
Security: Remove NEXT_PUBLIC_ from server-only route handlers #45

@nishika26

Description


Describe the bug:
Environment variables prefixed with NEXT_PUBLIC_ are being used inside server-only route handlers (e.g., route.ts files).
Because variables with the NEXT_PUBLIC_ prefix are inlined into the client-side JavaScript bundle, this exposes the backend URL (NEXT_PUBLIC_BACKEND_URL) to the browser. These route handlers run exclusively on the server and do not require public environment variables. Using the NEXT_PUBLIC_ prefix in this context unintentionally leaks internal infrastructure URLs to the client.

To Reproduce

  • Open any of the affected route.ts files in the PR.
  • Locate usage of process.env.NEXT_PUBLIC_BACKEND_URL.
  • Build the Next.js application.
  • Inspect the client-side bundle or browser DevTools.
  • Observe that the backend URL is exposed in the client-side JavaScript.

Expected behavior
Server-only route handlers should use non-public environment variables (e.g., BACKEND_URL) instead of NEXT_PUBLIC_BACKEND_URL. Internal backend URLs should not be exposed to the client-side bundle.

issue pointed out - here
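A repository check for the pattern this issue describes, added here as an example that is not part of the issue or the project: it scans files Next.js runs only on the server (route handlers, middleware, instrumentation) for static reads of NEXT_PUBLIC_* variables, which are the reads Next.js inlines into the client bundle. The file paths and contents are constructed inline; the server-only file list is an assumption of the example.

```typescript
// Added example (not code from the issue or the project): flag NEXT_PUBLIC_* reads
// in files Next.js runs only on the server, where the public prefix buys nothing
// and inlines the value into the client-side JavaScript bundle.
// Paths and file contents below are constructed so the check runs offline.

interface Finding { file: string; line: number; variable: string; }

// Assumed server-only entry points: route handlers, middleware, instrumentation.
const SERVER_ONLY_FILE = /(^|\/)(route|middleware|instrumentation)\.(ts|tsx|js|jsx|mjs)$/;

// Static reads are what gets inlined: process.env.NEXT_PUBLIC_X and process.env["NEXT_PUBLIC_X"].
const PUBLIC_ENV_READ = /process\.env(?:\.(NEXT_PUBLIC_[A-Z0-9_]+)|\[\s*["'](NEXT_PUBLIC_[A-Z0-9_]+)["']\s*\])/g;

function isServerOnlyFile(path: string): boolean {
  return SERVER_ONLY_FILE.test(path);
}

function findPublicEnvLeaks(files: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const file in files) {
    if (!isServerOnlyFile(file)) continue;
    files[file].split("\n").forEach((text, idx) => {
      PUBLIC_ENV_READ.lastIndex = 0; // a global regex keeps state between exec() calls
      let m: RegExpExecArray | null;
      while ((m = PUBLIC_ENV_READ.exec(text)) !== null) {
        findings.push({ file: file, line: idx + 1, variable: m[1] || m[2] });
      }
    });
  }
  return findings;
}

// Constructed sample tree: one leaking handler, one handler already using the
// server-only name the issue recommends, and a client component where NEXT_PUBLIC_ is fine.
const SAMPLE_FILES: Record<string, string> = {
  "app/api/items/route.ts":
    "export async function GET() {\n" +
    "  const res = await fetch(`${process.env.NEXT_PUBLIC_BACKEND_URL}/items`);\n" +
    "  return Response.json(await res.json());\n}",
  "app/api/users/route.ts":
    "export async function GET() {\n" +
    "  const res = await fetch(`${process.env.BACKEND_URL}/users`);\n" +
    "  return Response.json(await res.json());\n}",
  "components/Banner.tsx": "export const site = process.env['NEXT_PUBLIC_SITE_URL'];"
};

function report(files: Record<string, string>): string[] {
  return findPublicEnvLeaks(files).map(
    (f) => f.file + ":" + f.line + " reads " + f.variable + " in a server-only file; use a non-public name"
  );
}

report(SAMPLE_FILES).forEach((line) => console.log(line));
```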

Status

Closed