fix(middleware): handle malformed NEXT_PUBLIC_APP_URL env var

Author: adriannoes

src/middleware.ts

@@ -20,10 +20,12 @@ const ratelimit =
     : null
 
 export async function middleware(request: NextRequest) {
-  const allowedOriginAsap =
-    process.env.NEXT_PUBLIC_ASAP_PROTOCOL_URL || "https://asap-protocol.vercel.app"
-  const allowedOriginSelf =
-    process.env.NEXT_PUBLIC_APP_URL || "https://open-agentic-flow.vercel.app"
+  const allowedOriginAsap = process.env.NEXT_PUBLIC_ASAP_PROTOCOL_URL?.startsWith("http")
+    ? process.env.NEXT_PUBLIC_ASAP_PROTOCOL_URL
+    : "https://asap-protocol.vercel.app"
+  const allowedOriginSelf = process.env.NEXT_PUBLIC_APP_URL?.startsWith("http")
+    ? process.env.NEXT_PUBLIC_APP_URL
+    : "https://open-agentic-flow.vercel.app"
   const requestOrigin = request.headers.get("origin")
 
   // For /api routes, reject non-allowlisted cross-origin requests