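// Copyright 2015 Google Inc. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package cors provides CORS support for http.Handlers.
package cors

import (
	"net/http"
)

// Handler is an http.Handler that wraps other http.Handlers and provides CORS
// support.
type Handler struct {
	handler          http.Handler
	origin           string
	allowCredentials bool
}

// NewHandler wraps an existing http.Handler allowing it to be requested via
// CORS. The returned Handler allows every origin ("*") and does not allow
// credentials until SetOrigin and AllowCredentials are called.
func NewHandler(h http.Handler) *Handler {
	return &Handler{
		handler: h,
		origin:  "*",
	}
}

// SetOrigin sets the value sent in Access-Control-Allow-Origin.
//
// The value is written to the response verbatim and is never compared with
// the Origin header of the request, so it must be something a browser accepts
// in that header: a single origin such as "https://app.example", or "*".
func (h *Handler) SetOrigin(origin string) {
	h.origin = origin
}

// AllowCredentials controls whether Access-Control-Allow-Credentials: true is
// sent, which lets the browser expose responses to credentialed (cookie)
// requests to the calling page.
//
// It only takes effect once SetOrigin has replaced the default "*": browsers
// refuse credentialed responses whose allowed origin is the wildcard, so
// ServeHTTP does not emit the header in that configuration.
func (h *Handler) AllowCredentials(allow bool) {
	h.allowCredentials = allow
}

// ServeHTTP determines if a request is a CORS request (normal or preflight)
// and sets the appropriate Access-Control-Allow-* headers. It will send the
// request to the underlying handler in all cases, except for a preflight
// (OPTIONS) request.
//
// Any OPTIONS request that carries an Origin header is answered here and
// never reaches the wrapped handler. The requested method and headers are
// echoed back as allowed, so this handler does not restrict which methods or
// headers a permitted origin may use; that decision stays with the wrapped
// handler.
func (h *Handler) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
	hdr := rw.Header()

	// The CORS headers are only present when the request has an Origin
	// header, so shared caches must key on it; otherwise a response stored
	// for a same-origin request can be replayed to a cross-origin one.
	hdr.Add("Vary", "Origin")

	// Definitely not a CORS request, send it directly to handler.
	if req.Header.Get("Origin") == "" {
		h.handler.ServeHTTP(rw, req)
		return
	}

	hdr.Set("Access-Control-Allow-Origin", h.origin)

	// Credentials combined with the wildcard origin is rejected by browsers,
	// so the header is only sent for an explicit origin. Do not work around
	// this by echoing the request's Origin without checking it against an
	// allowlist: that would grant every site credentialed access.
	if h.allowCredentials && h.origin != "*" {
		hdr.Set("Access-Control-Allow-Credentials", "true")
	}

	// Only preflights carry Access-Control-Request-Method; skip the header
	// on simple requests instead of emitting it with an empty value.
	if acrm := req.Header.Get("Access-Control-Request-Method"); acrm != "" {
		hdr.Add("Vary", "Access-Control-Request-Method")
		hdr.Set("Access-Control-Allow-Methods", acrm)
	}
	if acrh := req.Header.Get("Access-Control-Request-Headers"); acrh != "" {
		hdr.Add("Vary", "Access-Control-Request-Headers")
		hdr.Set("Access-Control-Allow-Headers", acrh)
	}

	// Preflight request, don't bother sending it to the handler.
	if req.Method == "OPTIONS" {
		return
	}
	h.handler.ServeHTTP(rw, req)
}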