<?php

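/**
 * Emits CORS response headers when the "externalAPI" setting is enabled.
 *
 * All work happens in the constructor: instantiating the class reads the
 * settings, writes the headers and, for an OPTIONS preflight request, ends
 * the script.
 */
class handleCors
{
  /**
   * Reads settings["global"]["externalAPI"] and, when it is enabled, sends
   * the CORS headers for the current request.
   *
   * Side effects: calls header() and, for OPTIONS requests, exit(0).
   */
  public function __construct()
  {
    // Check settings to see if external API access is allowed.
    $config = new Settings();
    $settings = $config->getSettings();

    // isset() avoids an undefined-index notice when the key is missing.
    $externalApi = isset($settings["global"]["externalAPI"])
      ? $settings["global"]["externalAPI"]
      : null;

    // Same values the original truthiness test plus == "true" accepted:
    // boolean true or the string "true". Anything else leaves CORS off.
    if ($externalApi !== true && $externalApi !== "true") {
      return;
    }

    // The response differs per Origin, so shared caches must key on it;
    // otherwise a cached response carrying one site's Allow-Origin value
    // could be served to another. false appends to any existing Vary header.
    header("Vary: Origin", false);

    $origin = isset($_SERVER["HTTP_ORIGIN"]) ? $_SERVER["HTTP_ORIGIN"] : "";

    // No wildcard fallback: without an Origin header no Allow-Origin is sent.
    if ($origin !== "" && $this->isOriginAllowed($origin)) {
      header("Access-Control-Allow-Origin: {$origin}");
      // Credentials are only meaningful next to an explicit Allow-Origin,
      // so the header is sent only when an origin was accepted.
      header("Access-Control-Allow-Credentials: true");
    }

    header("Access-Control-Max-Age: 600"); // cache preflight for 10 minutes

    $method = isset($_SERVER["REQUEST_METHOD"])
      ? $_SERVER["REQUEST_METHOD"]
      : "";

    if ($method !== "OPTIONS") {
      return;
    }

    // Remove any method the API does not actually support.
    if (isset($_SERVER["HTTP_ACCESS_CONTROL_REQUEST_METHOD"])) {
      header("Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT");
    }

    // NOTE(review): this echoes whatever header names the client asked for;
    // a fixed list of the headers the API reads would be tighter.
    if (isset($_SERVER["HTTP_ACCESS_CONTROL_REQUEST_HEADERS"])) {
      header(
        "Access-Control-Allow-Headers: {$_SERVER["HTTP_ACCESS_CONTROL_REQUEST_HEADERS"]}"
      );
    }

    // Preflight is answered with 200 OK and the headers above; no body.
    exit(0);
  }

  /**
   * Decides whether the given Origin value may be echoed back.
   *
   * NOTE(review): this returns true for every origin, which keeps the
   * previous allow-all behaviour. Combined with
   * "Access-Control-Allow-Credentials: true" that lets any website make
   * credentialed cross-origin requests to this API and read the responses.
   * Replace the body with an exact-match check against a configured list of
   * trusted origins (strict string comparison, no substring or prefix
   * matching) before exposing the API to browsers with logged-in users.
   *
   * @param string $origin Value of the request's Origin header.
   * @return bool True when the origin may receive CORS headers.
   */
  protected function isOriginAllowed($origin)
  {
    return true;
  }
}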