'use strict';

module.exports = function cors () {
    return function corsMiddleware (req, res, next) {
        const headers = [
            'X-Requested-With',
            'X-Prototype-Version',
            'X-CSRF-Token',
            'Authorization',
            'Carto-Event',
            'Carto-Event-Source',
            'Carto-Event-Group-Id'
        ];

        if (req.method === 'OPTIONS') {
            headers.push('Content-Type');
        }

        res.set('Access-Control-Allow-Origin', '*');
        res.set('Access-Control-Allow-Headers', headers.join(', '));

        next();
    };
};