# .htaccess for MzalendoPay Proxy Protection
# Updated to allow all addon domains

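# Deny web access to environment files, logs, SQL dumps and JSON data.
# The pattern is matched against the file's base name. The previous pattern
# "^\.(env|log|sql|json)$" matched only files named exactly ".env", ".log",
# ".sql" or ".json", so names such as "error.log", "backup.sql" or
# ".env.local" stayed downloadable.
# NOTE(review): this now denies every *.json file; if the site intentionally
# serves a static JSON file, add a narrower exception for it.
<FilesMatch "(^\.env|\.(env|log|sql|json)$)">
    # Apache 2.4+ (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback; on 2.4 these directives need mod_access_compat
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>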

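# Deny direct web requests for config.php. The file can still be included by
# other PHP scripts, because this only restricts HTTP access.
<Files "config.php">
    # Apache 2.4+ (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback; on 2.4 these directives need mod_access_compat,
    # and without it they are unknown and the whole file fails to load.
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>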

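# ============================================
# CORS HEADERS - Allow all your addon domains
# ============================================
<IfModule mod_headers.c>
    # Access-Control-Allow-Origin can carry only one origin, so the request's
    # Origin header is checked against an allow-list and echoed back on a match.
    # The pattern is anchored with ^ and $ so that only an exact origin matches;
    # an unanchored pattern also matches longer origins that merely contain an
    # allowed one (look-alike hosts, or the same host with a port).
    # NOTE(review): "localhost" is a development origin; confirm it should stay
    # on the list in production.
    SetEnvIf Origin "^https://((www\.)?(kupursa\.store|utamupoint\.site|mizagamuano\.store|bongoutamu\.space|connectbongo\.site)|localhost)$" AccessControlAllowOrigin=$0

    # Every CORS header is emitted only when the origin matched the allow-list,
    # so unlisted origins are not told that credentialed access is supported.
    Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
    Header set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" env=AccessControlAllowOrigin
    # NOTE(review): accepting X-SECRET-KEY from browsers implies a secret is
    # present in client-side code; confirm that is intended.
    Header set Access-Control-Allow-Headers "Content-Type, X-API-KEY, X-PUBLIC-KEY, X-SECRET-KEY, Authorization" env=AccessControlAllowOrigin
    Header set Access-Control-Allow-Credentials "true" env=AccessControlAllowOrigin
    # NOTE(review): this makes an X-API-KEY response header readable by page
    # scripts on the allowed origins; confirm the response is meant to carry it.
    Header set Access-Control-Expose-Headers "X-API-KEY" env=AccessControlAllowOrigin
    Header set Access-Control-Max-Age "86400" env=AccessControlAllowOrigin

    # The response now depends on the Origin request header, so caches must
    # key on it; otherwise a response cached for one origin can be replayed
    # to another.
    Header merge Vary "Origin"
</IfModule>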

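# Alternative: Allow ALL origins (for testing only - use with caution, never in production).
# Browsers reject a wildcard origin combined with Access-Control-Allow-Credentials "true",
# so this variant cannot serve credentialed requests as written.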
# <IfModule mod_headers.c>
#     Header set Access-Control-Allow-Origin "*"
#     Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
#     Header set Access-Control-Allow-Headers "Content-Type, X-API-KEY, X-PUBLIC-KEY, X-SECRET-KEY"
#     Header set Access-Control-Allow-Credentials "true"
# </IfModule>

# Prevent directory listing: with Indexes off, Apache does not generate a file
# listing for a directory that has no index file, so directory contents cannot
# be enumerated by browsing to the directory URL.
Options -Indexes

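# Block web requests for PHP-type files under logs/, so that a script that ends
# up in the log directory cannot be run by requesting its URL.
# <Directory> sections are not permitted in .htaccess; Apache rejects the file
# and answers every request with a 500. The restriction is therefore written
# as a rewrite rule, matched relative to the directory holding this file.
# The rule has no effect if mod_rewrite is not loaded. A separate .htaccess
# inside logs/, or keeping logs outside the web root, gives the same
# protection without depending on mod_rewrite.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # [F] answers 403 Forbidden; [NC] also catches upper-case extensions.
    RewriteRule ^logs/.*\.(php[0-9]?|phtml|phar)(/|$) - [F,NC]
</IfModule>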

# Bandwidth throttling (if mod_ratelimit is enabled).
# mod_ratelimit limits response transfer speed; "rate-limit" is a speed in
# KiB/s, not a number of requests. It applies only where the RATE_LIMIT output
# filter is installed (SetOutputFilter RATE_LIMIT). No filter is set in this
# file, so this variable has no effect on its own.
# NOTE(review): this does not limit how often a client may call the proxy;
# request throttling has to come from the application or from the server
# configuration - confirm where it is enforced.
<IfModule mod_ratelimit.c>
    SetEnv rate-limit 100
</IfModule>

# Rewrite rules for clean URLs: answer CORS preflights directly and route
# every other non-file request to the PHP proxy.
<IfModule mod_rewrite.c>
    RewriteEngine On
    
    # Handle OPTIONS method for CORS preflight.
    # With a non-3xx status in [R=...], mod_rewrite drops the substitution and
    # answers the request itself, so preflights never reach mzalendo_proxy.php.
    # This applies to any path and any origin; the Access-Control-* headers
    # decide whether the browser accepts the preflight.
    # NOTE(review): confirm the 200 response really carries the CORS headers;
    # responses produced this way may need "Header always set" instead of
    # "Header set".
    RewriteCond %{REQUEST_METHOD} OPTIONS
    RewriteRule ^(.*)$ $1 [R=200,L]
    
    # Front controller: a request that is neither an existing file (!-f) nor an
    # existing directory (!-d) goes to mzalendo_proxy.php, with the requested
    # path passed as the "action" parameter. [QSA] keeps the original query string.
    # Existing files bypass this rule and are served directly, so the deny
    # rules elsewhere in this file are what keep non-public files from being fetched.
    # NOTE(review): "action" comes straight from the client's URL, and with QSA
    # a client-supplied "action=" query parameter is appended as well;
    # presumably mzalendo_proxy.php validates it against a fixed list - verify.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ mzalendo_proxy.php?action=$1 [QSA,L]
</IfModule>