bumi
I don't blame anybody! I feel very sorry for you! It sucks big time... (I just complained, and I am sad about your hinting at intentionally being "bad actors" and your blame on open source projects and communities.) Anyway...

PROXY_AUTH: false is set for many apps for a reason, because otherwise they cannot be accessed and/or their APIs do not work. See:
https://github.com/search?q=repo%3Agetumbrel%2Fumbrel-apps%20PROXY_AUTH_ADD&type=code

It's not even about good/bad UX. It is how those things work.
In that combination of running this publicly and not completing the setup, this can be fatal, as we sadly had to see.

We made a PR to change this in the albyhub Umbrel app (about which some also complained because it broke things) - the Umbrel app is community maintained.
Afaik LNBits Umbrel says it will not be changed (I don't know the details, but I think this is valid, as many things and apps would not work then).

This problem might exist on other deployments, too. And it is also not unique to Umbrel: if you install some WordPress and don't complete the setup, then some attacker might be able to take over the server.