fix: cors (#621)

* fix: dont (re)generate client secret with auth type none

* fix(cors): allow Origin from request

* feat: add origin allow list and fix some core issues

* rename migration

* fix UserIDsByDomain

* check origin on userinfo

* update oidc pkg

internal/api/http/header.go

@@ -13,12 +13,15 @@ const (
 	AcceptLanguage  = "accept-language"
 	CacheControl    = "cache-control"
 	ContentType     = "content-type"
+	ContentLength   = "content-length"
 	Expires         = "expires"
 	Location        = "location"
 	Origin          = "origin"
 	Pragma          = "pragma"
 	UserAgentHeader = "user-agent"
 	ForwardedFor    = "x-forwarded-for"
+	XUserAgent      = "x-user-agent"
+	XGrpcWeb        = "x-grpc-web"
 
 	ContentSecurityPolicy   = "content-security-policy"
 	XXSSProtection          = "x-xss-protection"