"use strict";
// Module-interop helper: reuses an already-installed `__importDefault` when `this`
// carries one, otherwise wraps a module that is not flagged `__esModule` as
// `{ default: mod }` so callers can always read `.default`.
var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
};
// Flag this module's exports object as an ES-module-style namespace.
Object.defineProperty(exports, "__esModule", { value: true });
// Pre-declare both exports as undefined; each is assigned right after its
// function definition further down in this file.
exports.shouldOmitCredentials = exports.check = void 0;
const builtin_header_names_1 = __importDefault(require("./builtin-header-names"));
const lodash_1 = require("lodash");
const url_1 = require("../utils/url");
// NOTE: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
/**
 * Decides whether the response to a request may be exposed to the requesting
 * origin, using the CORS response headers of the destination server.
 *
 * Decision order:
 *  1. Same origin (`dest.domain === dest.reqOrigin`) passes without looking at headers.
 *  2. A missing/empty Access-Control-Allow-Origin header denies the request.
 *  3. A credentialed request (`Credentials.include`) is denied unless
 *     Access-Control-Allow-Credentials is "true" AND no wildcard origin is used.
 *  4. Otherwise the request origin must equal one of the allowed origins, or
 *     the wildcard `*` must be present.
 *
 * @param {object} ctx - Pipeline context; reads `ctx.dest.{domain,reqOrigin,credentials}`
 *     and `ctx.destRes.headers`.
 * @returns {boolean} `true` when the cross-origin read is allowed.
 */
function check(ctx) {
    const { dest } = ctx;
    const requestOrigin = dest.reqOrigin;
    // Same-origin traffic is never subject to the CORS header checks.
    if (dest.domain === requestOrigin)
        return true;
    const responseHeaders = ctx.destRes.headers;
    const allowOriginValue = responseHeaders[builtin_header_names_1.default.accessControlAllowOrigin];
    // Deny by default: without Access-Control-Allow-Origin the server has not opted in.
    if (!allowOriginValue)
        return false;
    // The header value may be a single string or a list; normalise to a list.
    // NOTE(review): every list entry is treated as an independently allowed origin;
    // confirm how `destRes.headers` represents a repeated header, since accepting
    // several values is more permissive than rejecting a duplicated header outright.
    const permittedOrigins = (0, lodash_1.castArray)(allowOriginValue);
    const hasWildcard = permittedOrigins.includes('*');
    if (dest.credentials === url_1.Credentials.include) {
        const allowCredentialsValue = responseHeaders[builtin_header_names_1.default.accessControlAllowCredentials];
        // NOTE(review): the comparison is case-insensitive ("TRUE"/"True" are accepted).
        // The Fetch standard matches the literal `true` case-sensitively, so this check
        // is more lenient than a browser's.
        const credentialsGranted = String(allowCredentialsValue).toLowerCase() === 'true';
        // Credentialed responses need an explicit opt-in and an exact origin;
        // a wildcard origin must never be combined with credentials.
        if (hasWildcard || !credentialsGranted)
            return false;
    }
    // Exact string match against the allowed origins (no normalisation is applied).
    return hasWildcard || permittedOrigins.includes(requestOrigin);
}
exports.check = check;
/**
 * Tells whether credentials must be left out of the outgoing request, based on
 * the request's credentials mode.
 *
 *  - `omit`: always omit.
 *  - `sameOrigin`: omit only when the request origin differs from the destination domain.
 *  - `include` and any other value: keep credentials.
 *
 * @param {object} ctx - Pipeline context; reads `ctx.dest.{credentials,reqOrigin,domain}`.
 * @returns {boolean} `true` when credentials should be omitted.
 */
function shouldOmitCredentials(ctx) {
    const { credentials } = ctx.dest;
    if (credentials === url_1.Credentials.omit)
        return true;
    if (credentials === url_1.Credentials.sameOrigin)
        return ctx.dest.reqOrigin !== ctx.dest.domain;
    // NOTE(review): an unrecognised or missing mode lands here together with
    // `include`, so credentials are kept. Confirm that this fail-open default is
    // intended for callers that may pass an unknown mode.
    return false;
}
exports.shouldOmitCredentials = shouldOmitCredentials;