Fix: Update CSP for external services

The Content Security Policy (CSP) was updated to include necessary domains for external services like `exchangerate-api.com` and `tawk.to`. This resolves "Refused to connect" errors related to these services and ensures they function correctly.

Author: lovable-dev[bot]

api/stripe-payment-methods.js

@@ -28,7 +28,18 @@ export default async function handler(req, res) {
       type: 'card'
     });
 
-    res.status(200).json({ paymentMethods: paymentMethods.data });
+    // Format the payment methods to match the expected structure  
+    const formattedMethods = paymentMethods.data.map(pm => ({
+      id: pm.id,
+      type: pm.type,
+      last4: pm.card?.last4 || '',
+      brand: pm.card?.brand || '',
+      exp_month: pm.card?.exp_month || 0,
+      exp_year: pm.card?.exp_year || 0,
+      isDefault: customer.invoice_settings?.default_payment_method === pm.id
+    }));
+
+    res.status(200).json({ paymentMethods: formattedMethods });
   } catch (error) {
     console.error('Error fetching payment methods:', error);
     res.status(500).json({ error: error.message });

src/components/PaymentMethodSelector.tsx

@@ -78,7 +78,7 @@ export const PaymentMethodSelector = ({
                           )}
                         </div>
                         <p className="text-sm text-slate-600">
-                          Expire {card.exp_month.toString().padStart(2, '0')}/{card.exp_year}
+                          Expire {card.exp_month?.toString().padStart(2, '0') || '00'}/{card.exp_year || '0000'}
                         </p>
                       </div>
                     </div>

vercel.json

@@ -32,7 +32,7 @@
         },
         {
           "key": "Content-Security-Policy",
-          "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.gpteng.co https://embed.tawk.to https://va.tawk.to; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self' https://api.stripe.com https://refspring-default-rtdb.europe-west1.firebasedatabase.app https://identitytoolkit.googleapis.com https://securetoken.googleapis.com https://firestore.googleapis.com https://us-central1-refspring-8c3ac.cloudfunctions.net wss://embed.tawk.to; frame-src https://js.stripe.com https://embed.tawk.to; object-src 'none'; base-uri 'self'; upgrade-insecure-requests"
+          "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.gpteng.co https://embed.tawk.to https://va.tawk.to; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self' https://api.stripe.com https://refspring-default-rtdb.europe-west1.firebasedatabase.app https://identitytoolkit.googleapis.com https://securetoken.googleapis.com https://firestore.googleapis.com https://us-central1-refspring-8c3ac.cloudfunctions.net https://api.exchangerate-api.com https://va.tawk.to https://embed.tawk.to wss://embed.tawk.to; frame-src https://js.stripe.com https://embed.tawk.to; object-src 'none'; base-uri 'self'; upgrade-insecure-requests"
         }
       ]
     }