I almost did; the fact you couldn't intercept login was the biggest problem for me. I don't see how any public-facing real app cannot be interested in that event. There was no brute-force protection possible otherwise.
We should probably make that default in a subsequent release.
There's still more disclosure than I would like.