Right? There are a lot of very complex suggestions for this simple problem.

To simplify even more, based on the use case, it would probably be fine to just share an inline user:pass@site.com link. That would avoid even needing the user to fill a basic auth form.

Why are we putting generic pictures behind auth?

I get paranoia, but come on. I'd rather open it, and monitor for strange activity/fail2ban to automate banning malicious actors.

Don't overthink it. We're sharing pictures, not government secrets.

You introduced 'generic', as far as I can tell? Maybe they're personal, family, including children, etc. all sorts of things perfectly reasonable not to want 'on the internet' but to share with somebody else specific (by using the internet, sure).

Guess they should use a service like google photos to share them with individuals. Nobody is whitelisting dynamic IP addresses thinking it's secure.

... Or, they could use a private server with http simple auth, and be perfectly secure without having to give all their personal photos to Google