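<?php

// NOTE(review): the opening of this file (the PHP tag, `return [` and the key of
// the first entry) was not visible in the reviewed text. `paths` is the key that
// Laravel's config/cors.php uses for this list; confirm against the original.
//
// Each option sits on its own line. When the file is collapsed onto a single
// line, the first `//` comment swallows every key that follows it.

return [

    // Routes that receive CORS headers. sanctum/csrf-cookie is listed so a
    // cross-origin SPA can fetch its CSRF cookie before making API calls.
    'paths' => ['api/*', 'sanctum/csrf-cookie'],

    // Allow all HTTP methods for simplicity in dev.
    // Before production, narrow this to the verbs the API actually serves.
    'allowed_methods' => ['*'],

    // IMPORTANT: Do NOT use '*' when sending credentials. List explicit origins.
    // With supports_credentials enabled, a wildcard here would let any site make
    // requests that carry the user's cookies and read the responses.
    // Set FRONTEND_URL in .env to override the default if needed. The value must
    // be a bare origin (scheme://host[:port], no path, no trailing slash) because
    // it is matched against the browser's Origin header; use https outside dev.
    'allowed_origins' => [env('FRONTEND_URL', 'http://localhost:8080')],

    // Alternatively, use patterns (kept empty for clarity).
    // If patterns are ever added, anchor them: an unanchored pattern can match
    // look-alike hosts that merely contain the trusted name.
    'allowed_origins_patterns' => [],

    // Headers the client may send.
    // The wildcard is a dev convenience; an explicit list of the headers the
    // front end really sends is the tighter choice for a credentialed API.
    'allowed_headers' => ['*'],

    // Response headers that browser JavaScript is allowed to read (none extra).
    'exposed_headers' => [],

    // Preflight cache duration (in seconds). 0 leaves preflight results
    // effectively uncached, so cross-origin calls may cost an extra OPTIONS
    // round trip each time.
    'max_age' => 0,

    // Must be true if the browser sends cookies or Authorization with
    // withCredentials. CORS only decides which origins may read responses; it is
    // not an authorization check, so CSRF protection and per-request auth on the
    // listed paths are still required.
    'supports_credentials' => true,

];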