<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

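class CorsMiddleware_old
{
    /**
     * Origins allowed to make credentialed cross-origin requests in every environment.
     *
     * Entries are compared as exact strings (scheme + host[ + port]); a browser Origin
     * header never carries a path, and a trailing slash is stripped before comparison.
     * The former regex fallback matched exactly this set and has been folded in.
     *
     * NOTE(review): the plain-http entries are kept for compatibility, but a credentialed
     * response to an http:// origin is readable by an on-path attacker; drop them once the
     * site is served over https only.
     */
    private const PRODUCTION_ORIGINS = [
        'http://pandamarts.co.uk',
        'https://pandamarts.co.uk',
        'http://www.pandamarts.co.uk',
        'https://www.pandamarts.co.uk',
        'http://demo.pandamarts.co.uk',
        'https://demo.pandamarts.co.uk',
    ];

    /**
     * Local development origins, honoured only outside production. Allowing
     * http://localhost:* in production would let any process listening on a visitor's own
     * machine issue credentialed requests to the live API.
     */
    private const DEVELOPMENT_ORIGINS = [
        'http://localhost:3000',
        'http://localhost:5173',
        'http://127.0.0.1:3000',
        'http://127.0.0.1:5173',
        'http://localhost:8000',
        'http://127.0.0.1:8000',
    ];

    /**
     * Route patterns (Request::is() syntax) that receive CORS handling; every other path
     * passes through untouched. The misspelt "menu_itmes" / "menu-itmes" patterns are kept
     * verbatim because routes with those names may exist.
     */
    private const CORS_PATHS = [
        'api',
        'api/*',
        'login',
        'sanctum/*',
        'frontpos/*',
        'pos/*',
        'front/*',
        'images',
        'images/*',
        'logos',
        'logos/*',
        'menu_itmes',
        'menu_itmes/*',
        'menu-items',
        'menu-items/*',
        'menu-itmes',
        'menu-itmes/*',
    ];

    /**
     * Handle an incoming request.
     *
     * Answers preflight (OPTIONS) requests on CORS routes directly and decorates every
     * response on those routes with CORS headers. Access-Control-Allow-Origin is only set
     * to an allowlisted Origin and is never "*", because the API is used with credentials.
     *
     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
     */
    public function handle(Request $request, Closure $next): Response
    {
        $appliesCors = $request->is(...self::CORS_PATHS);

        // Short-circuit preflight on CORS routes: the real route (and any auth
        // middleware behind it) is never executed for OPTIONS, so no body is produced.
        if ($appliesCors && $request->getMethod() === 'OPTIONS') {
            $response = response('', 200);
        } else {
            $response = $next($request);
        }

        if (!$appliesCors) {
            return $response;
        }

        // The response varies by Origin; without Vary a shared cache could replay one
        // origin's Allow-Origin / Allow-Credentials headers to a different origin.
        $response->headers->set('Vary', 'Origin', false);

        $allowedOrigin = $this->resolveAllowedOrigin($request->headers->get('Origin'));
        if ($allowedOrigin !== null) {
            $response->headers->set('Access-Control-Allow-Origin', $allowedOrigin);
            $response->headers->set('Access-Control-Allow-Credentials', 'true');
        }

        // Method/header metadata is harmless without Allow-Origin, so it is always sent.
        $response->headers->set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, PATCH, OPTIONS');
        $response->headers->set('Access-Control-Allow-Headers', 'Origin, Content-Type, Accept, Authorization, X-Requested-With, X-CSRF-TOKEN, X-XSRF-TOKEN');
        $response->headers->set('Access-Control-Max-Age', '86400');
        $response->headers->set('Access-Control-Expose-Headers', 'Authorization, Content-Type');

        return $response;
    }

    /**
     * Resolve the Origin value to echo back, or null when the header is absent, empty or
     * not on the allowlist for the current environment.
     *
     * @param  string|null  $origin  Raw Origin request header.
     * @return string|null  The normalised (trailing-slash-stripped) origin if allowed.
     */
    private function resolveAllowedOrigin(?string $origin): ?string
    {
        if ($origin === null || $origin === '') {
            return null;
        }

        $origin = rtrim($origin, '/');

        $allowed = app()->environment('production')
            ? self::PRODUCTION_ORIGINS
            : [...self::PRODUCTION_ORIGINS, ...self::DEVELOPMENT_ORIGINS];

        // Strict comparison: the allowlist is a set of exact strings, never patterns.
        return in_array($origin, $allowed, true) ? $origin : null;
    }
}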

