From 9deab403d783b7f9c030e80f4654291a128c5fcd Mon Sep 17 00:00:00 2001
From: mikael-zakaria
Date: Tue, 21 Oct 2025 21:59:15 +0700
Subject: [PATCH] Update Cors Policy for CLQMS
---
 app/Config/Filters.php | 5 +++--
 app/Filters/Cors.php | 31 ++++++++++++++++++++++++++++---
 2 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/app/Config/Filters.php b/app/Config/Filters.php
index 686e867..7752f4c 100644
--- a/app/Config/Filters.php
+++ b/app/Config/Filters.php
@@ -32,9 +32,9 @@ class Filters extends BaseFilters
 'secureheaders' => SecureHeaders::class,
 'forcehttps' => ForceHTTPS::class,
 'pagecache' => PageCache::class,
- 'performance' => PerformanceMetrics::class,
- 'auth' => \App\Filters\Auth::class,
+ 'performance' => PerformanceMetrics::class,
 'cors' => \App\Filters\Cors::class,
+ 'auth' => \App\Filters\Auth::class,
 ];
 /**
@@ -74,6 +74,7 @@ class Filters extends BaseFilters
 */
 public array $globals = [
 'before' => [
+ 'cors',
 'auth' => [ 'except' => [ 'auth/*', 'lqms/*', 'key/*', 'api/*' ]]
diff --git a/app/Filters/Cors.php b/app/Filters/Cors.php
index 36947ac..6ed0c7b 100644
--- a/app/Filters/Cors.php
+++ b/app/Filters/Cors.php
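Review bot: Adding `'cors'` to `$globals['before']` is what makes the filter (and its OPTIONS short-circuit) run on every route ahead of `auth`, but the reorder of the `$aliases` entries in the first hunk does not contribute to that: CodeIgniter takes the execution order from the `$globals` array, the alias map is only a name lookup, so the alias move is cosmetic and the remove-and-re-add of the `performance` line looks like a whitespace-only change. Since the ordering is now a real dependency, a one-line comment above the new entry, `// must precede 'auth' so preflight OPTIONS requests are answered before any session check`, would record it for the next editor. Both `$aliases` and `$globals` continue outside the hunks, so I cannot see whether `cors` also appears in the `after` list or in a route-specific filter.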
@@ -6,21 +6,46 @@ use CodeIgniter\Filters\FilterInterface;
 class Cors implements FilterInterface
 {
+ protected $allowedOrigins = [
+ 'http://localhost:5173',
+ 'https://clqms01.services-summit.my.id',
+ ];
+
 public function before(RequestInterface $request, $arguments = null)
 {
- header('Access-Control-Allow-Origin: *');
- header('Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE');
- header('Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With, X-CSRF-TOKEN');
+ // header('Access-Control-Allow-Origin: *');
+ // header('Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE');
+ // header('Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With, X-CSRF-TOKEN');
 // Handle preflight requests
 // if ($request->getMethod() === 'options') {
 // header('HTTP/1.1 200 OK');
 // exit();
 // }
+
+ // log_message('debug', 'Cors Filter Triggered First');
+ $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
+ $response = service('response');
+
+ if (in_array($origin, $this->allowedOrigins)) {
+ $response->setHeader('Access-Control-Allow-Origin', $origin);
+ $response->setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, PATCH, DELETE, OPTIONS');
+ $response->setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-Requested-With, Accept, Origin, Cache-Control, Pragma, X-CSRF-TOKEN');
+ // $response->setHeader('Access-Control-Allow-Headers', '*');
+ $response->setHeader('Access-Control-Allow-Credentials', 'true');
+ }
+
+ // Tangani preflight OPTIONS dengan return response
+ if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
+ // log_message('debug', 'Cors Filter Triggered OK');
+ return $response->setStatusCode(200)->setBody('OK');
+ }
+ // log_message('debug', 'Cors Filter Triggered Second');
 }
 public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
 {
 // No actions required after the request
+ return $response;
 }
 }
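Review bot: The allowlisted origin is reflected per request together with `Access-Control-Allow-Credentials: true`, but no `Vary: Origin` header is set, so any shared cache between the CLQMS front end and this API (CDN, reverse proxy, or the browser's own cache) may hand a response carrying one origin's `Access-Control-Allow-Origin` to a request from another; add `$response->setHeader('Vary', 'Origin');` inside the `if` block, and make the membership check strict, `in_array($origin, $this->allowedOrigins, true)`, so loose comparison can never match an unexpected value. Reading the origin and method through the framework request, `$request->getHeaderLine('Origin')` and `$request->getMethod()`, instead of `$_SERVER` would keep the filter usable with CodeIgniter's request stubs in tests; older CI4 releases return the method in lowercase, which is presumably why the commented-out check used `'options'`, so compare case-insensitively if you switch. The `http://localhost:5173` entry is a development origin that now receives credentialed responses wherever this config is deployed; it is better supplied per environment than committed in the production allowlist. The preflight reply could also be a `204` with no body, since the `'OK'` text is never read by the browser.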