fix: improve interceptor handling (#3578)

* fix: improve interceptor handling

* fix: improve interceptor handling

Co-authored-by: Florian Forster <florian@caos.ch>

internal/api/http/middleware/instance_interceptor.go

@@ -4,25 +4,34 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"strings"
 
 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 )
 
 type instanceInterceptor struct {
-	verifier   authz.InstanceVerifier
-	headerName string
+	verifier        authz.InstanceVerifier
+	headerName      string
+	ignoredPrefixes []string
 }
 
-func InstanceInterceptor(verifier authz.InstanceVerifier, headerName string) *instanceInterceptor {
+func InstanceInterceptor(verifier authz.InstanceVerifier, headerName string, ignoredPrefixes ...string) *instanceInterceptor {
 	return &instanceInterceptor{
-		verifier:   verifier,
-		headerName: headerName,
+		verifier:        verifier,
+		headerName:      headerName,
+		ignoredPrefixes: ignoredPrefixes,
 	}
 }
 
 func (a *instanceInterceptor) Handler(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		for _, prefix := range a.ignoredPrefixes {
+			if strings.HasPrefix(r.URL.Path, prefix) {
+				next.ServeHTTP(w, r)
+				return
+			}
+		}
 		ctx, err := setInstance(r, a.verifier, a.headerName)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusUnauthorized)
@@ -35,6 +44,12 @@ func (a *instanceInterceptor) Handler(next http.Handler) http.Handler {
 
 func (a *instanceInterceptor) HandlerFunc(next http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
+		for _, prefix := range a.ignoredPrefixes {
+			if strings.HasPrefix(r.URL.Path, prefix) {
+				next.ServeHTTP(w, r)
+				return
+			}
+		}
 		ctx, err := setInstance(r, a.verifier, a.headerName)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusForbidden)