# MailMax livechat API access + CORS
# This folder is intentionally public because the desktop/web app calls
# /api/livechat/livechat.php directly from the app origin during support chat.

# Turn off auto-generated directory listings so file names in this folder
# cannot be enumerated by browsing to it.
Options -Indexes
# A request for the directory URL itself is answered by livechat.php.
DirectoryIndex livechat.php

# Access policy for the folder: every client is allowed, with no IP- or
# login-based restriction applied by Apache.
# NOTE(review): with the web server granting access to everyone, authentication,
# authorization and rate limiting all have to be enforced inside livechat.php.
# That script is not visible from this file; confirm it does so.
<IfModule mod_authz_core.c>
    # Apache 2.4+ authorization syntax.
    Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
    # Legacy (pre-2.4) syntax, used only when mod_authz_core is not loaded.
    Order allow,deny
    Allow from all
</IfModule>

<IfModule mod_headers.c>
    # Remove any duplicate CORS headers produced by PHP/hosting layers, then
    # add CORS headers at Apache level so preflight, 403, 404, and 500 responses
    # still include Access-Control-Allow-Origin.
    # mod_headers keeps two response header tables ("onsuccess" and "always");
    # each header is unset in both and then set once in "always" so exactly one
    # value is emitted.
    #
    # NOTE(review): "*" lets script on any website read responses from this API,
    # including the error responses covered by "always". Browsers do not attach
    # cookies to such requests while the origin is "*" and no
    # Access-Control-Allow-Credentials header is sent, but a script can still
    # send an Authorization header it already holds. The API is therefore
    # protected by the token check alone, not by origin. If the app origin(s)
    # are fixed, consider returning only those origins (plus "Vary: Origin")
    # instead of "*".
    # NOTE(review): because 500 responses are readable cross-origin, make sure
    # PHP error output (display_errors) is disabled in production.
    Header onsuccess unset Access-Control-Allow-Origin
    Header always unset Access-Control-Allow-Origin
    Header always set Access-Control-Allow-Origin "*"

    # Methods advertised to browsers in the preflight response.
    # NOTE(review): PUT and DELETE are advertised here. Whether livechat.php
    # implements them cannot be seen from this file; trim the list to the
    # methods the script actually handles.
    Header onsuccess unset Access-Control-Allow-Methods
    Header always unset Access-Control-Allow-Methods
    Header always set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"

    # Request headers a cross-origin caller is permitted to send.
    # NOTE(review): X-App-Api-Base and X-App-Tracking-Base presumably carry
    # client-chosen base URLs. If livechat.php ever makes outbound requests
    # using them, the values need to be validated against a fixed allowlist.
    # TODO confirm against the script.
    Header onsuccess unset Access-Control-Allow-Headers
    Header always unset Access-Control-Allow-Headers
    Header always set Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With, X-App-Api-Base, X-App-Tracking-Base"

    # Browsers may cache the preflight result for up to 86400 seconds (24 h),
    # though some cap this lower. After tightening any header above, clients
    # can keep using a cached preflight answer until it expires.
    Header onsuccess unset Access-Control-Max-Age
    Header always unset Access-Control-Max-Age
    Header always set Access-Control-Max-Age "86400"
</IfModule>

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Let browsers complete CORS preflight requests against the livechat API.
    # The rule applies only to OPTIONS requests for livechat.php, and [L] ends
    # rule processing for the request.
    # NOTE(review): the substitution is the same path that was matched, so the
    # request still reaches livechat.php and the preflight status code comes
    # from the script. Browsers do not send the Authorization header on
    # preflight, so confirm that the script answers OPTIONS with a 2xx before
    # any token check and does no other work for that method.
    RewriteCond %{REQUEST_METHOD} OPTIONS
    RewriteRule ^livechat\.php$ livechat.php [L]
</IfModule>

# Block direct HTTP access to files that should never be served from this
# public folder: config.json and anything ending in .log, .sqlite, .db, .lock
# or .txt. The pattern is matched against the file name only, and this deny
# takes precedence over the folder-wide "granted" policy for matching files.
# NOTE(review): this is a denylist, so anything not named here stays
# downloadable. Examples are other .json files, editor or backup copies
# (.bak, .swp, trailing ~), .env, .ini and .sql dumps. The regex is also
# case-sensitive, which matters if the site is ever hosted on a
# case-insensitive filesystem. Safer options are to keep config and data files
# outside the web root, or to deny everything here and allow only livechat.php.
<FilesMatch "^(config\.json|.*\.log|.*\.sqlite|.*\.db|.*\.lock|.*\.txt)$">
    <IfModule mod_authz_core.c>
        # Apache 2.4+ syntax.
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Legacy (pre-2.4) syntax.
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
