Merge branch 'fix/frontend-cors'

backend/.env.example

@@ -3,6 +3,7 @@ APP_ENV=local
 APP_KEY=
 APP_DEBUG=true
 APP_URL=http://localhost
+CORS_ALLOWED_ORIGINS=http://localhost:5173,https://rabbigerzi.com,https://www.rabbigerzi.com
 
 APP_LOCALE=en
 APP_FALLBACK_LOCALE=en

backend/config/cors.php

@@ -0,0 +1,23 @@
+<?php
+
+$defaultAllowedOrigins = implode(',', [
+    'http://localhost:5173',
+    'https://rabbigerzi.com',
+    'https://www.rabbigerzi.com',
+]);
+
+$allowedOrigins = array_values(array_filter(array_map(
+    'trim',
+    explode(',', (string) env('CORS_ALLOWED_ORIGINS', $defaultAllowedOrigins))
+)));
+
+return [
+    'paths' => ['login', 'logout', 'me'],
+    'allowed_methods' => ['GET', 'POST', 'OPTIONS'],
+    'allowed_origins' => $allowedOrigins,
+    'allowed_origins_patterns' => [],
+    'allowed_headers' => ['Content-Type', 'X-Requested-With', 'Accept', 'Origin'],
+    'exposed_headers' => [],
+    'max_age' => 0,
+    'supports_credentials' => true,
+];

backend/tests/Feature/CorsTest.php

@@ -0,0 +1,24 @@
+<?php
+
+namespace Tests\Feature;
+
+use Tests\TestCase;
+
+class CorsTest extends TestCase
+{
+    public function testAllowsProductionFrontendPreflight(): void
+    {
+        $response = $this->withHeaders([
+            'Origin' => 'https://rabbigerzi.com',
+            'Access-Control-Request-Method' => 'POST',
+            'Access-Control-Request-Headers' => 'content-type',
+        ])->options('/login');
+
+        $response->assertNoContent();
+        $response->assertHeader(
+            'Access-Control-Allow-Origin',
+            'https://rabbigerzi.com'
+        );
+        $response->assertHeader('Access-Control-Allow-Credentials', 'true');
+    }
+}