Jobhero_back/app/Http/Middleware/Cors.php

<?php
namespace App\Http\Middleware;
use Closure;
class Cors
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        $allowedOrigins = [
            'http://localhost',
            'https://localhost',
            'ionic://localhost',
            'https://jobhero.consultoria-as.com',
            'https://jobhero-api.consultoria-as.com',
            'capacitor://localhost',
            'http://localhost:4200'
        ];

        $origin = $request->server('HTTP_ORIGIN');

        // Allow requests from mobile apps (no origin or capacitor/ionic)
        if (empty($origin) || in_array($origin, $allowedOrigins)) {
            $response = $next($request);
            $allowOrigin = empty($origin) ? '*' : $origin;
            return $response
                ->header('Access-Control-Allow-Origin', $allowOrigin)
                ->header('Access-Control-Allow-Methods', 'GET, POST, PUT, PATCH, DELETE, OPTIONS')
                ->header('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-Requested-With, X-XSRF-TOKEN, ngrok-skip-browser-warning');
        }

        return $next($request);
    }
}