feat: #177 Secure DEV_TOKEN proxy with NODE_ENV guard and add .env.ex…

[amankoli09]

Closes #177

🔒 Security Fix: DEV_TOKEN Proxy Fallback Restriction

This PR addresses a critical security vulnerability where the API proxy could authorize unauthenticated requests using a development token in production/staging environments.

Problem

The proxy had a DEV_TOKEN fallback that would be used for all requests if set, regardless of environment. If TEST_ACCESS_TOKEN was accidentally deployed on Render or production, every request from unauthenticated users would be authorized, leaking:

• Transaction history
• Personal notifications
• Sensitive user data
• Any protected API endpoints

Solution

✅ Added NODE_ENV === "development" guard to DEV_TOKEN fallback
✅ Added security warning to .env.example
✅ Added detailed JSDoc documentation in proxy source

Changes

• app/api/proxy/[...path]/route.ts: NODE_ENV guard + security documentation
• .env.example: Security warning comment on TEST_ACCESS_TOKEN

Testing

• Local dev (NODE_ENV=development): DEV_TOKEN works as before ✓
• Production (NODE_ENV=production): DEV_TOKEN ignored, requests fail 401 ✓
• Existing authenticated requests: Unaffected ✓

Acceptance Criteria

• DEV_TOKEN only active when NODE_ENV === "development"
• .env.example has clear warning comment
• Security implications documented in source
• Local dev workflows unaffected

[drips-wave]

@amankoli09 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits