bartender/middlewares/CorsControl.php

<?php

namespace Middlewares;

use Psr\Http\Message\ServerRequestInterface;
use React\Http\Message\Response;

class CorsControl
{
    public function __invoke(ServerRequestInterface $request, callable $next)
    {
        // Cabeçalhos CORS liberais para todas as origens
        $corsHeaders = [
            'Access-Control-Allow-Origin'      => '*',
            'Access-Control-Allow-Methods'     => 'GET, POST',
            'Access-Control-Allow-Headers'     => 'Content-Type, Authorization, X-Requested-With, Accept, Origin',
            'Access-Control-Allow-Credentials' => 'true',
            'Access-Control-Max-Age'           => '86400', // 24 horas em segundos
        ];

        // Responde imediatamente a preflight OPTIONS
        if ($request->getMethod() === 'OPTIONS') {
            return new Response(204, $corsHeaders);
        }

        // Executa o próximo middleware / controlador
        $response = $next($request);

        // Injeta os headers CORS na resposta
        foreach ($corsHeaders as $header => $value) {
            $response = $response->withHeader($header, $value);
        }

        return $response;
    }
}