No Authentication endpoint can be called by anyone

Anyone who knows this endpoint can call it.
No JWT, no session, no API key, no role check.

<img width="970" height="811" alt="Image" src="https://github.com/user-attachments/assets/2da27c3e-ae5b-41a0-a280-d6bfbdaef44c" />

A random user can approve or reject any loan