package node

import "net/http"

// withCORS decorates next so that every response, whatever the method or
// path, carries the CORS headers that browser-hosted clients on another
// origin need (the Electron renderer, a web explorer served from elsewhere,
// a mobile webview).
//
// OPTIONS requests are answered here with 204 No Content and never reach
// next. Without that, a POST /api/tx with a JSON body triggers a preflight
// that the regular handler answers with 404/405, after which the browser
// refuses to send the real request. Every OPTIONS request is treated as a
// preflight, including one that carries no Access-Control-Request-Method
// header.
//
// The policy is permissive on purpose: any origin and all common methods.
// Writes are gated by API tokens (DCHAIN_API_TOKEN + DCHAIN_API_PRIVATE)
// and Ed25519 transaction signatures rather than by same-origin, so
// cross-origin access is an intended feature of the node.
//
// NOTE(review): that argument holds only while no route behind next trusts
// something the browser attaches by itself (cookies, cached HTTP auth,
// client certificates) or trusts the caller's network position. With a
// wildcard origin, any page the user has open can read every response that
// needs no token, which matters if a node is ever bound to loopback or a
// private network on the assumption that only local callers can reach it.
// Confirm that each sensitive route checks a token or a signature.
func withCORS(next http.Handler) http.Handler {
	// Fixed policy, applied in this order to every response.
	policy := []struct{ name, value string }{
		{"Access-Control-Allow-Origin", "*"},
		{"Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH"},
		// Authorization is listed explicitly so token-bearing requests pass
		// the preflight.
		{"Access-Control-Allow-Headers", "Authorization, Content-Type, X-Requested-With"},
		{"Access-Control-Expose-Headers", "Content-Length, Content-Type"},
		// Ask browsers to cache the preflight result for a day; a browser
		// may apply a lower cap of its own.
		{"Access-Control-Max-Age", "86400"},
	}

	serve := func(w http.ResponseWriter, r *http.Request) {
		hdr := w.Header()
		for _, p := range policy {
			hdr.Set(p.name, p.value)
		}

		if r.Method != http.MethodOptions {
			next.ServeHTTP(w, r)
			return
		}

		// Preflight: reply directly instead of routing it through the mux.
		w.WriteHeader(http.StatusNoContent)
	}
	return http.HandlerFunc(serve)
}