fix: cors (#621)

* fix: dont (re)generate client secret with auth type none

* fix(cors): allow Origin from request

* feat: add origin allow list and fix some core issues

* rename migration

* fix UserIDsByDomain

* check origin on userinfo

* update oidc pkg

internal/api/http/middleware/cors_interceptor.go

@@ -18,6 +18,8 @@ var (
 			http_utils.AcceptLanguage,
 			http_utils.Authorization,
 			http_utils.ZitadelOrgID,
+			http_utils.XUserAgent,
+			http_utils.XGrpcWeb,
 		},
 		AllowedMethods: []string{
 			http.MethodOptions,
@@ -30,9 +32,10 @@ var (
 		},
 		ExposedHeaders: []string{
 			http_utils.Location,
+			http_utils.ContentLength,
 		},
-		AllowedOrigins: []string{
-			"http://localhost:*",
+		AllowOriginFunc: func(_ string) bool {
+			return true
 		},
 	}
 )