<?php
declare(strict_types=1);

$origin = $_SERVER['HTTP_ORIGIN'] ?? '';

$allowedOrigins = [
  'https://skizagroundsuite.com',
  'http://localhost:5174',
  'http://127.0.0.1:5174',
  'http://192.168.88.59:5174',
];

if ($origin && in_array($origin, $allowedOrigins, true)) {
  header("Access-Control-Allow-Origin: $origin");
  header("Access-Control-Allow-Credentials: true");
  header("Vary: Origin");
} else {
  // If browser sent an Origin and it's not allowed, block explicitly
  if ($origin) {
    http_response_code(403);
    exit;
  }
}

// Allow methods + headers
header("Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS");
header("Access-Control-Allow-Headers: Content-Type, Accept, Authorization, X-Requested-With");
header("Access-Control-Max-Age: 86400");

// Preflight exits early
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'OPTIONS') {
  http_response_code(204);
  exit;
}