From bf0763544908a461e2738942bd9cde3766c16324 Mon Sep 17 00:00:00 2001
From: Pedro Rodrigues
Date: Wed, 10 Dec 2025 14:00:54 +0000
Subject: [PATCH 1/4] feat(functions): add SUPABASE_PUBLIC_URL env var for Edge Functions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add SUPABASE_PUBLIC_URL environment variable that contains the external-facing URL (e.g., http://127.0.0.1:54321) for use in client-facing responses. This is needed for OAuth-protected Edge Functions (like MCP servers) that need to return public URLs in OAuth metadata and WWW-Authenticate headers, while still using the internal Docker URL (SUPABASE_URL) for server-to-server calls. In production, SUPABASE_PUBLIC_URL won't exist, so Edge Functions should fall back to SUPABASE_URL which is already the public URL.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5
---
 internal/functions/serve/serve.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/internal/functions/serve/serve.go b/internal/functions/serve/serve.go
index 9819a181d..8ca6a397f 100644
--- a/internal/functions/serve/serve.go
+++ b/internal/functions/serve/serve.go
@@ -128,6 +128,7 @@ func ServeFunctions(ctx context.Context, envFilePath string, noVerifyJWT *bool,
 }
 env = append(env,
 fmt.Sprintf("SUPABASE_URL=http://%s:8000", utils.KongAliases[0]),
+ "SUPABASE_PUBLIC_URL="+utils.Config.Api.ExternalUrl,
 "SUPABASE_ANON_KEY="+utils.Config.Auth.AnonKey.Value,
 "SUPABASE_SERVICE_ROLE_KEY="+utils.Config.Auth.ServiceRoleKey.Value,
 "SUPABASE_DB_URL="+dbUrl,
From 3762772cf9d328b96d5fca64545dda4fa5ba1cd2 Mon Sep 17 00:00:00 2001
From: Cemal Kilic
Date: Fri, 17 Oct 2025 13:02:55 +0300
Subject: [PATCH 2/4] feat: handle oauth-protected-resource for edge functions

---
 internal/start/start.go | 2 +-
 internal/start/templates/kong.yml | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)
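Review bot: The new `SUPABASE_PUBLIC_URL` entry in the serve.go hunk of PATCH 1/4 sits directly under `SUPABASE_URL`, and nothing in the code says which of the two may be echoed back to clients. A one-line comment above it, such as `// Host-facing API URL for client-visible responses (OAuth metadata, WWW-Authenticate); SUPABASE_URL is the Docker-internal Kong address.`, would keep that distinction next to the values. The same line is deleted again by PATCH 4/4, so the series nets to no change in this file and the two patches could be dropped together. ServeFunctions starts and ends outside the hunk.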
diff --git a/internal/start/start.go b/internal/start/start.go
index cf4bc68fd..f48af7783 100644
--- a/internal/start/start.go
+++ b/internal/start/start.go
@@ -489,7 +489,7 @@ EOF
 "KONG_DATABASE=off",
 "KONG_DECLARATIVE_CONFIG=/home/kong/kong.yml",
 "KONG_DNS_ORDER=LAST,A,CNAME", // https://github.com/supabase/cli/issues/14
- "KONG_PLUGINS=request-transformer,cors",
+ "KONG_PLUGINS=request-transformer,cors,pre-function",
 fmt.Sprintf("KONG_PORT_MAPS=%d:8000", utils.Config.Api.Port),
 // Need to increase the nginx buffers in kong to avoid it rejecting the rather
 // sizeable response headers azure can generate
diff --git a/internal/start/templates/kong.yml b/internal/start/templates/kong.yml
index 0c185eb6e..3a39b79c6 100644
--- a/internal/start/templates/kong.yml
+++ b/internal/start/templates/kong.yml
@@ -228,6 +228,28 @@ services:
 - /pooler/v2/
 plugins:
 - name: cors
+ - name: request-transformer
+ config:
+ replace:
+ headers:
+ - "Authorization: {{ .BearerToken }}"
+ - name: oauth-protected-resource
+ _comment: "OAuth Protected Resource: /.well-known/oauth-protected-resource/functions/v1/ -> /functions/v1//.well-known/oauth-protected-resource"
+ url: http://{{ .EdgeRuntimeId }}:8081/
+ routes:
+ - name: oauth-protected-resource
+ strip_path: false
+ paths:
+ - /.well-known/oauth-protected-resource/functions/v1/
+ plugins:
+ - name: cors
+ - name: pre-function
+ config:
+ access:
+ - |
+ local uri = kong.request.get_path()
+ local new_uri = uri:gsub("^/.well%-known/oauth%-protected%-resource/functions/v1", "") .. "/.well-known/oauth-protected-resource"
+ kong.service.request.set_path(new_uri)
 - name: mcp
 _comment: "MCP: /mcp -> http://studio:3000/api/mcp"
 url: http://{{ .StudioId }}:3000/api/mcp
From 877692421c7b7c91d9e2dffddca4e29ea0adc30f Mon Sep 17 00:00:00 2001
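Review bot: Adding `pre-function` to `KONG_PLUGINS` in the start.go hunk of PATCH 2/4 lets the declarative config run Lua inside the gateway, yet the line carries no comment saying why it is needed, unlike the `KONG_DNS_ORDER` line above it. A trailing comment such as `// pre-function: path rewrite for the oauth-protected-resource service in templates/kong.yml` would tie the plugin to its one consumer. Because kong.yml appears to be rendered as a template (it contains `{{ .BearerToken }}`-style placeholders), the Lua snippet should stay free of template placeholders so that no rendered value ever becomes code. The surrounding env list starts and ends outside the hunk.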
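Review bot: The first five added lines of the kong.yml hunk in PATCH 2/4 add a `request-transformer` that replaces `Authorization` with `{{ .BearerToken }}`, and they follow the `/pooler/v2/` route's `plugins:` / `- name: cors` context rather than the new `oauth-protected-resource` service, so they appear to change an existing service that the commit subject does not mention. Indentation is not recoverable in this view, so confirm which service the plugin attaches to. If it is intentional, it should be called out in the message or split into its own commit, because it changes which credential that upstream receives; if it is a rebase leftover, it should be dropped. The new metadata service itself gets only `cors` and `pre-function`.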
From: Pedro Rodrigues
Date: Wed, 10 Dec 2025 13:15:04 +0000
Subject: [PATCH 3/4] fix: extract function name correctly in oauth-protected-resource redirect
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The previous implementation appended /.well-known/oauth-protected-resource to the entire remaining path, causing requests like /.well-known/oauth-protected-resource/functions/v1/func-name/mcp to fail. Now correctly extracts just the function name and ignores sub-paths.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5
---
 internal/start/templates/kong.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/internal/start/templates/kong.yml b/internal/start/templates/kong.yml
index 3a39b79c6..51de9e091 100644
--- a/internal/start/templates/kong.yml
+++ b/internal/start/templates/kong.yml
@@ -234,7 +234,7 @@ services:
 headers:
 - "Authorization: {{ .BearerToken }}"
 - name: oauth-protected-resource
- _comment: "OAuth Protected Resource: /.well-known/oauth-protected-resource/functions/v1/ -> /functions/v1//.well-known/oauth-protected-resource"
+ _comment: "OAuth Protected Resource: /.well-known/oauth-protected-resource/functions/v1//* -> //.well-known/oauth-protected-resource"
 url: http://{{ .EdgeRuntimeId }}:8081/
 routes:
 - name: oauth-protected-resource
@@ -248,7 +248,9 @@ services:
 access:
 - |
 local uri = kong.request.get_path()
- local new_uri = uri:gsub("^/.well%-known/oauth%-protected%-resource/functions/v1", "") .. "/.well-known/oauth-protected-resource"
+ local path_after_prefix = uri:gsub("^/.well%-known/oauth%-protected%-resource/functions/v1/", "")
+ local function_name = path_after_prefix:match("^([^/]+)")
+ local new_uri = "/" .. function_name .. "/.well-known/oauth-protected-resource"
 kong.service.request.set_path(new_uri)
 - name: mcp
 _comment: "MCP: /mcp -> http://studio:3000/api/mcp"
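Review bot: In the second kong.yml hunk of PATCH 3/4, `function_name` is nil when the request path is exactly the route prefix with nothing after `functions/v1/`, and the concatenation on the following line then raises a Lua error instead of returning a clean 404. The captured segment is also forwarded to the edge runtime unchecked, and `^([^/]+)` accepts any non-slash bytes, so a segment such as `..` or one carrying percent-encoding may reach the upstream path. Both cases can be closed with one guard before `new_uri` is built: `if not function_name or function_name:find("[^%w_%-]") then return kong.response.exit(404) end`. The first hunk in this file only updates `_comment`.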
From 74ef3f67dab378963c20c9e64329055f2dc4f415 Mon Sep 17 00:00:00 2001
From: Pedro Rodrigues
Date: Fri, 19 Dec 2025 12:20:48 +0000
Subject: [PATCH 4/4] revert: remove SUPABASE_PUBLIC_URL env var
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The OAuth protected resource redirect feature doesn't require SUPABASE_PUBLIC_URL. Edge Functions can handle URL resolution themselves using custom env vars like PUBLIC_URL if needed.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5
---
 internal/functions/serve/serve.go | 1 -
 1 file changed, 1 deletion(-)
diff --git a/internal/functions/serve/serve.go b/internal/functions/serve/serve.go
index 8ca6a397f..9819a181d 100644
--- a/internal/functions/serve/serve.go
+++ b/internal/functions/serve/serve.go
@@ -128,7 +128,6 @@ func ServeFunctions(ctx context.Context, envFilePath string, noVerifyJWT *bool,
 }
 env = append(env,
 fmt.Sprintf("SUPABASE_URL=http://%s:8000", utils.KongAliases[0]),
- "SUPABASE_PUBLIC_URL="+utils.Config.Api.ExternalUrl,
 "SUPABASE_ANON_KEY="+utils.Config.Auth.AnonKey.Value,
 "SUPABASE_SERVICE_ROLE_KEY="+utils.Config.Auth.ServiceRoleKey.Value,
 "SUPABASE_DB_URL="+dbUrl,