# MyKollectOr API — .htaccess

# Force HTTPS: any request that reached Apache over plain HTTP is sent a
# permanent redirect to the same host and path over TLS.
# NOTE(review): %{HTTPS} reflects the connection Apache itself sees; if TLS is
# terminated by a proxy in front of this host, confirm it still reads "on" for
# secure requests, otherwise this rule would redirect-loop.
# NOTE(review): the redirect target reuses the client-supplied Host header; if
# this vhost can receive other Host values, pin the API hostname here instead.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# ── CRITICAL OVH FIX: hand the Authorization header through to PHP ──
# Per the original note, the OVH setup does not expose the request's
# Authorization header to PHP, so it is copied into the HTTP_AUTHORIZATION
# environment variable two ways: through the rewrite engine (E= flag, no L
# flag, so the rules below still run) and through SetEnvIf.
# NOTE(review): after the internal rewrite to public/index.php Apache
# re-exports earlier env vars with a REDIRECT_ prefix, so the app may see
# REDIRECT_HTTP_AUTHORIZATION rather than HTTP_AUTHORIZATION — confirm the
# Slim side reads both.
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

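# ── CORS at the Apache level — covers EVERY response, including 500s ──
# Only the listed first-party origins are reflected. The pattern is anchored
# at both ends and the dots are escaped, so an origin such as
# https://pwa.mykollector.com.attacker.example does not match. Every CORS
# header is conditional on CORS_ORIGIN, so other origins get none of them.
<IfModule mod_headers.c>
    SetEnvIf Origin "^https://(fab|pwa|chrono|workflow)\.mykollector\.com$" CORS_ORIGIN=$0
    # Allow-Origin differs per request, so any shared cache must key on the
    # Origin header; otherwise a response reflecting one origin could be
    # served to another. Sent unconditionally (also when no CORS headers are
    # attached); "merge" keeps any Vary value set elsewhere.
    Header always merge Vary Origin
    Header always set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN
    Header always set Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" env=CORS_ORIGIN
    Header always set Access-Control-Allow-Headers "Content-Type, Authorization, X-Agent-Key" env=CORS_ORIGIN
    # Credentials are only acceptable because Allow-Origin is an explicit
    # allow-listed value, never "*".
    Header always set Access-Control-Allow-Credentials "true" env=CORS_ORIGIN
    Header always set Access-Control-Max-Age "86400" env=CORS_ORIGIN
</IfModule>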

# ── Preflight OPTIONS: answer 200 without going through PHP ─────────
# Matches every OPTIONS request on any path, from any origin; the CORS
# headers themselves are still only attached when CORS_ORIGIN matched above.
# This rule runs before the router and before the storage/src/logs blocks,
# so an OPTIONS to those paths gets an empty 200 rather than a 403.
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]

# Route to Slim 4: anything that is not an existing file or directory is
# rewritten internally to the front controller (QSA keeps the query string).
# Requests for real files and directories fall through to the rules below.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ public/index.php [QSA,L]

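# Block direct access to .env (and .env.* variants — the pattern is anchored
# only at the start). FilesMatch tests the file name, so this also covers a
# .env in any subdirectory of this docroot.
# Apache 2.4 uses "Require"; the Order/Deny form is 2.2 syntax that on 2.4
# needs mod_access_compat. An unknown directive in .htaccess turns into a 500
# for the whole directory, so each form is guarded by an IfModule check.
<FilesMatch "^\.env">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>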

# Block access to storage/ src/ logs/ with a 403.
# These rules sit after the router rule, which (with its L flag) already
# catches every path that is not an existing file or directory; so in
# practice they fire for real files and directories under those folders,
# which is exactly what must not be served.
# The IfModule guard is moot: "RewriteEngine On" above is unguarded, so the
# file already fails to load without mod_rewrite.
# NOTE(review): vendor/, composer.* and .git/ are not covered; confirm they
# live outside the document root, or add matching rules here.
<IfModule mod_rewrite.c>
    RewriteRule ^storage/ - [F,L]
    RewriteRule ^src/ - [F,L]
    RewriteRule ^logs/ - [F,L]
</IfModule>

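# Security headers — "always" so they are also sent on error responses.
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options nosniff
    Header always set X-Frame-Options DENY
    # "0" switches the legacy XSS auditor off: modern browsers removed it, and
    # in older ones "1; mode=block" could be abused to leak page state. With
    # the CSP below it adds nothing.
    Header always set X-XSS-Protection "0"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # HTTPS is forced by the redirect above; HSTS makes the browser enforce it
    # too. Browsers ignore this header on plain-HTTP responses, so sending it
    # unconditionally is safe. No includeSubDomains/preload: scoped to this
    # host on purpose — widen only once every subdomain is known to be TLS-only.
    Header always set Strict-Transport-Security "max-age=31536000"
    # An API that returns data, not documents: forbid loading any sub-resource
    # and any framing. NOTE(review): loosen this if the host ever serves HTML
    # that needs scripts or styles.
    Header always set Content-Security-Policy "default-src 'none'; frame-ancestors 'none'"
    # Do not advertise the PHP version.
    Header always unset X-Powered-By
</IfModule>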

# No directory listings anywhere under this docroot.
Options -Indexes

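# PHP runtime limits. Only applied when PHP runs as the mod_php8 Apache
# module; under CGI/FPM this whole block is skipped and the same settings
# must live in .user.ini / php.ini instead.
<IfModule mod_php8.c>
    php_value upload_max_filesize 10M
    php_value post_max_size 10M
    php_value max_execution_time 60
    php_value memory_limit 256M
    # Production API: never render PHP errors (file paths, stack traces) into
    # the response body; keep them in the server error log instead.
    php_flag display_errors Off
    php_flag log_errors On
</IfModule>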
