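package server

import (
	"net/http"
	"strings"

	"github.com/gin-gonic/gin"
)

// corsLocalDev returns middleware that lets a front end served from this
// machine (localhost, 127.0.0.1 or [::1], on any port) call the API and the
// OAuth endpoints cross-origin. It is intended for local development only:
// for a same-origin production deployment, disable it or replace it with a
// configured allowlist.
//
// The matching Origin is echoed back together with
// Access-Control-Allow-Credentials: true, so every page served from a
// loopback origin on any port can make credentialed requests to this API.
//
// NOTE(review): X-Tenant-ID, X-User-ID and X-Grantor-User-ID are allowed as
// request headers. If handlers use them for authorization decisions, confirm
// they are checked against the authenticated session rather than trusted as
// sent by the client.
func corsLocalDev() gin.HandlerFunc {
	return func(c *gin.Context) {
		h := c.Writer.Header()

		// The response depends on the request's Origin, so shared and browser
		// caches must key on it. Without this, a response cached for one
		// origin could be replayed for another.
		h.Add("Vary", "Origin")

		if o := c.GetHeader("Origin"); o != "" && isLocalDevOrigin(o) {
			// Credentialed CORS does not permit "*", hence the echoed origin.
			h.Set("Access-Control-Allow-Origin", o)
			h.Set("Access-Control-Allow-Credentials", "true")
			h.Set("Access-Control-Allow-Headers", "Authorization, Content-Type, X-Tenant-ID, X-User-ID, X-Grantor-User-ID")
			h.Set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS")
		}

		// Every OPTIONS request is answered here and never reaches a handler.
		// For a non-local origin the 204 carries no CORS headers, so the
		// browser rejects the preflight.
		if c.Request.Method == http.MethodOptions {
			c.AbortWithStatus(http.StatusNoContent)
			return
		}

		c.Next()
	}
}

// isLocalDevOrigin reports whether o is an http origin on a loopback host
// with an explicit numeric port, for example "http://localhost:5173".
//
// The port is validated rather than accepting anything after the colon, so
// the value reflected into Access-Control-Allow-Origin is always a
// well-formed loopback origin and never a longer string that merely starts
// with a loopback prefix.
func isLocalDevOrigin(o string) bool {
	for _, prefix := range [...]string{
		"http://localhost:",
		"http://127.0.0.1:",
		"http://[::1]:",
	} {
		if strings.HasPrefix(o, prefix) {
			return isDecimalPort(o[len(prefix):])
		}
	}
	return false
}

// isDecimalPort reports whether s consists of one to five ASCII digits.
func isDecimalPort(s string) bool {
	if len(s) == 0 || len(s) > 5 {
		return false
	}
	for i := 0; i < len(s); i++ {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
	}
	return true
}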