feat(api): implement rate limiting and SSRF protection across endpoints

- Added rate limiting to `reaction-users`, `search`, and `image-proxy` APIs to prevent abuse.
- Introduced SSRF protection in `image-proxy` to block requests to private IP ranges.
- Enhanced `link-preview` to use `linkedom` for HTML parsing and improved meta tag extraction.
- Refactored authentication checks in various pages to utilize middleware for cleaner code.
- Improved JWT key loading with error handling and security warnings for production.
- Updated `authFetch` utility to handle token refresh more efficiently with deduplication.
- Enhanced rate limiting utility to trust proxy headers from known sources.
- Numerous layout / design changes
2025-12-05 14:21:52 -05:00
parent 55e4c5ff0c
commit e18aa3f42c
44 changed files with 3512 additions and 892 deletions


@@ -23,7 +23,7 @@ export const RADIO_API_URL = "https://radio-api.codey.lol";
export const socialLinks = {
};
export const MAJOR_VERSION = "0.4"
export const MAJOR_VERSION = "0.5"
export const RELEASE_FLAG = null;
export const ENVIRONMENT = import.meta.env.DEV ? "Dev" : "Prod";
@@ -51,4 +51,23 @@ export const WHITELABELS = {
// Subsite mapping: host -> site path
export const SUBSITES = {
'req.boatson.boats': '/subsites/req',
};
};
// Protected routes configuration
// Routes listed here require authentication - middleware will redirect to /login if not authenticated
// Can be a string (just auth required) or object with roles array for role-based access
export const PROTECTED_ROUTES = [
'/radio',
{ path: '/lighting', roles: ['lighting'] },
{ path: '/discord-logs', roles: ['discord'] },
'/memes',
'/TRip',
'/TRip/requests',
];
// Routes that should skip auth check entirely (public routes)
export const PUBLIC_ROUTES = [
'/',
'/login',
'/api/',
];
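Review bot: The matching rule for these two lists is not stated anywhere in the hunk, and it decides whether `'/'` and `'/api/'` in PUBLIC_ROUTES are exact paths or prefixes — under prefix matching `'/'` would match every request and make PROTECTED_ROUTES moot, and `'/api/'` would leave authorization entirely to each API handler rather than the middleware this commit introduces. The middleware that consumes these constants is outside this hunk, so I cannot confirm which it is from here; the comment above PROTECTED_ROUTES should record it, e.g. `// Paths are compared by <exact match | path prefix — TODO confirm in middleware>; when a path appears in both lists, <PUBLIC_ROUTES | PROTECTED_ROUTES — TODO confirm> wins`. It is also worth noting whether the comparison is case-sensitive, since `'/TRip'` and `'/TRip/requests'` are mixed-case while every other entry is lower-case, and a case-folding router would otherwise let `/trip` bypass the protected list.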