import { NextRequest, NextResponse } from 'next/server'
// Origins that receive CORS response headers from the API routes.
// The middleware compares the request's Origin header against these entries
// with Array.prototype.includes, i.e. exact string equality, so each entry
// must be written as scheme + host (+ port) with no path or trailing slash.
const ALLOWED_ORIGINS: string[] = [
  'https://refinebacklog.com',
  'https://www.refinebacklog.com',
  // Plain-HTTP localhost origins are trusted only when NODE_ENV is exactly
  // 'development'; any other value (or an unset NODE_ENV) leaves them out.
  ...(process.env.NODE_ENV === 'development'
    ? ['http://localhost:3000', 'http://localhost:3001']
    : []),
]
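/**
 * Marks the response as Origin-dependent and, for an allowlisted origin,
 * adds the CORS response headers.
 *
 * @param response - Response to decorate (mutated in place).
 * @param origin - Value of the request's Origin header, or null if absent.
 * @param isPreflight - True for OPTIONS preflight responses, which also get
 *   Access-Control-Max-Age.
 */
function applyCorsHeaders(
  response: NextResponse,
  origin: string | null,
  isPreflight: boolean,
): void {
  // Access-Control-Allow-Origin is either echoed from the request or omitted,
  // so the response differs per Origin. Without `Vary: Origin` a shared cache
  // or CDN may replay a response prepared for one origin to another. The
  // header is appended (not set) so an existing Vary value is not overwritten,
  // and it is sent for rejected origins too, since "no CORS headers" is also
  // an Origin-specific answer.
  response.headers.append('Vary', 'Origin')

  // Exact-match allowlist check: no wildcard, no substring or suffix matching.
  if (!origin || !ALLOWED_ORIGINS.includes(origin)) {
    return
  }

  response.headers.set('Access-Control-Allow-Origin', origin)
  response.headers.set('Access-Control-Allow-Methods', 'GET, POST, OPTIONS')
  response.headers.set('Access-Control-Allow-Headers', 'Content-Type, x-license-key')
  if (isPreflight) {
    // Lets the browser cache the preflight result for 24 hours.
    response.headers.set('Access-Control-Max-Age', '86400')
  }
}

/**
 * Applies the CORS policy to `/api/` routes.
 *
 * Non-API paths pass through untouched. OPTIONS preflights are answered here
 * with an empty 204; all other API requests continue to their handler.
 *
 * NOTE(review): a request from an origin that is not allowlisted is still
 * forwarded via NextResponse.next(); it merely receives no CORS headers, so
 * only the browser withholds the response from the calling page. This
 * middleware is therefore not an access control; the `x-license-key` header
 * it permits presumably needs to be validated by the route handlers
 * themselves (confirm against those handlers).
 *
 * @param request - Incoming request.
 * @returns The preflight response or the pass-through response.
 */
export function middleware(request: NextRequest): NextResponse {
  // Only apply CORS to API routes
  if (!request.nextUrl.pathname.startsWith('/api/')) {
    return NextResponse.next()
  }

  const origin = request.headers.get('origin')

  // Handle preflight OPTIONS requests
  if (request.method === 'OPTIONS') {
    const preflight = new NextResponse(null, { status: 204 })
    applyCorsHeaders(preflight, origin, true)
    return preflight
  }

  // For actual requests, set CORS headers
  const response = NextResponse.next()
  applyCorsHeaders(response, origin, false)
  return response
}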
// Middleware route filter: only paths under /api/ are matched. The
// `/api/` prefix check inside `middleware` repeats this restriction.
export const config = { matcher: '/api/:path*' }