authorFuwn <[email protected]>2026-02-08 07:30:20 -0800
committerFuwn <[email protected]>2026-02-08 07:30:20 -0800
commit77b541b358896f077de771f692a2cea48492c296 (patch)
tree20d994a545601b628cf0635c6b5fbef4378d3fce /apps/web/app/api/billing/create-checkout-session
parentfeat: add support email to account settings (diff)
feat: add Vercel BotID protection and fix billing origin fallback
Set up BotID bot detection on sensitive API routes (share, billing, account, webhook-config). Adds client instrumentation, server-side checkBotId() guards, and withBotId next config wrapper. Also fix checkout/portal session routes to fall back to request origin when NEXT_PUBLIC_APP_URL is not set, and center SVG icon properly.
Diffstat (limited to 'apps/web/app/api/billing/create-checkout-session')
-rw-r--r--apps/web/app/api/billing/create-checkout-session/route.ts14
1 files changed, 7 insertions, 7 deletions
diff --git a/apps/web/app/api/billing/create-checkout-session/route.ts b/apps/web/app/api/billing/create-checkout-session/route.ts
index 4eaa08c..1cba7a1 100644
--- a/apps/web/app/api/billing/create-checkout-session/route.ts
+++ b/apps/web/app/api/billing/create-checkout-session/route.ts
@@ -3,8 +3,14 @@ import { createSupabaseServerClient } from "@/lib/supabase/server"
import { createSupabaseAdminClient } from "@/lib/supabase/admin"
import { getStripe } from "@/lib/stripe"
import { rateLimit } from "@/lib/rate-limit"
+import { checkBotId } from "botid/server"
export async function POST(request: Request) {
+ const botVerification = await checkBotId()
+ if (botVerification.isBot) {
+ return NextResponse.json({ error: "access denied" }, { status: 403 })
+ }
+
const supabaseClient = await createSupabaseServerClient()
const {
data: { user },
@@ -128,13 +134,7 @@ export async function POST(request: Request) {
}
}
- const origin = process.env.NEXT_PUBLIC_APP_URL?.replace(/\/$/, "")
- if (!origin) {
- return NextResponse.json(
- { error: "application URL is not configured" },
- { status: 500 }
- )
- }
+ const origin = process.env.NEXT_PUBLIC_APP_URL?.replace(/\/$/, "") || new URL(request.url).origin
const checkoutSession = await getStripe().checkout.sessions.create({
customer: stripeCustomerIdentifier,
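Review bot: The new fallback `new URL(request.url).origin` on the `const origin` line is derived from the incoming request's Host (and, in proxied Next.js deployments, forwarded-host) headers, which the client controls; if `origin` is used for the Stripe `success_url`/`cancel_url` in the `checkout.sessions.create` call that continues below this hunk, a deployment without `NEXT_PUBLIC_APP_URL` would let a crafted Host header steer the post-payment redirect to an attacker-chosen host. The removed 500 response made a missing configuration a loud failure; the replacement silently trusts request data instead. Either keep the hard failure and treat the env var as required, or validate the fallback against a fixed set of known deployment origins: `const requestOrigin = new URL(request.url).origin` then `const origin = configuredOrigin || (KNOWN_ORIGINS.includes(requestOrigin) ? requestOrigin : undefined)` (KNOWN_ORIGINS is a placeholder name), returning the existing 500 when `origin` is still empty. The commit message says the same fallback was applied to the portal session route, which is outside this diffstat, so the same point applies there. The enclosing `POST` body starts and ends outside the hunk.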