Also, I did not test this, but if that email sending API endpoint isn't secured, it seems like it would be very easy to spoof a password reset email and make it appear to come from any site using supertokens