Refactor token media-type API to be token-scoped and safer#3190

Merged
tom2drum merged 2 commits into main from tom2drum/nft-media-type
Dec 18, 2025

Conversation

@tom2drum
Collaborator

Description and Related Issue(s)

This pull request refactors the media-type API endpoint to be token-instance–scoped and backed by on-chain metadata, reducing the risk of arbitrary URL request forgery and tightening how we fetch and classify NFT media. It also hardens some node API endpoints (CSRF and Prometheus metrics) to only respond when explicitly enabled and improves metadata/analytics mappings for the new media-type route.

Proposed Changes

  • Media-type API refactor

    • Remove the generic /api/media-type endpoint that accepted arbitrary url query parameters.
    • Introduce /api/tokens/[hash]/instances/[id]/media-type which:
      • Looks up the token instance via general:token_instance and derives the media URL from animation_url or image_url.
      • Validates the field parameter (animation_url or image_url) and returns a safe fallback when data is missing.
      • Performs a HEAD request against the resolved media URL with an AbortController-based timeout and Prometheus timing via metrics.apiRequestDuration.
      • Classifies the media as video, image, html, or undefined based on the content-type header.
    • Update ui/shared/nft/useNftMediaInfo and NftMedia Playwright tests to use the new token-scoped media-type route and the TokenInstance.token metadata (address hash and id) when building media-type URLs.
    • Extend TokenInstance in types/api/token with a token: TokenInfo field so the UI can construct the scoped media-type requests.
  • Metadata and analytics updates

    • Update lib/metadata/getPageOgType, lib/metadata/templates/title, and lib/metadata/templates/description to use /api/tokens/[hash]/instances/[id]/media-type instead of /api/media-type for OG/meta templates.
    • Update lib/mixpanel/getPageType to track the new token-instance media-type endpoint as “Node API: Token instance media type”.
    • Regenerate nextjs/nextjs-routes.d.ts to remove the old static /api/media-type route and add the dynamic /api/tokens/[hash]/instances/[id]/media-type route type.
  • Node API hardening

    • Update /api/csrf to return 404 when proxying is not needed (isNeedProxy() is false), instead of always forwarding.
    • Update /api/metrics to return 404 when PROMETHEUS_METRICS_ENABLED is not true, only exposing metrics when explicitly enabled.
  • Environment variables

    • No changes to environment variables were introduced in this pull request, and docs/ENVS.md remains unchanged.

Breaking or Incompatible Changes

  • The legacy /api/media-type endpoint has been removed; any consumers relying on /node-api/media-type?url=... must migrate to /node-api/tokens/[hash]/instances/[id]/media-type?field=animation_url|image_url, where hash and id correspond to the token instance and the field selects which media URL to inspect.
  • Analytics and metadata mappings now reference the new token-instance media-type route; any hard-coded references to the old path should be updated accordingly.

Additional Information

  • The new token-scoped media-type handler uses token instance data as the source of truth for media URLs, which mitigates request forgery risks by avoiding arbitrary external URLs provided directly by the client.
  • Playwright tests for NftMedia have been updated to reflect the new API shape, including realistic token address hashes and IDs wired through the TokenInstance fixture data.

Checklist for PR author

  • I have tested these changes locally.
  • I added tests to cover any new functionality, following this guide
  • Whenever I fix a bug, I include a regression test to ensure that the bug does not reappear silently.
  • If I have added, changed, renamed, or removed an environment variable
    • I updated the list of environment variables in the documentation
    • I made the necessary changes to the validator script according to the guide
    • I added "ENVs" label to this pull request
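The request flow described in this PR, as an added TypeScript example that is not Blockscout's code: the `field` query value is allowlisted, the media URL is taken from the stored token instance rather than from the client, the HEAD request is bounded by an AbortController timeout, and the result is classified from the Content-Type header. The `TokenInstance` shape and the injected `head` fetch function are assumptions made so the block runs offline.

```typescript
// Added example, not Blockscout's handler. The TokenInstance shape and the
// injected `head` function are assumptions so the logic can run without a network.
type MediaField = 'animation_url' | 'image_url';
type MediaType = 'video' | 'image' | 'html' | undefined;

// Hypothetical minimal shape of the token instance record looked up server-side.
interface TokenInstance { animation_url?: string | null; image_url?: string | null; }

const ALLOWED_FIELDS: ReadonlyArray<MediaField> = ['animation_url', 'image_url'];

// Allowlist the client-supplied field name instead of accepting a raw URL.
function parseField(raw: unknown): MediaField | undefined {
  return ALLOWED_FIELDS.find((f) => f === raw);
}

// Classify by MIME prefix; parameters such as charset are ignored.
// Anything unrecognised (or a missing header) maps to undefined.
function classifyMediaType(contentType: string | null): MediaType {
  const mime = (contentType ?? '').split(';')[0].trim().toLowerCase();
  if (mime.startsWith('video/')) return 'video';
  if (mime.startsWith('image/')) return 'image';
  if (mime === 'text/html') return 'html';
  return undefined;
}

// Minimal fetch-like signature so the HEAD request can be stubbed in tests.
type HeadFetch = (url: string, init: { method: 'HEAD'; signal: AbortSignal }) =>
  Promise<{ headers: { get(name: string): string | null } }>;

// Resolve the URL from the server-side instance data, then HEAD it with a timeout.
// Missing metadata, network errors and timeouts all fall back to undefined.
async function resolveMediaType(
  instance: TokenInstance | undefined, field: MediaField, head: HeadFetch, timeoutMs = 2000,
): Promise<MediaType> {
  const url = instance?.[field];
  if (!url) return undefined; // safe fallback when the instance has no media URL
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const res = await head(url, { method: 'HEAD', signal: controller.signal });
    return classifyMediaType(res.headers.get('content-type'));
  } catch {
    return undefined; // aborted or failed request: do not guess a type
  } finally {
    clearTimeout(timer);
  }
}
```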

@tom2drum tom2drum self-assigned this Dec 18, 2025
@tom2drum tom2drum merged commit 76b7603 into main Dec 18, 2025
23 of 25 checks passed
@tom2drum tom2drum deleted the tom2drum/nft-media-type branch December 18, 2025 17:05