fix: cors (#621)

* fix: dont (re)generate client secret with auth type none

* fix(cors): allow Origin from request

* feat: add origin allow list and fix some core issues

* rename migration

* fix UserIDsByDomain

* check origin on userinfo

* update oidc pkg

internal/api/grpc/header.go

@@ -4,6 +4,7 @@ import (
 	"context"
 
 	"github.com/grpc-ecosystem/go-grpc-middleware/util/metautils"
+	"github.com/grpc-ecosystem/grpc-gateway/runtime"
 
 	"github.com/caos/zitadel/internal/api/http"
 )
@@ -12,6 +13,10 @@ func GetHeader(ctx context.Context, headername string) string {
 	return metautils.ExtractIncoming(ctx).Get(headername)
 }
 
+func GetGatewayHeader(ctx context.Context, headername string) string {
+	return GetHeader(ctx, runtime.MetadataPrefix+headername)
+}
+
 func GetAuthorizationHeader(ctx context.Context) string {
 	return GetHeader(ctx, http.Authorization)
 }

internal/api/grpc/server/gateway.go

@@ -131,7 +131,7 @@ func addInterceptors(handler http.Handler, g Gateway) http.Handler {
 	if interceptor, ok := g.(grpcGatewayCustomInterceptor); ok {
 		handler = interceptor.GatewayHTTPInterceptor(handler)
 	}
-	return http_mw.CORSInterceptorOpts(http_mw.DefaultCORSOptions, handler)
+	return http_mw.CORSInterceptor(handler)
 }
 
 func gatewayPort(port string) string {

internal/api/grpc/server/middleware/auth_interceptor_test.go

@@ -27,8 +27,8 @@ func (v *verifierMock) VerifyAccessToken(ctx context.Context, token, clientID st
 func (v *verifierMock) ResolveGrants(ctx context.Context) (*authz.Grant, error) {
 	return nil, nil
 }
-func (v *verifierMock) ProjectIDByClientID(ctx context.Context, clientID string) (string, error) {
-	return "", nil
+func (v *verifierMock) ProjectIDAndOriginsByClientID(ctx context.Context, clientID string) (string, []string, error) {
+	return "", nil, nil
 }
 func (v *verifierMock) ExistsOrg(ctx context.Context, orgID string) error {
 	return nil