crawl4ai
[Bug]: endpoint /token does not require credentials
crawl4ai version
0.7.6
Expected Behavior
When running crawl4ai from the docker image with a security config of
When running crawl4ai from the Docker image with a security config of

```yaml
security:
  enabled: true
  jwt_enabled: true
```

I would expect that a secret must be presented to the endpoint POST /token in order to obtain a temporary access token.
Current Behavior
The endpoint POST /token can be called without any credentials and still returns a valid token that can subsequently be used to call protected endpoints such as POST /crawl. In my understanding this renders the security useless, because anyone with network access to the API can use it.
In previous versions we had CRAWL4AI_API_TOKEN to protect the API from unauthorised usage. But sadly, this simple but effective mechanism has been removed from later versions.
Is this reproducible?
Yes
Inputs Causing the Bug
Steps to Reproduce
1. Build the Docker image using a config.yml with

```yaml
security:
  enabled: true
  jwt_enabled: true
```

2. Run the Docker image
3. Go to http://127.0.0.1:11235/docs#/default/get_token_token_post
4. Obtain a token
5. Use the token to call POST /crawl
Code snippets
deploy/docker/server.py at https://github.com/unclecode/crawl4ai/blob/main/deploy/docker/server.py#L288 does not require any credentials to obtain a valid JWT for subsequent access to protected endpoints:

```python
@app.post("/token")
async def get_token(req: TokenRequest):
    # Only the e-mail domain is validated; no secret, password or
    # pre-existing credential is checked before a token is issued.
    if not verify_email_domain(req.email):
        raise HTTPException(400, "Invalid email domain")
    token = create_access_token({"sub": req.email})
    return {"email": req.email, "access_token": token, "token_type": "bearer"}
```
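To make the gap concrete, here is an added, self-contained example (not crawl4ai's code) that places the reported behaviour next to a hardened variant in which the caller must also present a shared API secret, compared in constant time. The names `API_SECRET`, `JWT_SIGNING_KEY`, `get_token_unauthenticated` and `get_token_with_secret` are hypothetical, the token builder is a minimal standard-library stand-in for the server's JWT helper, and the secret values are constructed for the example.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed values for this example; a deployment would load both from the
# environment (e.g. a CRAWL4AI_API_TOKEN-style variable), never from source.
API_SECRET = "example-shared-secret"
JWT_SIGNING_KEY = b"example-signing-key"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def create_access_token(claims: dict, ttl_seconds: int = 3600) -> str:
    """Minimal HS256-style JWT built with the standard library (stand-in, not crawl4ai's helper)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({**claims, "exp": int(time.time()) + ttl_seconds}).encode())
    sig = hmac.new(JWT_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_access_token(token: str) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(JWT_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims if claims.get("exp", 0) > time.time() else None

def verify_email_domain(email: str) -> bool:
    return email.endswith("@example.com")  # placeholder allow-list for the example

def get_token_unauthenticated(email: str) -> dict:
    """Mirrors the reported behaviour: only the e-mail domain gates token issuance."""
    if not verify_email_domain(email):
        raise ValueError("Invalid email domain")
    return {"email": email, "access_token": create_access_token({"sub": email}), "token_type": "bearer"}

def get_token_with_secret(email: str, api_secret: Optional[str]) -> dict:
    """Hardened variant: a missing or wrong shared secret is rejected before any token is minted."""
    if api_secret is None or not hmac.compare_digest(api_secret, API_SECRET):
        raise PermissionError("Invalid or missing API secret")
    if not verify_email_domain(email):
        raise ValueError("Invalid email domain")
    return {"email": email, "access_token": create_access_token({"sub": email}), "token_type": "bearer"}
```

The unauthenticated variant hands a fully valid, verifiable token to any caller who knows an acceptable e-mail address, which is exactly what the report describes.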
OS
macOS
Python version
3.10
Browser
Firefox
Browser version
No response
Error logs & Screenshots (if applicable)
No response