From 2fee9a2311f66d846f605b6888a4d1a7a89d2bc8 Mon Sep 17 00:00:00 2001 From: Nate Kelley Date: Mon, 11 Aug 2025 16:41:11 -0600 Subject: [PATCH] Update next config to support supabase url --- apps/web/next.config.mjs | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/apps/web/next.config.mjs b/apps/web/next.config.mjs index c516b7627..ae775b010 100644 --- a/apps/web/next.config.mjs +++ b/apps/web/next.config.mjs @@ -10,6 +10,15 @@ const apiUrl = new URL(env.NEXT_PUBLIC_API_URL).origin; const api2Url = new URL(env.NEXT_PUBLIC_API2_URL).origin; const profilePictureURL = 'https://googleusercontent.com'; +// Derive Supabase origins (HTTP and WS) from env so CSP allows them in all modes +const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL; +const supabaseOrigin = supabaseUrl ? new URL(supabaseUrl).origin : ''; +const supabaseWsOrigin = supabaseUrl + ? supabaseUrl.startsWith('https') + ? supabaseOrigin.replace('https', 'wss') + : supabaseOrigin.replace('http', 'ws') + : ''; + // Function to create CSP header with dynamic API URLs const createCspHeader = (isEmbed = false) => { const isDev = process.env.NODE_ENV === 'development'; @@ -42,6 +51,8 @@ const createCspHeader = (isEmbed = false) => { "'self'", 'data:', // Allow data URLs for PDF exports and other data URI downloads localDomains, + supabaseOrigin, + supabaseWsOrigin, 'https://*.vercel.app', 'https://*.supabase.co', 'wss://*.supabase.co',
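Review bot: The nested ternary for `supabaseWsOrigin` tests the scheme on the raw env string while the replacement runs on the normalized origin, and nothing checks that the scheme is http(s) at all. Because `new URL(...).origin` always begins with a lowercase scheme, one line covers both cases: `const supabaseWsOrigin = supabaseOrigin.replace(/^http/, 'ws');`. A value with a non-http(s) scheme can produce the origin string `null`, which would land in the CSP as a meaningless token; checking that `new URL(supabaseUrl).protocol` is `http:` or `https:` and throwing otherwise would surface the misconfiguration when the config is loaded. The neighbouring lines read from `env` rather than `process.env`; if that object validates its keys (not visible in this hunk), reading `NEXT_PUBLIC_SUPABASE_URL` through it would be consistent.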
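Review bot: In the second hunk the exact Supabase origins are added next to `'https://*.supabase.co'` and `'wss://*.supabase.co'`, which stay in the list, so the directive still permits any project hosted on supabase.co rather than only this deployment's. Now that the configured origin is derived from the env, consider dropping the two wildcards, or keeping them only as a fallback when `NEXT_PUBLIC_SUPABASE_URL` is unset, so the policy actually narrows where page scripts can connect. When the variable is unset both new entries are empty strings; whether the list is filtered before it is joined is outside the hunk, so a `.filter(Boolean)` on it is worth confirming. The directive name and the rest of `createCspHeader` are not visible here.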