(request: NextRequest)
| 85 | |
| 86 | /** Single source of truth for /api/* CORS — resolved at request time, not baked at build. */ |
| 87 | export function resolveApiCorsPolicy(request: NextRequest): CorsPolicy { |
| 88 | const { pathname } = request.nextUrl |
| 89 | for (const rule of CORS_RULES) { |
| 90 | if (rule.match(pathname)) return rule.policy(request) |
| 91 | } |
| 92 | return { |
| 93 | origin: getEnv('NEXT_PUBLIC_APP_URL') || 'http://localhost:3001', |
| 94 | credentials: true, |
| 95 | methods: 'GET,POST,OPTIONS,PUT,DELETE', |
| 96 | headers: DEFAULT_API_ALLOWED_HEADERS, |
| 97 | } |
| 98 | } |
| 99 | |
| 100 | const CORS_PREFLIGHT_MAX_AGE = '86400' |
| 101 |