fal-js/apps/demo-nextjs-app-router/middleware.ts

import { NextResponse } from "next/server";

const allowedOrigins = [
  "https://05985828-1e5d-490f-9c5e-d906081efb32.lovableproject.com",
  "https://animator.gg",
  ,
  "https://www.animator.gg",
];

export function middleware(request: Request) {
  const origin = request.headers.get("origin");

  if (origin && allowedOrigins.includes(origin)) {
    const response = NextResponse.next();
    response.headers.set("Access-Control-Allow-Origin", origin);
    response.headers.set(
      "Access-Control-Allow-Methods",
      "GET, POST, PUT, DELETE, OPTIONS",
    );
    response.headers.set(
      "Access-Control-Allow-Headers",
      "Content-Type, Authorization",
    );
    return response;
  }

  // If the origin is not allowed, block the request
  if (origin) {
    return new NextResponse("Forbidden", { status: 403 });
  }

  // Allow requests without an origin (e.g., server-to-server requests)
  return NextResponse.next();
}

export const config = {
  matcher: "/api/:path*", // Apply middleware to all API routes
};