and everyone but a single user just hears the ocean.

I’m sorry, but this made me bust laughing. This is dead accurate for a few people in my life.

Then I have to troubleshoot and tell them to toggle it off and on again…

And this is exactly the type of support a lot of people just don’t want to do (including me). And the options really boil down to settle for supporting all this, or the risk of public access to unauthenticated endpoints.

They could just fix the endpoints and it’ll be a non-issue. But they won’t because “backwards compatibility”.

There are even other options that I can pre-emptively offer… but they all SUCK.

You can whitelist ip access… ISP ips rotate and are dynamic.
You can setup crowdsec and/or fail2ban… until a user fails to login a few times in a row because users are users and get themselves banned, now you’re back to support role.
VPNs already covered ad nauseam.

There are options… they all suck, especially when the answer of JUST FIX THE ENDPOINT is sitting right there.