Description
Describe the bug:
Environment variables prefixed with NEXT_PUBLIC_ are being used inside server-only route handlers (e.g., route.ts files).
Because variables with the NEXT_PUBLIC_ prefix are inlined into the client-side JavaScript bundle, this exposes the backend URL (NEXT_PUBLIC_BACKEND_URL) to the browser. These route handlers run exclusively on the server and do not require public environment variables. Using the NEXT_PUBLIC_ prefix in this context unintentionally leaks internal infrastructure URLs to the client.
To Reproduce
- Open any of the affected route.ts files in the PR.
- Locate usage of process.env.NEXT_PUBLIC_BACKEND_URL.
- Build the Next.js application.
- Inspect the client-side bundle or browser DevTools.
- Observe that the backend URL is exposed in the client-side JavaScript.
Expected behavior
Server-only route handlers should use non-public environment variables (e.g., BACKEND_URL) instead of NEXT_PUBLIC_BACKEND_URL. Internal backend URLs should not be exposed to the client-side bundle.
issue pointed out - here
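As an added example (not code from this issue or the repository), the fix described above together with a lint-style check that catches the reported pattern: a server-only accessor that reads BACKEND_URL, and a scanner that flags process.env.NEXT_PUBLIC_* references inside route.ts files. The file paths and the sample handler sources are constructed.

```typescript
// Added example, not from the issue or the project. Two parts: a scanner that
// reports NEXT_PUBLIC_* reads in server-only Route Handler files, and the
// server-only accessor a fixed handler should call instead.

type Finding = { file: string; line: number; name: string };

// Route Handlers (app/**/route.ts|js) run only on the server, so no value read
// there needs the NEXT_PUBLIC_ prefix; any such read is a needless client leak.
const SERVER_ONLY_FILE = /(^|\/)route\.(ts|js)$/;

function findPublicEnvUsage(file: string, source: string): Finding[] {
  const findings: Finding[] = [];
  // Client code may legitimately use NEXT_PUBLIC_ variables; only check server files.
  if (!SERVER_ONLY_FILE.test(file)) return findings;
  source.split("\n").forEach((text, idx) => {
    const re = /process\.env\.(NEXT_PUBLIC_[A-Z0-9_]+)/g;
    let m: RegExpExecArray | null;
    while ((m = re.exec(text)) !== null) {
      findings.push({ file, line: idx + 1, name: m[1] });
    }
  });
  return findings;
}

// Hardened accessor: reads the non-public variable on the server at request time
// and fails closed if it is missing, rather than fetching from "undefined/...".
function backendUrl(
  env: Record<string, string | undefined> = (globalThis as any).process?.env ?? {}
): string {
  const url = env.BACKEND_URL;
  if (!url) throw new Error("BACKEND_URL is not set (server-only variable)");
  return url;
}

// Constructed handler sources: the reported pattern and the corrected form.
const BEFORE_ROUTE = [
  "export async function GET() {",
  "  const res = await fetch(process.env.NEXT_PUBLIC_BACKEND_URL + '/api/items');",
  "  return Response.json(await res.json());",
  "}",
].join("\n");

const AFTER_ROUTE = [
  "export async function GET() {",
  "  const res = await fetch(backendUrl() + '/api/items');",
  "  return Response.json(await res.json());",
  "}",
].join("\n");
```

Running findPublicEnvUsage over every route.ts in a pre-build step (or a CI job) turns this class of leak into a failed build instead of a post-deploy bundle inspection.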