# ============================================================================
# LUPMIS2 PWA — Apache config
# ============================================================================

# Apache's default DirectoryIndex order serves index.html before index.php.
# We need the opposite so the SSO-aware index.php gets a chance to run first,
# inject session data into the page, and then return the index.html content.
DirectoryIndex index.php index.html

# Make sure .php files are executed (defensive — usually enabled site-wide,
# but explicit here in case the deployment dropped this association).
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Clean URL for the iframe embed endpoint:  /embed  →  embed.php
    # Must come BEFORE the SPA fallback so /embed doesn't get routed to
    # index.php. Query strings (?mode=permit&...) pass through automatically.
    RewriteRule ^embed/?$ embed.php [L]

    # Common single-page-app behaviour: if a route doesn't map to a real file
    # or directory, send the request to index.php so the PWA can handle it
    # client-side. Comment out this block if hash-based routing is preferred.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^ index.php [L]
</IfModule>

# Iframe-policy override for the embed endpoint. Some Apache deployments set
# `X-Frame-Options: SAMEORIGIN` as a default security header for every
# response — that prevents `permits.lupmis4luspa.org` from framing
# `pwa.lupmis4luspa.org/embed`, even though our Content-Security-Policy
# `frame-ancestors` directive explicitly allows it. Safari prefers
# `X-Frame-Options` when both are present, so we have to remove it.
#
# We unset it ONLY for embed.php (so index.php still inherits the
# site-wide SAMEORIGIN protection against clickjacking). embed.php's own
# `Content-Security-Policy: frame-ancestors` header (set in PHP) is then
# the sole iframe-policy header and permits the configured embedder.
<IfModule mod_headers.c>
    <Files "embed.php">
        Header always unset X-Frame-Options
    </Files>
</IfModule>
