From bae1da324bb682a9929b6df41eb99493f816b64e Mon Sep 17 00:00:00 2001
From: mwpn <mwpn@example.com>
Date: Wed, 17 Dec 2025 14:02:49 +0700
Subject: [PATCH] fix: Perbaiki CORS middleware agar selalu add headers jika
 wildcard diizinkan, tambah script check_cors.php

---
 bin/check_cors.php                | 78 +++++++++++++++++++++++++++++++
 src/Middleware/CorsMiddleware.php |  6 +++
 2 files changed, 84 insertions(+)
 create mode 100644 bin/check_cors.php

diff --git a/bin/check_cors.php b/bin/check_cors.php
new file mode 100644
index 0000000..42ceba7
--- /dev/null
+++ b/bin/check_cors.php
@@ -0,0 +1,78 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * Script untuk verifikasi CORS configuration
+ * Usage: php bin/check_cors.php
+ */
+
+require __DIR__ . '/../vendor/autoload.php';
+
+use App\Config\AppConfig;
+
+// Load environment
+AppConfig::loadEnv(__DIR__ . '/..');
+
+echo "=== CORS Configuration Check ===\n\n";
+
+// Check CORS configuration
+$allowedOrigins = AppConfig::get('CORS_ALLOWED_ORIGINS', '*');
+$allowedMethods = AppConfig::get('CORS_ALLOWED_METHODS', 'GET,POST,PUT,DELETE,OPTIONS');
+$allowedHeaders = AppConfig::get('CORS_ALLOWED_HEADERS', 'Content-Type,Authorization,X-API-KEY,Accept,Origin');
+$allowCredentials = AppConfig::get('CORS_ALLOW_CREDENTIALS', 'true');
+
+echo "1. CORS Configuration:\n";
+echo "   CORS_ALLOWED_ORIGINS: " . ($allowedOrigins ?: '(not set, using default: *)') . "\n";
+echo "   CORS_ALLOWED_METHODS: " . ($allowedMethods ?: '(not set, using default)') . "\n";
+echo "   CORS_ALLOWED_HEADERS: " . ($allowedHeaders ?: '(not set, using default)') . "\n";
+echo "   CORS_ALLOW_CREDENTIALS: " . ($allowCredentials ?: '(not set, using default: true)') . "\n\n";
+
+// Check if CorsMiddleware exists
+echo "2. Checking CorsMiddleware class:\n";
+if (class_exists('App\Middleware\CorsMiddleware')) {
+    echo "   ✅ CorsMiddleware class found\n";
+} else {
+    echo "   ❌ CorsMiddleware class NOT found\n";
+    echo "   Solution: Run 'composer dump-autoload --optimize'\n";
+}
+
+// Check if CorsMiddleware is registered in Bootstrap
+echo "\n3. Checking Bootstrap configuration:\n";
+$bootstrapFile = __DIR__ . '/../src/Bootstrap/app.php';
+if (file_exists($bootstrapFile)) {
+    $bootstrapContent = file_get_contents($bootstrapFile);
+    if (strpos($bootstrapContent, 'CorsMiddleware') !== false) {
+        echo "   ✅ CorsMiddleware found in Bootstrap\n";
+    } else {
+        echo "   ❌ CorsMiddleware NOT found in Bootstrap\n";
+        echo "   Solution: Update src/Bootstrap/app.php\n";
+    }
+} else {
+    echo "   ❌ Bootstrap file not found\n";
+}
+
+// Check .env file
+echo "\n4. Checking .env file:\n";
+$envFile = __DIR__ . '/../.env';
+if (file_exists($envFile)) {
+    echo "   ✅ .env file exists\n";
+    $envContent = file_get_contents($envFile);
+    if (strpos($envContent, 'CORS_ALLOWED_ORIGINS') !== false) {
+        echo "   ✅ CORS_ALLOWED_ORIGINS found in .env\n";
+    } else {
+        echo "   ⚠️  CORS_ALLOWED_ORIGINS not found in .env (will use default: *)\n";
+        echo "   Recommendation: Add CORS configuration to .env\n";
+    }
+} else {
+    echo "   ⚠️  .env file not found\n";
+    echo "   Recommendation: Copy .env.example to .env and configure\n";
+}
+
+echo "\n=== Check Complete ===\n";
+echo "\nNext steps:\n";
+echo "1. If CorsMiddleware not found: composer dump-autoload --optimize\n";
+echo "2. If .env not configured: Add CORS settings to .env\n";
+echo "3. Restart PHP-FPM: systemctl reload php-fpm-83\n";
+echo "4. Test: curl -I -H \"Origin: http://localhost\" https://api.btekno.cloud/health\n";
+
diff --git a/src/Middleware/CorsMiddleware.php b/src/Middleware/CorsMiddleware.php
index 7b00e5b..2cdf7dc 100644
--- a/src/Middleware/CorsMiddleware.php
+++ b/src/Middleware/CorsMiddleware.php
@@ -68,6 +68,12 @@ class CorsMiddleware implements MiddlewareInterface
         // Determine allowed origin
         $allowedOrigin = $this->getAllowedOrigin($origin);
 
+        // Always add CORS headers if wildcard is allowed (even if origin is empty)
+        // This ensures CORS works for all requests
+        if ($allowedOrigin === null && in_array('*', $this->allowedOrigins, true)) {
+            $allowedOrigin = '*';
+        }
+
         if ($allowedOrigin) {
             $response = $response->withHeader('Access-Control-Allow-Origin', $allowedOrigin);
         }