// CORS middleware for /api/**: advertises the single configured web client
// origin and answers preflight requests.
// Runs before 1.auth.ts (alphabetical order) so OPTIONS is handled without a token.
//
// Security notes:
// - Access-Control-Allow-Credentials is never set, so browsers will not attach
//   cookies to cross-origin calls; the API is reached with the "authorization"
//   header named in Access-Control-Allow-Headers.
// - When webOrigin is unset no CORS headers are emitted, so cross-origin
//   browser calls fail closed.
// - NOTE(review): webOrigin is written to Access-Control-Allow-Origin verbatim;
//   confirm deployment config always sets one exact origin and never "*".
export default defineEventHandler((event) => {
  const { pathname } = getRequestURL(event);
  if (!pathname.startsWith("/api/")) {
    // Not an API route: leave the response untouched.
    return;
  }

  const { webOrigin } = useRuntimeConfig();
  if (webOrigin) {
    // Kept as an ordered list so headers are written in a fixed sequence.
    const corsHeaders = [
      ["Access-Control-Allow-Origin", webOrigin],
      ["Vary", "Origin"],
      ["Access-Control-Allow-Headers", "authorization, content-type"],
      ["Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS"],
      // Lets the browser cache the preflight result for 600 seconds.
      ["Access-Control-Max-Age", "600"],
    ];
    for (const [headerName, headerValue] of corsHeaders) {
      setResponseHeader(event, headerName, headerValue);
    }
  }

  if (event.method !== "OPTIONS") {
    // Returning nothing passes the request on to the next handler.
    return;
  }

  // Every OPTIONS request under /api/ ends here with an empty 204, before any
  // token check, so this branch must never return data.
  setResponseStatus(event, 204);
  return "";
});