<?php
namespace MasterFFL\Checkout\Subscriber;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;
class CorsResponseSubscriber implements EventSubscriberInterface
{
public static function getSubscribedEvents(): array
{
return [
KernelEvents::RESPONSE => 'onKernelResponse',
];
}
public function onKernelResponse(ResponseEvent $event): void
{
$response = $event->getResponse();
$request = $event->getRequest();
// Only allow on /api/* (Admin API)
if (strpos($request->getPathInfo(), '/api/') !== 0) {
return;
}
// Replace this with your frontend domain
$allowedOrigin = 'https://ffl360-qa.masterffl.com';
$origin = $request->headers->get('Origin');
if ($origin === $allowedOrigin) {
$response->headers->set('Access-Control-Allow-Origin', $origin);
$response->headers->set('Access-Control-Allow-Headers', 'Content-Type, Authorization');
$response->headers->set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
$response->headers->set('Access-Control-Allow-Credentials', 'true');
}
// Optional: handle preflight
if ($request->getMethod() === 'OPTIONS') {
$response->setStatusCode(200);
}
}
}