fix: cors (#621)

* fix: dont (re)generate client secret with auth type none

* fix(cors): allow Origin from request

* feat: add origin allow list and fix some core issues

* rename migration

* fix UserIDsByDomain

* check origin on userinfo

* update oidc pkg

internal/api/http/header.go

@@ -13,12 +13,15 @@ const (
 	AcceptLanguage  = "accept-language"
 	CacheControl    = "cache-control"
 	ContentType     = "content-type"
+	ContentLength   = "content-length"
 	Expires         = "expires"
 	Location        = "location"
 	Origin          = "origin"
 	Pragma          = "pragma"
 	UserAgentHeader = "user-agent"
 	ForwardedFor    = "x-forwarded-for"
+	XUserAgent      = "x-user-agent"
+	XGrpcWeb        = "x-grpc-web"
 
 	ContentSecurityPolicy   = "content-security-policy"
 	XXSSProtection          = "x-xss-protection"

internal/api/http/middleware/cors_interceptor.go

@@ -18,6 +18,8 @@ var (
 			http_utils.AcceptLanguage,
 			http_utils.Authorization,
 			http_utils.ZitadelOrgID,
+			http_utils.XUserAgent,
+			http_utils.XGrpcWeb,
 		},
 		AllowedMethods: []string{
 			http.MethodOptions,
@@ -30,9 +32,10 @@ var (
 		},
 		ExposedHeaders: []string{
 			http_utils.Location,
+			http_utils.ContentLength,
 		},
-		AllowedOrigins: []string{
-			"http://localhost:*",
+		AllowOriginFunc: func(_ string) bool {
+			return true
 		},
 	}
 )

internal/api/http/origin.go

@@ -0,0 +1,23 @@
+package http
+
+import (
+	"fmt"
+	"net/url"
+)
+
+func GetOriginFromURLString(s string) (string, error) {
+	parsed, err := url.Parse(s)
+	if err != nil {
+		return "", err
+	}
+	return fmt.Sprintf("%s://%s", parsed.Scheme, parsed.Host), nil
+}
+
+func IsOriginAllowed(allowList []string, origin string) bool {
+	for _, allowed := range allowList {
+		if allowed == origin {
+			return true
+		}
+	}
+	return false
+}