Update Cors Policy for CLQMS

2025-10-21 21:59:15 +07:00 · 2025-10-21 21:59:15 +07:00 · 9deab403d7
commit 9deab403d7
parent b88b587358
2 changed files with 31 additions and 5 deletions
--- a/app/Config/Filters.php
+++ b/app/Config/Filters.php
@ -32,9 +32,9 @@ class Filters extends BaseFilters
        'secureheaders' => SecureHeaders::class,
        'forcehttps'    => ForceHTTPS::class,
        'pagecache'     => PageCache::class,
-        'performance'   => PerformanceMetrics::class,
-        'auth' 			=> \App\Filters\Auth::class,    
+        'performance'   => PerformanceMetrics::class,    
        'cors'          => \App\Filters\Cors::class,
+        'auth' 			=> \App\Filters\Auth::class,
    ];

    /**
@ -74,6 +74,7 @@ class Filters extends BaseFilters
     */
    public array $globals = [
        'before' => [
+            'cors',
            'auth' => [ 'except' => [
 				'auth/*', 'lqms/*', 'key/*', 'api/*'
 			]]
--- a/app/Filters/Cors.php
+++ b/app/Filters/Cors.php
@ -6,21 +6,46 @@ use CodeIgniter\Filters\FilterInterface;

 class Cors implements FilterInterface
 {
+    protected $allowedOrigins = [
+        'http://localhost:5173',
+        'https://clqms01.services-summit.my.id',
+    ];
+
    public function before(RequestInterface $request, $arguments = null)
    {
-        header('Access-Control-Allow-Origin: *');
-        header('Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE');
-        header('Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With, X-CSRF-TOKEN');
+        // header('Access-Control-Allow-Origin: *');
+        // header('Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE');
+        // header('Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With, X-CSRF-TOKEN');

        // Handle preflight requests
        // if ($request->getMethod() === 'options') {
        //     header('HTTP/1.1 200 OK');
        //     exit();
        // }
+
+        // log_message('debug', 'Cors Filter Triggered First');
+        $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
+        $response = service('response');
+
+        if (in_array($origin, $this->allowedOrigins)) {
+            $response->setHeader('Access-Control-Allow-Origin', $origin);
+            $response->setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, PATCH, DELETE, OPTIONS');
+            $response->setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-Requested-With, Accept, Origin, Cache-Control, Pragma, X-CSRF-TOKEN');
+            // $response->setHeader('Access-Control-Allow-Headers', '*');
+            $response->setHeader('Access-Control-Allow-Credentials', 'true');
+        }
+
+        // Tangani preflight OPTIONS dengan return response
+        if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
+            // log_message('debug', 'Cors Filter Triggered OK');
+            return $response->setStatusCode(200)->setBody('OK');
+        }
+        // log_message('debug', 'Cors Filter Triggered Second');
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        // No actions required after the request
+        return $response;
    }
 }