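/**
 * Origins accepted when ALLOWED_ORIGINS is not set.
 * Declared readonly so the shared default list cannot be mutated by callers.
 */
const DEFAULT_ORIGINS: readonly string[] = [
  "http://localhost:3000",
  "http://localhost:3001",
  "http://10.8.0.2:3000",
];

/** The single 403 body that every rejection path returns. */
function forbidden(): Response {
  return Response.json({ error: "Forbidden" }, { status: 403 });
}

/**
 * Reduce a URL string to its serialized origin ("scheme://host[:port]").
 *
 * Returns null when the value does not parse as a URL, or when its origin is
 * opaque (the WHATWG "null" origin — e.g. a literal `Origin: null` header, or
 * a scheme-less config entry such as "localhost:3000" that the URL parser
 * reads as a custom scheme). A null result can therefore never match an
 * allow-list entry, which keeps `Origin: null` requests rejected.
 *
 * @param value - raw header value or configuration entry
 */
function toOrigin(value: string): string | null {
  try {
    const origin = new URL(value).origin;
    return origin === "null" ? null : origin;
  } catch {
    return null;
  }
}

/**
 * Allowed origins from ALLOWED_ORIGINS (comma-separated), or the defaults.
 *
 * Every entry is normalised to its serialized origin, so a trailing slash,
 * path or upper-case host in the env var (`http://Localhost:3000/`) still
 * matches the lower-case `Origin` header browsers send; previously such an
 * entry silently never matched and every request got a 403. Entries that do
 * not yield a real origin are dropped instead of kept as never-matching noise.
 */
function allowedOrigins(): string[] {
  const env = process.env.ALLOWED_ORIGINS;
  const entries: readonly string[] = env ? env.split(",") : DEFAULT_ORIGINS;
  return entries
    .map((entry) => toOrigin(entry.trim()))
    .filter((origin): origin is string => origin !== null);
}

/**
 * Same-origin check for browser-issued requests.
 *
 * The `Origin` header is authoritative when present. Only when it is absent
 * does the check fall back to the origin of `Referer`; a request carrying
 * neither is rejected (fail closed). Matching is an exact comparison of
 * serialized origins — no prefix, substring or wildcard matching.
 *
 * NOTE: this defends against cross-site requests made by browsers, which set
 * these headers themselves; a non-browser client can send any value, so the
 * check complements rather than replaces authentication.
 *
 * @param request - incoming request whose headers are inspected
 * @returns null when the request may proceed, otherwise a 403 JSON response
 */
export function checkOrigin(request: Request): Response | null {
  const allowed = allowedOrigins();

  const origin = request.headers.get("origin");
  if (origin) {
    const normalized = toOrigin(origin);
    return normalized !== null && allowed.includes(normalized) ? null : forbidden();
  }

  const referer = request.headers.get("referer");
  if (referer) {
    // Only the origin part of the referrer is compared; path and query are
    // irrelevant to the allow-list and must not influence the decision.
    const refererOrigin = toOrigin(referer);
    return refererOrigin !== null && allowed.includes(refererOrigin) ? null : forbidden();
  }

  return forbidden();
}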