feat(api): implement rate limiting and SSRF protection across endpoints

- Added rate limiting to `reaction-users`, `search`, and `image-proxy` APIs to prevent abuse.
- Introduced SSRF protection in `image-proxy` to block requests to private IP ranges.
- Enhanced `link-preview` to use `linkedom` for HTML parsing and improved meta tag extraction.
- Refactored authentication checks in various pages to utilize middleware for cleaner code.
- Improved JWT key loading with error handling and security warnings for production.
- Updated `authFetch` utility to handle token refresh more efficiently with deduplication.
- Enhanced rate limiting utility to trust proxy headers from known sources.
- Numerous layout / design changes

src/utils/jwt.js

@@ -3,14 +3,30 @@ import fs from 'fs';
 import path from 'path';
 import os from 'os';
 
-const secretFilePath = path.join(
+// JWT keys location - can be configured via environment variable
+// In production, prefer using a secret management service (Vault, AWS Secrets Manager, etc.)
+const secretFilePath = import.meta.env.JWT_KEYS_PATH || path.join(
   os.homedir(),
   '.config',
   'api_jwt_keys.json'
 );
 
+// Warn if using default location in production
+if (!import.meta.env.JWT_KEYS_PATH && !import.meta.env.DEV) {
+  console.warn(
+    '[SECURITY WARNING] JWT_KEYS_PATH not set. Using default location ~/.config/api_jwt_keys.json. ' +
+    'Consider using a secret management service in production.'
+  );
+}
+
 // Load and parse keys JSON once at startup
-const keyFileData = JSON.parse(fs.readFileSync(secretFilePath, 'utf-8'));
+let keyFileData;
+try {
+  keyFileData = JSON.parse(fs.readFileSync(secretFilePath, 'utf-8'));
+} catch (err) {
+  console.error(`[CRITICAL] Failed to load JWT keys from ${secretFilePath}:`, err.message);
+  throw new Error('JWT keys file not found or invalid. Set JWT_KEYS_PATH environment variable.');
+}
 
 export function verifyToken(token) {
   if (!token) {