done. going to bed now.

src/Http/Middleware/CorsMiddleware.php

@@ -0,0 +1,72 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Siteworxpro\App\Http\Middleware;
+
+use Nyholm\Psr7\Response;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\MiddlewareInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+use Siteworxpro\App\Facades\Config;
+
+/**
+ * Class CorsMiddleware
+ *
+ * Middleware to handle CORS (Cross-Origin Resource Sharing) requests.
+ * It checks the origin of the request and sets appropriate CORS headers
+ * in the response.
+ */
+class CorsMiddleware implements MiddlewareInterface
+{
+    /**
+     * Process the incoming request and add CORS headers to the response.
+     *
+     * @param ServerRequestInterface $request The incoming request.
+     * @param RequestHandlerInterface $handler The request handler.
+     * @return ResponseInterface The response with CORS headers.
+     */
+    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
+    {
+        $origin = $request->getHeaderLine('Origin');
+        $allowedOrigins = array_map(
+            'trim',
+            explode(
+                ',',
+                Config::get('cors.allowed_origins')
+            )
+        );
+
+        $allowOrigin = in_array($origin, $allowedOrigins, true)
+            ? $origin
+            : null;
+
+        if ($request->getMethod() === 'OPTIONS') {
+            $response = new Response(204);
+        } else {
+            $response = $handler->handle($request);
+        }
+
+        if ($allowOrigin === null) {
+            return $response; // Do not add CORS headers if origin is not allowed.
+        }
+
+        $response = $response
+            ->withHeader('Access-Control-Allow-Origin', $allowOrigin)
+            ->withHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, PATCH, DELETE, OPTIONS')
+            ->withHeader(
+                'Access-Control-Allow-Headers',
+                $request->getHeaderLine('Access-Control-Request-Headers')
+                    ?: 'Content-Type, Authorization'
+            );
+
+        if (Config::get('cors.allow_credentials') === true) {
+            $response = $response->withHeader('Access-Control-Allow-Credentials', 'true');
+        }
+
+        $maxAge = Config::get('cors.max_age') ?: '86400'; // Use correct configuration key.
+
+        return $response->withHeader('Access-Control-Max-Age', $maxAge);
+    }
+}