fix Filer startup failure due to JWT on / path #8149 (#8167)

* fix Filer startup failure due to JWT on / path #8149

- Comment out JWT keys in security.toml.example
- Revert Dockerfile.local change that enabled security by default
- Exempt GET/HEAD on / from JWT check for health checks

* refactor: simplify JWT bypass condition as per PR feedback

weed/server/filer_jwt_test.go

@@ -119,7 +119,15 @@ func TestFilerServer_maybeCheckJwtAuthorization_Scoped(t *testing.T) {
 			method:           "GET",
 			path:             "/",
 			isWrite:          false,
-			expectAuthorized: false,
+			expectAuthorized: true,
+		},
+		{
+			name:             "root path without token",
+			token:            "",
+			method:           "GET",
+			path:             "/",
+			isWrite:          false,
+			expectAuthorized: true,
 		},
 		{
 			name:             "exact prefix match",
@@ -134,7 +142,9 @@ func TestFilerServer_maybeCheckJwtAuthorization_Scoped(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			req := httptest.NewRequest(tt.method, tt.path, nil)
-			req.Header.Set("Authorization", "Bearer "+tt.token)
+			if tt.token != "" {
+				req.Header.Set("Authorization", "Bearer "+tt.token)
+			}
 			if authorized := fs.maybeCheckJwtAuthorization(req, tt.isWrite); authorized != tt.expectAuthorized {
 				t.Errorf("expected authorized=%v, got %v", tt.expectAuthorized, authorized)
 			}

weed/server/filer_server_handlers.go

@@ -211,6 +211,10 @@ func OptionsHandler(w http.ResponseWriter, r *http.Request, isReadOnly bool) {
 // maybeCheckJwtAuthorization returns true if access should be granted, false if it should be denied
 func (fs *FilerServer) maybeCheckJwtAuthorization(r *http.Request, isWrite bool) bool {
 
+	if !isWrite && r.URL.Path == "/" {
+		return true
+	}
+
 	var signingKey security.SigningKey
 
 	if isWrite {