Updated storage URL env variables.

Author: rafmevis

.github/workflows/production-jobs.yaml

@@ -40,5 +40,6 @@ jobs:
           INTERNAL_API_KEY: ${{ secrets.INTERNAL_API_KEY }}
           DATABASE_URL: ${{ secrets.DATABASE_URL }}
           NEXT_PUBLIC_SUPABASE_URL: ${{ secrets.NEXT_PUBLIC_SUPABASE_URL }}
+          SUPABASE_STORAGE_URL: ${{ secrets.SUPABASE_STORAGE_URL }}
           SUPABASE_SERVICE_KEY: ${{ secrets.SUPABASE_SERVICE_KEY }}
           RESEND_API_KEY: ${{ secrets.RESEND_API_KEY }}

apps/admin/complete.env.example

@@ -4,6 +4,7 @@ NEXT_PUBLIC_API_URL=http://localhost:4000
 # Supabase
 NEXT_PUBLIC_SUPABASE_URL=http://127.0.0.1:54321
 NEXT_PUBLIC_SUPABASE_ANON_KEY=
+NEXT_PUBLIC_STORAGE_URL=
 
 # Google OAuth (for Google sign-in button)
 NEXT_PUBLIC_GOOGLE_CLIENT_ID=

apps/admin/next.config.mjs

@@ -1,10 +1,16 @@
+/**
+ * Next.js configuration for the admin frontend.
+ */
 import "./src/env.mjs";
 
 /** @type {import('next').NextConfig} */
 const supabaseUrl = new URL(process.env.NEXT_PUBLIC_SUPABASE_URL);
+const storageUrl = new URL(
+  process.env.NEXT_PUBLIC_STORAGE_URL ?? process.env.NEXT_PUBLIC_SUPABASE_URL,
+);
 
 const isLocal =
-  supabaseUrl.hostname === "127.0.0.1" || supabaseUrl.hostname === "localhost";
+  storageUrl.hostname === "127.0.0.1" || storageUrl.hostname === "localhost";
 
 /** @type {import('next').NextConfig} */
 const nextConfig = {
@@ -13,6 +19,12 @@ const nextConfig = {
   images: {
     unoptimized: isLocal,
     remotePatterns: [
+      {
+        protocol: storageUrl.protocol.replace(":", ""),
+        hostname: storageUrl.hostname,
+        port: storageUrl.port,
+        pathname: "/storage/**",
+      },
       {
         protocol: supabaseUrl.protocol.replace(":", ""),
         hostname: supabaseUrl.hostname,

apps/admin/src/env.mjs

@@ -1,3 +1,6 @@
+/**
+ * Environment schema and runtime bindings for the admin frontend.
+ */
 import { createEnv } from "@t3-oss/env-nextjs";
 import { z } from "zod";
 
@@ -16,13 +19,15 @@ export const env = createEnv({
     NEXT_PUBLIC_API_URL: z.string().min(1),
     NEXT_PUBLIC_SUPABASE_ANON_KEY: z.string().min(1),
     NEXT_PUBLIC_SUPABASE_URL: z.string().url(),
+    NEXT_PUBLIC_STORAGE_URL: z.string().url().optional(),
     NEXT_PUBLIC_GOOGLE_CLIENT_ID: z.string().min(1),
     NEXT_PUBLIC_APP_URL: z.string().url(),
   },
   runtimeEnv: {
     NEXT_PUBLIC_API_URL: process.env.NEXT_PUBLIC_API_URL,
     NEXT_PUBLIC_SUPABASE_ANON_KEY: process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY,
     NEXT_PUBLIC_SUPABASE_URL: process.env.NEXT_PUBLIC_SUPABASE_URL,
+    NEXT_PUBLIC_STORAGE_URL: process.env.NEXT_PUBLIC_STORAGE_URL,
     NEXT_PUBLIC_GOOGLE_CLIENT_ID: process.env.NEXT_PUBLIC_GOOGLE_CLIENT_ID,
     NEXT_PUBLIC_APP_URL: process.env.NEXT_PUBLIC_APP_URL,
     SUPABASE_SERVICE_KEY: process.env.SUPABASE_SERVICE_KEY,

apps/api/src/trpc/routers/dpp-public/index.ts

@@ -23,6 +23,8 @@ import { resolveThemeConfigImageUrls } from "../../../utils/theme-config-images.
 import { slugSchema } from "../../../schemas/_shared/primitives.js";
 import { createTRPCRouter, publicProcedure } from "../../init.js";
 
+const PRODUCTS_BUCKET = "products";
+
 /**
  * UPID schema: 16-character alphanumeric identifier
  */
@@ -38,6 +40,70 @@ const getThemePreviewSchema = z.object({
   brandSlug: slugSchema,
 });
 
+/**
+ * Escape regex metacharacters for a dynamic path pattern.
+ */
+function escapeRegExp(value: string): string {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
+/**
+ * Decode URI path segments safely.
+ */
+function decodeStoragePath(path: string): string {
+  return path
+    .split("/")
+    .map((segment) => {
+      try {
+        return decodeURIComponent(segment);
+      } catch {
+        return segment;
+      }
+    })
+    .join("/");
+}
+
+/**
+ * Extract a bucket object path from known Supabase storage URL shapes.
+ */
+function extractStorageObjectPath(
+  value: string,
+  bucket: string,
+): string | null {
+  const escapedBucket = escapeRegExp(bucket);
+  const pattern = new RegExp(
+    `(?:https?:\\/\\/[^/]+)?\\/storage\\/v1\\/object\\/(?:public|sign)\\/${escapedBucket}\\/(.+?)(?:[?#].*)?$`,
+    "i",
+  );
+  const match = value.match(pattern);
+  if (!match?.[1]) return null;
+  return decodeStoragePath(match[1]);
+}
+
+/**
+ * Resolve snapshot image values to a current public URL on the configured storage domain.
+ */
+function resolveSnapshotProductImageUrl(
+  storageClient: Parameters<typeof getPublicUrl>[0],
+  imageValue: string | null | undefined,
+): string | null {
+  if (!imageValue) return null;
+
+  const normalizedImage =
+    extractStorageObjectPath(imageValue, PRODUCTS_BUCKET) ?? imageValue;
+  if (
+    normalizedImage.startsWith("http://") ||
+    normalizedImage.startsWith("https://")
+  ) {
+    return normalizedImage;
+  }
+
+  return (
+    getPublicUrl(storageClient, PRODUCTS_BUCKET, normalizedImage) ??
+    normalizedImage
+  );
+}
+
 export const dppPublicRouter = createTRPCRouter({
   /**
    * Fetch theme data for screenshot preview.
@@ -115,24 +181,11 @@ export const dppPublicRouter = createTRPCRouter({
         ? getPublicUrl(ctx.supabase, "dpp-themes", result.theme.stylesheetPath)
         : null;
 
-      // Resolve product image in the snapshot to public URL
-      let productImageUrl: string | null = null;
-      const snapshotImage = result.snapshot.productAttributes?.image;
-      if (snapshotImage && typeof snapshotImage === "string") {
-        // Check if it's already a full URL or a storage path
-        if (
-          snapshotImage.startsWith("http://") ||
-          snapshotImage.startsWith("https://")
-        ) {
-          productImageUrl = snapshotImage;
-        } else {
-          productImageUrl = getPublicUrl(
-            ctx.supabase,
-            "products",
-            snapshotImage,
-          );
-        }
-      }
+      // Resolve product image in the snapshot to a current public URL.
+      const productImageUrl = resolveSnapshotProductImageUrl(
+        ctx.supabase,
+        result.snapshot.productAttributes?.image,
+      );
 
       // Resolve image paths in themeConfig to full URLs
       const resolvedThemeConfig = resolveThemeConfigImageUrls(
@@ -266,23 +319,11 @@ export const dppPublicRouter = createTRPCRouter({
         ? getPublicUrl(ctx.supabase, "dpp-themes", result.theme.stylesheetPath)
         : null;
 
-      // Resolve product image in the snapshot to public URL
-      let productImageUrl: string | null = null;
-      const snapshotImage = result.snapshot.productAttributes?.image;
-      if (snapshotImage && typeof snapshotImage === "string") {
-        if (
-          snapshotImage.startsWith("http://") ||
-          snapshotImage.startsWith("https://")
-        ) {
-          productImageUrl = snapshotImage;
-        } else {
-          productImageUrl = getPublicUrl(
-            ctx.supabase,
-            "products",
-            snapshotImage,
-          );
-        }
-      }
+      // Resolve product image in the snapshot to a current public URL.
+      const productImageUrl = resolveSnapshotProductImageUrl(
+        ctx.supabase,
+        result.snapshot.productAttributes?.image,
+      );
 
       // Resolve image paths in themeConfig to full URLs
       const resolvedThemeConfig = resolveThemeConfigImageUrls(

apps/app/next.config.mjs

@@ -1,10 +1,16 @@
+/**
+ * Next.js configuration for the app frontend.
+ */
 import "./src/env.mjs";
 
 /** @type {import('next').NextConfig} */
 const supabaseUrl = new URL(process.env.NEXT_PUBLIC_SUPABASE_URL);
+const storageUrl = new URL(
+  process.env.NEXT_PUBLIC_STORAGE_URL ?? process.env.NEXT_PUBLIC_SUPABASE_URL,
+);
 
 const isLocal =
-  supabaseUrl.hostname === "127.0.0.1" || supabaseUrl.hostname === "localhost";
+  storageUrl.hostname === "127.0.0.1" || storageUrl.hostname === "localhost";
 
 /** @type {import('next').NextConfig} */
 const nextConfig = {
@@ -20,6 +26,12 @@ const nextConfig = {
   images: {
     unoptimized: isLocal,
     remotePatterns: [
+      {
+        protocol: storageUrl.protocol.replace(":", ""),
+        hostname: storageUrl.hostname,
+        port: storageUrl.port,
+        pathname: "/storage/**", // allow both public and sign URLs
+      },
       {
         protocol: supabaseUrl.protocol.replace(":", ""),
         hostname: supabaseUrl.hostname,

apps/app/src/env.mjs

@@ -1,3 +1,6 @@
+/**
+ * Environment schema and runtime bindings for the app frontend.
+ */
 import { createEnv } from "@t3-oss/env-nextjs";
 import { z } from "zod";
 
@@ -21,12 +24,14 @@ const env = createEnv({
     NEXT_PUBLIC_API_URL: z.string(),
     NEXT_PUBLIC_SUPABASE_ANON_KEY: z.string(),
     NEXT_PUBLIC_SUPABASE_URL: z.string(),
+    NEXT_PUBLIC_STORAGE_URL: z.string().url().optional(),
   },
   runtimeEnv: {
     NEXT_PUBLIC_OPENPANEL_CLIENT_ID:
       process.env.NEXT_PUBLIC_OPENPANEL_CLIENT_ID,
     NEXT_PUBLIC_SUPABASE_ANON_KEY: process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY,
     NEXT_PUBLIC_SUPABASE_URL: process.env.NEXT_PUBLIC_SUPABASE_URL,
+    NEXT_PUBLIC_STORAGE_URL: process.env.NEXT_PUBLIC_STORAGE_URL,
     OPENPANEL_SECRET_KEY: process.env.OPENPANEL_SECRET_KEY,
     PORT: process.env.PORT,
     RESEND_API_KEY: process.env.RESEND_API_KEY,

apps/app/src/utils/storage-urls.ts

@@ -47,11 +47,11 @@ export function buildPublicUrl(
 ): string | null {
   if (!path) return null;
 
-  const supabaseUrl = getSupabaseUrl();
+  const storageBaseUrl = getSupabaseUrl();
   const encodedPath = encodePath(path);
 
-  if (supabaseUrl) {
-    return `${supabaseUrl}/storage/v1/object/public/${bucket}/${encodedPath}`;
+  if (storageBaseUrl) {
+    return `${storageBaseUrl}/storage/v1/object/public/${bucket}/${encodedPath}`;
   }
 
   // Fallback for SSR or missing env var
@@ -192,9 +192,13 @@ export function resolveThemeConfigImageUrls<T>(themeConfig: T): T {
 // ============================================================================
 
 /**
- * Get the Supabase URL from environment.
- * NEXT_PUBLIC_ env vars are available on both client and server.
+ * Get the public storage base URL from environment.
+ * Falls back to the Supabase URL when a dedicated storage URL is not configured.
  */
 export function getSupabaseUrl(): string | null {
-  return process.env.NEXT_PUBLIC_SUPABASE_URL ?? null;
+  return (
+    process.env.NEXT_PUBLIC_STORAGE_URL ??
+    process.env.NEXT_PUBLIC_SUPABASE_URL ??
+    null
+  );
 }

apps/storage/.gitignore

@@ -0,0 +1 @@
+.vercel

packages/db/src/utils/storage-url.ts

@@ -13,6 +13,7 @@
  * Bucket name for product images.
  */
 export const PRODUCTS_BUCKET = "products";
+const STORAGE_PUBLIC_PREFIX = "/storage/v1/object/public/";
 
 // =============================================================================
 // URL BUILDING
@@ -28,6 +29,46 @@ function encodePath(path: string): string {
     .join("/");
 }
 
+/**
+ * Escape regex metacharacters for safe dynamic patterns.
+ */
+function escapeRegExp(value: string): string {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
+/**
+ * Decode URI path segments safely.
+ */
+function decodePath(path: string): string {
+  return path
+    .split("/")
+    .map((segment) => {
+      try {
+        return decodeURIComponent(segment);
+      } catch {
+        return segment;
+      }
+    })
+    .join("/");
+}
+
+/**
+ * Extract a storage object path from a full public storage URL.
+ */
+function extractStoragePathFromPublicUrl(
+  value: string,
+  bucket: string,
+): string | null {
+  const escapedBucket = escapeRegExp(bucket);
+  const pattern = new RegExp(
+    `${STORAGE_PUBLIC_PREFIX}${escapedBucket}/(.+?)(?:[?#].*)?$`,
+    "i",
+  );
+  const match = value.match(pattern);
+  if (!match?.[1]) return null;
+  return decodePath(match[1]);
+}
+
 /**
  * Build a public URL for a product image.
  *
@@ -41,15 +82,27 @@ export function buildProductImageUrl(
 ): string | null {
   if (!imagePath) return null;
 
-  // If already a full URL, return as-is
-  if (isFullUrl(imagePath)) return imagePath;
+  // Normalize legacy full public storage URLs back to a storage path first.
+  const extractedStoragePath = extractStoragePathFromPublicUrl(
+    imagePath,
+    PRODUCTS_BUCKET,
+  );
+  const normalizedPath = extractedStoragePath ?? imagePath;
+
+  // Preserve external full URLs as-is.
+  if (isFullUrl(normalizedPath)) return normalizedPath;
 
   // If no storage base URL available, return the path as-is
   // (fallback for backward compatibility)
-  if (!storageBaseUrl) return imagePath;
+  if (!storageBaseUrl) {
+    return extractedStoragePath ? imagePath : normalizedPath;
+  }
 
-  const encodedPath = encodePath(imagePath);
-  return `${storageBaseUrl}/storage/v1/object/public/${PRODUCTS_BUCKET}/${encodedPath}`;
+  const normalizedStorageBaseUrl = storageBaseUrl.endsWith("/")
+    ? storageBaseUrl.slice(0, -1)
+    : storageBaseUrl;
+  const encodedPath = encodePath(normalizedPath);
+  return `${normalizedStorageBaseUrl}/storage/v1/object/public/${PRODUCTS_BUCKET}/${encodedPath}`;
 }
 
 /**
@@ -65,8 +118,12 @@ export function isFullUrl(value: string | null | undefined): boolean {
  * Works in both Node.js and edge contexts.
  */
 export function getSupabaseUrlFromEnv(): string | null {
-  // Try common environment variable names
+  // Prefer dedicated storage URL overrides, then fall back to Supabase URL.
   return (
-    process.env.SUPABASE_URL ?? process.env.NEXT_PUBLIC_SUPABASE_URL ?? null
+    process.env.SUPABASE_STORAGE_URL ??
+    process.env.NEXT_PUBLIC_STORAGE_URL ??
+    process.env.SUPABASE_URL ??
+    process.env.NEXT_PUBLIC_SUPABASE_URL ??
+    null
   );
 }