Cymero: My Vibe SaaS (Protected)
Severity: critical | Status: Live in production | Source: Runtime + code scan | Confidence: 93%
AI endpoint accepts anonymous requests
The chat endpoint can call OpenAI without login or a per-user quota.
Why this matters
Anyone who can reach the endpoint can script calls to it and run up provider spend without ever creating an account. Because there is no per-user quota either, a single caller can also burn through your provider rate limit and starve legitimate users.
Evidence
src/app/api/chat/route.ts:9
production evidence
1. POST /api/chat returned 200 for an anonymous request.
2. No auth helper or session check found in the route handler.
3. No rate limit, quota, or spend guard detected before the model call.
Suggested fix
Require a server-side session, enforce per-user rate limits, and cap daily token spend before calling the model provider.
Paste into Cursor
Update src/app/api/chat/route.ts to require a Supabase session before model calls. Add a per-user rate limit and daily token budget check. Return 401 for anonymous users and 429 when limits are exceeded.