Websites/Profice WebSite/scripts/add/flowise-proxy.php

<?php
/**
 * Flowise Chat Proxy — credentials hidden server-side
 * Called via .htaccess rewrite: /api/v1/prediction/* → this file
 */

// SENSITIVE — never expose these in client-side JS
$FLOWISE_HOST     = 'https://flowise.profice.de';
$FLOWISE_CHATFLOW = 'd63d3d02-b5fa-482c-9161-c21c615fb625';

// CORS — restrict to your domain in production
$allowedOrigins = [
    'https://profice.de',
    'https://www.profice.de',
    'http://localhost',
    'http://127.0.0.1',
    'https://staging.profice.de'
];

$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
header('Content-Type: application/json');
if (in_array($origin, $allowedOrigins)) {
    header("Access-Control-Allow-Origin: $origin");
} else {
    header('Access-Control-Allow-Origin: https://profice.de');
}
header('Access-Control-Allow-Methods: POST, OPTIONS');
header('Access-Control-Allow-Headers: Content-Type, Authorization');

if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    http_response_code(200);
    exit();
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    echo json_encode(['error' => 'Method not allowed']);
    exit();
}

$input = file_get_contents('php://input');
$target = "$FLOWISE_HOST/api/v1/prediction/$FLOWISE_CHATFLOW";

$ch = curl_init($target);
curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => $input,
    CURLOPT_HTTPHEADER     => ['Content-Type: application/json', 'Accept: application/json'],
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_TIMEOUT        => 60,
    CURLOPT_CONNECTTIMEOUT => 10,
    CURLOPT_SSL_VERIFYPEER => true,
]);

$response = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$error    = curl_error($ch);
curl_close($ch);

if ($error) {
    http_response_code(502);
    echo json_encode(['error' => 'Proxy error', 'detail' => $error]);
    exit();
}

http_response_code($httpCode);
echo $response;
?>