can automate booting Ghost to initialise the DB and then calling the setup API endpoint to finalise setup so that the window of opportunity is a few ms.
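
The boot-then-setup flow described in the reply above, as an added example that is not part of the original thread or Ghost's own code. The endpoint path, the JSON body shape, the loopback address on port 2368 and the environment variable names are assumptions to check against the installed Ghost version.

```python
import json
import time
import urllib.request

# Assumption: admin API path for this Ghost 2.x install; verify it for your version.
SETUP_PATH = "/ghost/api/v2/admin/authentication/setup/"


def http_json(method, url, body=None):
    """Send a JSON request and return the decoded JSON response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def setup_payload(name, email, password, blog_title):
    """Body shape assumed for the setup endpoint: one object in a 'setup' array."""
    return {"setup": [{"name": name, "email": email,
                       "password": password, "blogTitle": blog_title}]}


def finalize_setup(base_url, payload, http=http_json, retries=30, delay=1.0):
    """Wait for Ghost to answer, create the owner, and fail if setup was already done."""
    url = base_url.rstrip("/") + SETUP_PATH
    for _ in range(retries):
        try:
            status = http("GET", url)["setup"][0]["status"]
            break
        except OSError:  # connection refused or HTTP error while Ghost is booting
            time.sleep(delay)
    else:
        raise TimeoutError("Ghost did not come up")
    if status:
        # An owner already exists that this run did not create: stop the deployment.
        raise RuntimeError("setup already completed; owner not created by this run")
    http("POST", url, payload)
    # Re-read the status to confirm the setup page is now closed.
    return http("GET", url)["setup"][0]["status"]


if __name__ == "__main__":
    import os
    # Hypothetical env var names; run on the instance against loopback.
    owner = setup_payload("Admin", os.environ["GHOST_OWNER_EMAIL"],
                          os.environ["GHOST_OWNER_PASSWORD"], "My Blog")
    print(finalize_setup("http://127.0.0.1:2368", owner))
```

Running this on the instance itself before the load balancer or security group admits outside traffic means the setup page is never reachable while it is still open, and the `RuntimeError` path makes the deployment fail loudly if an owner already exists.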

Is it possible to get a link to the documentation on how to do the finalising of the setup via API?
Thanks