Introducing SuperMongol 2 πŸ’₯ In-App Admin Panel for Meteor

Introducing SuperMongol 2, an admin tool from Meteor Toys

More info:

SuperMongol recently launched as a quick and easy way to gain administrative capabilites for your Meteor applications. By integrating tightly into the Meteor stack, it allows you to impersonate accounts and edit their data in seconds. This makes customer support and bug repairs very easy.

However, SuperMongol launched as an MVP, just to guage that there is at least some interest in the tool. There have also been many questions about how it protects against brute force attacks. So, I am happy to announce a more refined version of the package that features an improved codebase and clearly shows how SuperMongol secures its functionality.

Improving Security with a Gateway Method

SuperMongol aims to be secure through simplicity. The package only exposes only one API into the server, which requires to requestor to pass two tests before running any operation.

First, Password Protection: You can set a password on the server that end user will have to type in to use SuperMongol. The session lasts on a per-browser-tab basis, which means there is no accidents of people forgetting to sign out, and multiple sessions could be ran across different browser tabs.

Only once Rate Limiting rules are met and the correct password is used, would the SuperMongol functions run.

Second, Rate Limiting: First, the API can only be called 5 times per 5 seconds, and of course, you can change the settings for this right in the source code. Combined with a strong password, this should provide a strong protection against brute force attacks.

Rate limiting has been recently built into Meteor. For more information, look into DDPRateLimiter.

Configuring SuperMongol is Super Easy

First and foremost, SuperMongol must be used with SSL to prevent your password from leaking from the client. With that in place, you just need to run a simple configuration on the server:

// Client Only

SuperMongol = {
  validation: function () {
    if (Meteor.user().isAdmin) {
      return true;
  collections: ["Lists","Todos","Collaborators"],

// Server Only

SuperMongol = {
  password: "Password123 lol jk",
  requestLimit: 5,
  timeout: 5000

This probably doesn’t need to be said, but you should make sure the server code only runs on the server, and not on the client or a shared file.

Try SuperMongol Today

The package is now better than every, and in less than 15 minutes, you can equip your company with whole new powers. And of course, stay tuned for SuperMongol 3, which will come as a free update to all SuperMongol customers.

The price for SuperMongol is just $59 per website, and for a limited time, take 15% off with the coupon β€œsuperduper”.

Thanks for your support,


I’ve just learned that the coupon code was not working because the Gumroad page needed coupons enabled. It has been corrected now :slight_smile: