Vaultwarden app setup issue with TinyAuth (+ suggestion for new feature)

[RealAntithesis]

I'm trying to set up Vaultwarden with NPMPlus using TinyAuth for authentication. This is working fine, except when it comes to the mobile and Windows app, which can't work with the TinyAuth forward_auth. I'm understanding that the usual way to get around this is to add a path.allow label to the Vaultwarden compose file, such as: tinyauth.apps.MyVaultWardenAppSubDomain.path.allow: ^/(api|identity|wl)/

The problem with this (apart from the obvious reduction in security which relies on the app being properly secure and unexploitable), is that this seems to bypass authentication for all of Vaultwarden, including browser and mobile/Window apps. I at least wanted to keep the TinyAuth authentication for the browser. I'm guessing the "api" path is used by both the browser and app versions of Vaultwarden since the above behaviour happens if I only have ^/api as the path.allow.

Is there a way to bypass authentication for just the mobile and Windows Vaultwarden apps with TinyAuth? Even better would be a feature to allow the user to login via a browser to authenticate their IP, which would then allow that device IP to access protected apps as if they had authenticated via TinyAuth, and then blocked when the user logs out of TinyAuth in the browser (and/or after a certain user-definable time has elapsed). I'm not sure if this adds further security concerns, but it sounds like a decent solution for non-browser-based client apps rather than permanently bypassing this authentication layer. I think there is also a proposal here along similar lines.

In the meantime, I'm not sure what I'm doing wrong with the path.allow method above.