authorFuwn <[email protected]>2026-02-10 00:06:15 -0800
committerFuwn <[email protected]>2026-02-10 00:06:15 -0800
commit4dbc34c0261bb21d0109c31014b8b46abf7f20fd (patch)
tree6672ce9e30d45f78ab2b43f7270d3f81d78d9496 /apps/web/app/api/webhook-config/test/route.ts
parentfix: resolve Supabase security and performance advisories (diff)
fix: P2 security hardening and tier limit parity
Webhook routes now use the server client (subject to RLS) instead of the admin client. Added DNS-resolution SSRF protection for webhook URLs that blocks private IP ranges. Added a tier-limit parity check script.
Diffstat (limited to 'apps/web/app/api/webhook-config/test/route.ts')
-rw-r--r--apps/web/app/api/webhook-config/test/route.ts13
1 files changed, 10 insertions, 3 deletions
diff --git a/apps/web/app/api/webhook-config/test/route.ts b/apps/web/app/api/webhook-config/test/route.ts
index ae17c5b..81c3942 100644
--- a/apps/web/app/api/webhook-config/test/route.ts
+++ b/apps/web/app/api/webhook-config/test/route.ts
@@ -1,9 +1,9 @@
import { NextResponse } from "next/server"
import { createHmac } from "crypto"
import { createSupabaseServerClient } from "@/lib/supabase/server"
-import { createSupabaseAdminClient } from "@/lib/supabase/admin"
import { TIER_LIMITS, type SubscriptionTier } from "@asa-news/shared"
import { rateLimit } from "@/lib/rate-limit"
+import { validateWebhookUrl } from "@/lib/validate-webhook-url"
import { checkBotId } from "botid/server"
export async function POST() {
@@ -26,8 +26,7 @@ export async function POST() {
return NextResponse.json({ error: "too many requests" }, { status: 429 })
}
- const adminClient = createSupabaseAdminClient()
- const { data: profile } = await adminClient
+ const { data: profile } = await supabaseClient
.from("user_profiles")
.select(
"tier, webhook_url, webhook_secret, webhook_enabled"
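Review bot: The query on the new `supabaseClient` still discards the `error` half of the result at `const { data: profile } = await supabaseClient`, so a database or RLS failure is indistinguishable from a profile that simply does not exist and the handler presumably falls through to whatever the later null-check returns. Capture it, `const { data: profile, error: profileError } = await supabaseClient`, and return a 500 when `profileError` is set, before the existing missing-profile handling. Scoping the row by RLS is the point of dropping the admin client, but that only holds if `supabaseClient` was created from the request session earlier in POST; that part of the function, and the rest of its body, lie outside this hunk.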
@@ -52,6 +51,14 @@ export async function POST() {
)
}
+ const validationResult = await validateWebhookUrl(profile.webhook_url)
+ if (!validationResult.valid) {
+ return NextResponse.json(
+ { error: validationResult.error },
+ { status: 400 }
+ )
+ }
+
const testPayload = {
event: "test",
timestamp: new Date().toISOString(),
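Review bot: `validateWebhookUrl` resolves the hostname and rejects private addresses, but the outbound request it guards is presumably made later (outside this hunk) by a separate fetch that re-resolves the name itself, so an attacker-controlled DNS record can answer with a public address during validation and a private one for the actual connection (DNS rebinding), and a public host that responds with a 30x to an internal address is never checked if the fetch follows redirects. The guard should cover the request itself: pass `redirect: "manual"` to the fetch and either connect to the IP that validation returned (sending the original Host header) or re-run the check on every redirect target. If `validationResult` already carries the resolved address, reusing it is the cheaper option; otherwise a comment above the check, `// NOTE: validation and fetch resolve DNS separately — rebinding window until the fetch pins the validated IP`, at least records the gap. POST continues past the end of this hunk.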