escape proxy for multitenant scenario, rename fcn

2025-12-12 19:42:37 +00:00 · 2025-01-29 10:44:26 +01:00
parent 04f9b47960
commit 68515bda7e
38 changed files with 101 additions and 99 deletions
--- a/apps/login/src/app/(login)/accounts/page.tsx
+++ b/apps/login/src/app/(login)/accounts/page.tsx
@@ -1,7 +1,7 @@
 import { DynamicTheme } from "@/components/dynamic-theme";
 import { SessionsList } from "@/components/sessions-list";
 import { getAllSessionCookieIds } from "@/lib/cookies";
-import { getApiUrlOfHeaders } from "@/lib/service";
+import { getServiceUrlFromHeaders } from "@/lib/service";
 import {
  getBrandingSettings,
  getDefaultOrg,
@@ -39,7 +39,7 @@ export default async function Page(props: {
  const organization = searchParams?.organization;

  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  let defaultOrganization;
  if (!organization) {
--- a/apps/login/src/app/(login)/authenticator/set/page.tsx
+++ b/apps/login/src/app/(login)/authenticator/set/page.tsx
@@ -5,7 +5,7 @@ import { DynamicTheme } from "@/components/dynamic-theme";
 import { SignInWithIdp } from "@/components/sign-in-with-idp";
 import { UserAvatar } from "@/components/user-avatar";
 import { getSessionCookieById } from "@/lib/cookies";
-import { getApiUrlOfHeaders } from "@/lib/service";
+import { getServiceUrlFromHeaders } from "@/lib/service";
 import { loadMostRecentSession } from "@/lib/session";
 import {
  getActiveIdentityProviders,
@@ -30,7 +30,7 @@ export default async function Page(props: {
  const { loginName, authRequestId, organization, sessionId } = searchParams;

  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  const sessionWithData = sessionId
    ? await loadSessionById(serviceUrl, sessionId, organization)
--- a/apps/login/src/app/(login)/idp/[provider]/failure/page.tsx
+++ b/apps/login/src/app/(login)/idp/[provider]/failure/page.tsx
@@ -1,5 +1,5 @@
 import { DynamicTheme } from "@/components/dynamic-theme";
-import { getApiUrlOfHeaders } from "@/lib/service";
+import { getServiceUrlFromHeaders } from "@/lib/service";
 import { getBrandingSettings } from "@/lib/zitadel";
 import { IdentityProviderType } from "@zitadel/proto/zitadel/settings/v2/login_settings_pb";
 import { getLocale, getTranslations } from "next-intl/server";
@@ -25,7 +25,7 @@ export default async function Page(props: {
  const { organization } = searchParams;

  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  const branding = await getBrandingSettings({ serviceUrl, organization });

--- a/apps/login/src/app/(login)/idp/[provider]/success/page.tsx
+++ b/apps/login/src/app/(login)/idp/[provider]/success/page.tsx
@@ -5,7 +5,7 @@ import { linkingSuccess } from "@/components/idps/pages/linking-success";
 import { loginFailed } from "@/components/idps/pages/login-failed";
 import { loginSuccess } from "@/components/idps/pages/login-success";
 import { idpTypeToIdentityProviderType, PROVIDER_MAPPING } from "@/lib/idp";
-import { getApiUrlOfHeaders } from "@/lib/service";
+import { getServiceUrlFromHeaders } from "@/lib/service";
 import {
  addHuman,
  addIDPLink,
@@ -40,7 +40,7 @@ export default async function Page(props: {
  const { provider } = params;

  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  const branding = await getBrandingSettings({ serviceUrl, organization });

--- a/apps/login/src/app/(login)/idp/page.tsx
+++ b/apps/login/src/app/(login)/idp/page.tsx
@@ -1,6 +1,6 @@
 import { DynamicTheme } from "@/components/dynamic-theme";
 import { SignInWithIdp } from "@/components/sign-in-with-idp";
-import { getApiUrlOfHeaders } from "@/lib/service";
+import { getServiceUrlFromHeaders } from "@/lib/service";
 import { getActiveIdentityProviders, getBrandingSettings } from "@/lib/zitadel";
 import { getLocale, getTranslations } from "next-intl/server";
 import { headers } from "next/headers";
@@ -16,7 +16,7 @@ export default async function Page(props: {
  const organization = searchParams?.organization;

  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  const identityProviders = await getActiveIdentityProviders({
    serviceUrl,
--- a/apps/login/src/app/(login)/invite/page.tsx
+++ b/apps/login/src/app/(login)/invite/page.tsx
@@ -1,7 +1,7 @@
 import { Alert, AlertType } from "@/components/alert";
 import { DynamicTheme } from "@/components/dynamic-theme";
 import { InviteForm } from "@/components/invite-form";
-import { getApiUrlOfHeaders } from "@/lib/service";
+import { getServiceUrlFromHeaders } from "@/lib/service";
 import {
  getBrandingSettings,
  getDefaultOrg,
@@ -21,7 +21,7 @@ export default async function Page(props: {
  let { firstname, lastname, email, organization } = searchParams;

  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  if (!organization) {
    const org = await getDefaultOrg({ serviceUrl });
--- a/apps/login/src/app/(login)/invite/success/page.tsx
+++ b/apps/login/src/app/(login)/invite/success/page.tsx
@@ -2,7 +2,7 @@ import { Alert, AlertType } from "@/components/alert";
 import { Button, ButtonVariants } from "@/components/button";
 import { DynamicTheme } from "@/components/dynamic-theme";
 import { UserAvatar } from "@/components/user-avatar";
-import { getApiUrlOfHeaders } from "@/lib/service";
+import { getServiceUrlFromHeaders } from "@/lib/service";
 import { getBrandingSettings, getDefaultOrg, getUserByID } from "@/lib/zitadel";
 import { HumanUser, User } from "@zitadel/proto/zitadel/user/v2/user_pb";
 import { getLocale, getTranslations } from "next-intl/server";
@@ -19,7 +19,7 @@ export default async function Page(props: {
  let { userId, organization } = searchParams;

  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  if (!organization) {
    const org = await getDefaultOrg({ serviceUrl });
--- a/apps/login/src/app/(login)/loginname/page.tsx
+++ b/apps/login/src/app/(login)/loginname/page.tsx
@@ -1,7 +1,7 @@
 import { DynamicTheme } from "@/components/dynamic-theme";
 import { SignInWithIdp } from "@/components/sign-in-with-idp";
 import { UsernameForm } from "@/components/username-form";
-import { getApiUrlOfHeaders } from "@/lib/service";
+import { getServiceUrlFromHeaders } from "@/lib/service";
 import {
  getActiveIdentityProviders,
  getBrandingSettings,
@@ -26,7 +26,7 @@ export default async function Page(props: {
  const submit: boolean = searchParams?.submit === "true";

  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  let defaultOrganization;
  if (!organization) {
--- a/apps/login/src/app/(login)/mfa/page.tsx
+++ b/apps/login/src/app/(login)/mfa/page.tsx
@@ -4,7 +4,7 @@ import { ChooseSecondFactor } from "@/components/choose-second-factor";
 import { DynamicTheme } from "@/components/dynamic-theme";
 import { UserAvatar } from "@/components/user-avatar";
 import { getSessionCookieById } from "@/lib/cookies";
-import { getApiUrlOfHeaders } from "@/lib/service";
+import { getServiceUrlFromHeaders } from "@/lib/service";
 import { loadMostRecentSession } from "@/lib/session";
 import {
  getBrandingSettings,
@@ -25,7 +25,7 @@ export default async function Page(props: {
  const { loginName, authRequestId, organization, sessionId } = searchParams;

  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  const sessionFactors = sessionId
    ? await loadSessionById(serviceUrl, sessionId, organization)
--- a/apps/login/src/app/(login)/mfa/set/page.tsx
+++ b/apps/login/src/app/(login)/mfa/set/page.tsx
@@ -4,7 +4,7 @@ import { ChooseSecondFactorToSetup } from "@/components/choose-second-factor-to-
 import { DynamicTheme } from "@/components/dynamic-theme";
 import { UserAvatar } from "@/components/user-avatar";
 import { getSessionCookieById } from "@/lib/cookies";
-import { getApiUrlOfHeaders } from "@/lib/service";
+import { getServiceUrlFromHeaders } from "@/lib/service";
 import { loadMostRecentSession } from "@/lib/session";
 import {
  getBrandingSettings,
@@ -52,7 +52,7 @@ export default async function Page(props: {
  } = searchParams;

  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  const sessionWithData = sessionId
    ? await loadSessionById(serviceUrl, sessionId, organization)
--- a/apps/login/src/app/(login)/otp/[method]/page.tsx
+++ b/apps/login/src/app/(login)/otp/[method]/page.tsx
@@ -3,7 +3,7 @@ import { DynamicTheme } from "@/components/dynamic-theme";
 import { LoginOTP } from "@/components/login-otp";
 import { UserAvatar } from "@/components/user-avatar";
 import { getSessionCookieById } from "@/lib/cookies";
-import { getApiUrlOfHeaders } from "@/lib/service";
+import { getServiceUrlFromHeaders } from "@/lib/service";
 import { loadMostRecentSession } from "@/lib/session";
 import {
  getBrandingSettings,
@@ -24,7 +24,7 @@ export default async function Page(props: {
  const tError = await getTranslations({ locale, namespace: "error" });

  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);
  const host = _headers.get("host");

  if (!host || typeof host !== "string") {
--- a/apps/login/src/app/(login)/otp/[method]/set/page.tsx
+++ b/apps/login/src/app/(login)/otp/[method]/set/page.tsx
@@ -4,7 +4,7 @@ import { Button, ButtonVariants } from "@/components/button";
 import { DynamicTheme } from "@/components/dynamic-theme";
 import { TotpRegister } from "@/components/totp-register";
 import { UserAvatar } from "@/components/user-avatar";
-import { getApiUrlOfHeaders } from "@/lib/service";
+import { getServiceUrlFromHeaders } from "@/lib/service";
 import { loadMostRecentSession } from "@/lib/session";
 import {
  addOTPEmail,
@@ -34,7 +34,7 @@ export default async function Page(props: {
  const { method } = params;

  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  const branding = await getBrandingSettings({ serviceUrl, organization });
  const loginSettings = await getLoginSettings({ serviceUrl, organization });
--- a/apps/login/src/app/(login)/passkey/page.tsx
+++ b/apps/login/src/app/(login)/passkey/page.tsx
@@ -3,7 +3,7 @@ import { DynamicTheme } from "@/components/dynamic-theme";
 import { LoginPasskey } from "@/components/login-passkey";
 import { UserAvatar } from "@/components/user-avatar";
 import { getSessionCookieById } from "@/lib/cookies";
-import { getApiUrlOfHeaders } from "@/lib/service";
+import { getServiceUrlFromHeaders } from "@/lib/service";
 import { loadMostRecentSession } from "@/lib/session";
 import {
  getBrandingSettings,
@@ -25,7 +25,7 @@ export default async function Page(props: {
    searchParams;

  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  const sessionFactors = sessionId
    ? await loadSessionById(serviceUrl, sessionId, organization)
--- a/apps/login/src/app/(login)/passkey/set/page.tsx
+++ b/apps/login/src/app/(login)/passkey/set/page.tsx
@@ -2,7 +2,7 @@ import { Alert, AlertType } from "@/components/alert";
 import { DynamicTheme } from "@/components/dynamic-theme";
 import { RegisterPasskey } from "@/components/register-passkey";
 import { UserAvatar } from "@/components/user-avatar";
-import { getApiUrlOfHeaders } from "@/lib/service";
+import { getServiceUrlFromHeaders } from "@/lib/service";
 import { loadMostRecentSession } from "@/lib/session";
 import { getBrandingSettings } from "@/lib/zitadel";
 import { getLocale, getTranslations } from "next-intl/server";
@@ -20,7 +20,7 @@ export default async function Page(props: {
    searchParams;

  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  const session = await loadMostRecentSession({
    serviceUrl,
--- a/apps/login/src/app/(login)/password/change/page.tsx
+++ b/apps/login/src/app/(login)/password/change/page.tsx
@@ -2,7 +2,7 @@ import { Alert } from "@/components/alert";
 import { ChangePasswordForm } from "@/components/change-password-form";
 import { DynamicTheme } from "@/components/dynamic-theme";
 import { UserAvatar } from "@/components/user-avatar";
-import { getApiUrlOfHeaders } from "@/lib/service";
+import { getServiceUrlFromHeaders } from "@/lib/service";
 import { loadMostRecentSession } from "@/lib/session";
 import {
  getBrandingSettings,
@@ -16,7 +16,7 @@ export default async function Page(props: {
  searchParams: Promise<Record<string | number | symbol, string | undefined>>;
 }) {
  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  const searchParams = await props.searchParams;
  const locale = getLocale();
--- a/apps/login/src/app/(login)/password/page.tsx
+++ b/apps/login/src/app/(login)/password/page.tsx
@@ -2,7 +2,7 @@ import { Alert } from "@/components/alert";
 import { DynamicTheme } from "@/components/dynamic-theme";
 import { PasswordForm } from "@/components/password-form";
 import { UserAvatar } from "@/components/user-avatar";
-import { getApiUrlOfHeaders } from "@/lib/service";
+import { getServiceUrlFromHeaders } from "@/lib/service";
 import { loadMostRecentSession } from "@/lib/session";
 import {
  getBrandingSettings,
@@ -25,7 +25,7 @@ export default async function Page(props: {
  let { loginName, organization, authRequestId, alt } = searchParams;

  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  let defaultOrganization;
  if (!organization) {
--- a/apps/login/src/app/(login)/password/set/page.tsx
+++ b/apps/login/src/app/(login)/password/set/page.tsx
@@ -2,7 +2,7 @@ import { Alert, AlertType } from "@/components/alert";
 import { DynamicTheme } from "@/components/dynamic-theme";
 import { SetPasswordForm } from "@/components/set-password-form";
 import { UserAvatar } from "@/components/user-avatar";
-import { getApiUrlOfHeaders } from "@/lib/service";
+import { getServiceUrlFromHeaders } from "@/lib/service";
 import { loadMostRecentSession } from "@/lib/session";
 import {
  getBrandingSettings,
@@ -27,7 +27,7 @@ export default async function Page(props: {
    searchParams;

  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  // also allow no session to be found (ignoreUnkownUsername)
  let session: Session | undefined;
--- a/apps/login/src/app/(login)/register/page.tsx
+++ b/apps/login/src/app/(login)/register/page.tsx
@@ -1,6 +1,6 @@
 import { DynamicTheme } from "@/components/dynamic-theme";
 import { RegisterForm } from "@/components/register-form";
-import { getApiUrlOfHeaders } from "@/lib/service";
+import { getServiceUrlFromHeaders } from "@/lib/service";
 import {
  getBrandingSettings,
  getDefaultOrg,
@@ -23,7 +23,7 @@ export default async function Page(props: {
    searchParams;

  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  if (!organization) {
    const org: Organization | null = await getDefaultOrg({ serviceUrl });
--- a/apps/login/src/app/(login)/register/password/page.tsx
+++ b/apps/login/src/app/(login)/register/password/page.tsx
@@ -1,6 +1,6 @@
 import { DynamicTheme } from "@/components/dynamic-theme";
 import { SetRegisterPasswordForm } from "@/components/set-register-password-form";
-import { getApiUrlOfHeaders } from "@/lib/service";
+import { getServiceUrlFromHeaders } from "@/lib/service";
 import {
  getBrandingSettings,
  getDefaultOrg,
@@ -23,7 +23,7 @@ export default async function Page(props: {
    searchParams;

  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  if (!organization) {
    const org: Organization | null = await getDefaultOrg({ serviceUrl });
--- a/apps/login/src/app/(login)/signedin/page.tsx
+++ b/apps/login/src/app/(login)/signedin/page.tsx
@@ -3,7 +3,7 @@ import { DynamicTheme } from "@/components/dynamic-theme";
 import { SelfServiceMenu } from "@/components/self-service-menu";
 import { UserAvatar } from "@/components/user-avatar";
 import { getMostRecentCookieWithLoginname } from "@/lib/cookies";
-import { getApiUrlOfHeaders } from "@/lib/service";
+import { getServiceUrlFromHeaders } from "@/lib/service";
 import {
  createCallback,
  getBrandingSettings,
@@ -61,7 +61,7 @@ export default async function Page(props: { searchParams: Promise<any> }) {
  const t = await getTranslations({ locale, namespace: "signedin" });

  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  const { loginName, authRequestId, organization } = searchParams;
  const sessionFactors = await loadSession(
--- a/apps/login/src/app/(login)/u2f/page.tsx
+++ b/apps/login/src/app/(login)/u2f/page.tsx
@@ -3,7 +3,7 @@ import { DynamicTheme } from "@/components/dynamic-theme";
 import { LoginPasskey } from "@/components/login-passkey";
 import { UserAvatar } from "@/components/user-avatar";
 import { getSessionCookieById } from "@/lib/cookies";
-import { getApiUrlOfHeaders } from "@/lib/service";
+import { getServiceUrlFromHeaders } from "@/lib/service";
 import { loadMostRecentSession } from "@/lib/session";
 import { getBrandingSettings, getSession } from "@/lib/zitadel";
 import { getLocale, getTranslations } from "next-intl/server";
@@ -20,7 +20,7 @@ export default async function Page(props: {
  const { loginName, authRequestId, sessionId, organization } = searchParams;

  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);
  const host = _headers.get("host");

  if (!host || typeof host !== "string") {
--- a/apps/login/src/app/(login)/u2f/set/page.tsx
+++ b/apps/login/src/app/(login)/u2f/set/page.tsx
@@ -2,7 +2,7 @@ import { Alert } from "@/components/alert";
 import { DynamicTheme } from "@/components/dynamic-theme";
 import { RegisterU2f } from "@/components/register-u2f";
 import { UserAvatar } from "@/components/user-avatar";
-import { getApiUrlOfHeaders } from "@/lib/service";
+import { getServiceUrlFromHeaders } from "@/lib/service";
 import { loadMostRecentSession } from "@/lib/session";
 import { getBrandingSettings } from "@/lib/zitadel";
 import { getLocale, getTranslations } from "next-intl/server";
@@ -19,7 +19,7 @@ export default async function Page(props: {
  const { loginName, organization, authRequestId, checkAfter } = searchParams;

  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  const sessionFactors = await loadMostRecentSession({
    serviceUrl,
--- a/apps/login/src/app/(login)/verify/page.tsx
+++ b/apps/login/src/app/(login)/verify/page.tsx
@@ -4,7 +4,7 @@ import { UserAvatar } from "@/components/user-avatar";
 import { VerifyForm } from "@/components/verify-form";
 import { VerifyRedirectButton } from "@/components/verify-redirect-button";
 import { sendEmailCode } from "@/lib/server/verify";
-import { getApiUrlOfHeaders } from "@/lib/service";
+import { getServiceUrlFromHeaders } from "@/lib/service";
 import { loadMostRecentSession } from "@/lib/session";
 import {
  getBrandingSettings,
@@ -26,7 +26,7 @@ export default async function Page(props: { searchParams: Promise<any> }) {
    searchParams;

  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);
  const host = _headers.get("host");

  if (!host || typeof host !== "string") {
--- a/apps/login/src/app/login/route.ts
+++ b/apps/login/src/app/login/route.ts
@@ -1,7 +1,7 @@
 import { getAllSessions } from "@/lib/cookies";
 import { idpTypeToSlug } from "@/lib/idp";
 import { sendLoginname, SendLoginnameCommand } from "@/lib/server/loginname";
-import { getApiUrlOfHeaders } from "@/lib/service";
+import { getServiceUrlFromHeaders } from "@/lib/service";
 import {
  createCallback,
  getActiveIdentityProviders,
@@ -199,7 +199,7 @@ export async function GET(request: NextRequest) {
  const sessionId = searchParams.get("sessionId");

  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  // TODO: find a better way to handle _rsc (react server components) requests and block them to avoid conflicts when creating oidc callback
  const _rsc = searchParams.get("_rsc");
--- a/apps/login/src/lib/self.ts
+++ b/apps/login/src/lib/self.ts
@@ -4,7 +4,7 @@ import { createServerTransport } from "@zitadel/client/node";
 import { createUserServiceClient } from "@zitadel/client/v2";
 import { headers } from "next/headers";
 import { getSessionCookieById } from "./cookies";
-import { getApiUrlOfHeaders } from "./service";
+import { getServiceUrlFromHeaders } from "./service";
 import { getSession } from "./zitadel";

 const transport = async (serviceUrl: string, token: string) => {
@@ -26,7 +26,7 @@ export async function setMyPassword({
  password: string;
 }) {
  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  const sessionCookie = await getSessionCookieById({ sessionId });

--- a/apps/login/src/lib/server/cookie.ts
+++ b/apps/login/src/lib/server/cookie.ts
@@ -15,7 +15,7 @@ import {
 import { Session } from "@zitadel/proto/zitadel/session/v2/session_pb";
 import { Checks } from "@zitadel/proto/zitadel/session/v2/session_service_pb";
 import { headers } from "next/headers";
-import { getApiUrlOfHeaders } from "../service";
+import { getServiceUrlFromHeaders } from "../service";

 type CustomCookieData = {
  id: string;
@@ -35,7 +35,7 @@ export async function createSessionAndUpdateCookie(
  lifetime?: Duration,
 ): Promise<Session> {
  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  const createdSession = await createSessionFromChecks({
    serviceUrl,
@@ -97,7 +97,7 @@ export async function createSessionForIdpAndUpdateCookie(
  lifetime?: Duration,
 ): Promise<Session> {
  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  const createdSession = await createSessionForUserIdAndIdpIntent({
    serviceUrl,
@@ -159,7 +159,7 @@ export async function setSessionAndUpdateCookie(
  lifetime?: Duration,
 ) {
  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  return setSession({
    serviceUrl,
--- a/apps/login/src/lib/server/idp.ts
+++ b/apps/login/src/lib/server/idp.ts
@@ -7,7 +7,7 @@ import {
 } from "@/lib/zitadel";
 import { headers } from "next/headers";
 import { getNextUrl } from "../client";
-import { getApiUrlOfHeaders } from "../service";
+import { getServiceUrlFromHeaders } from "../service";
 import { checkEmailVerification } from "../verify-helper";
 import { createSessionForIdpAndUpdateCookie } from "./cookie";

@@ -19,7 +19,7 @@ export type StartIDPFlowCommand = {

 export async function startIDPFlow(command: StartIDPFlowCommand) {
  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);
  const host = _headers.get("host");

  if (!host) {
@@ -60,7 +60,7 @@ export async function createNewSessionFromIdpIntent(
  command: CreateNewSessionCommand,
 ) {
  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);
  const host = _headers.get("host");

  if (!host) {
--- a/apps/login/src/lib/server/invite.ts
+++ b/apps/login/src/lib/server/invite.ts
@@ -3,7 +3,7 @@
 import { addHumanUser, createInviteCode } from "@/lib/zitadel";
 import { Factors } from "@zitadel/proto/zitadel/session/v2/session_pb";
 import { headers } from "next/headers";
-import { getApiUrlOfHeaders } from "../service";
+import { getServiceUrlFromHeaders } from "../service";

 type InviteUserCommand = {
  email: string;
@@ -22,7 +22,7 @@ export type RegisterUserResponse = {

 export async function inviteUser(command: InviteUserCommand) {
  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);
  const host = _headers.get("host");

  if (!host) {
--- a/apps/login/src/lib/server/loginname.ts
+++ b/apps/login/src/lib/server/loginname.ts
@@ -8,7 +8,7 @@ import { idpTypeToIdentityProviderType, idpTypeToSlug } from "../idp";

 import { PasskeysType } from "@zitadel/proto/zitadel/settings/v2/login_settings_pb";
 import { UserState } from "@zitadel/proto/zitadel/user/v2/user_pb";
-import { getApiUrlOfHeaders } from "../service";
+import { getServiceUrlFromHeaders } from "../service";
 import { checkInvite } from "../verify-helper";
 import {
  getActiveIdentityProviders,
@@ -34,7 +34,7 @@ const ORG_SUFFIX_REGEX = /(?<=@)(.+)/;

 export async function sendLoginname(command: SendLoginnameCommand) {
  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);
  const host = _headers.get("host");

  if (!host) {
@@ -80,7 +80,7 @@ export async function sendLoginname(command: SendLoginnameCommand) {

    if (identityProviders.length === 1) {
      const _headers = await headers();
-      const serviceUrl = getApiUrlOfHeaders(_headers);
+      const serviceUrl = getServiceUrlFromHeaders(_headers);
      const host = _headers.get("host");

      if (!host) {
@@ -129,7 +129,7 @@ export async function sendLoginname(command: SendLoginnameCommand) {

    if (identityProviders.length === 1) {
      const _headers = await headers();
-      const serviceUrl = getApiUrlOfHeaders(_headers);
+      const serviceUrl = getServiceUrlFromHeaders(_headers);
      const host = _headers.get("host");

      if (!host) {
--- a/apps/login/src/lib/server/otp.ts
+++ b/apps/login/src/lib/server/otp.ts
@@ -13,7 +13,7 @@ import {
  getSessionCookieById,
  getSessionCookieByLoginName,
 } from "../cookies";
-import { getApiUrlOfHeaders } from "../service";
+import { getServiceUrlFromHeaders } from "../service";
 import { getLoginSettings } from "../zitadel";

 export type SetOTPCommand = {
@@ -27,7 +27,7 @@ export type SetOTPCommand = {

 export async function setOTP(command: SetOTPCommand) {
  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  const recentSession = command.sessionId
    ? await getSessionCookieById({ sessionId: command.sessionId }).catch(
--- a/apps/login/src/lib/server/passkeys.ts
+++ b/apps/login/src/lib/server/passkeys.ts
@@ -22,7 +22,7 @@ import {
  getSessionCookieById,
  getSessionCookieByLoginName,
 } from "../cookies";
-import { getApiUrlOfHeaders } from "../service";
+import { getServiceUrlFromHeaders } from "../service";
 import { checkEmailVerification } from "../verify-helper";
 import { setSessionAndUpdateCookie } from "./cookie";

@@ -43,7 +43,7 @@ export async function registerPasskeyLink(
  const { sessionId } = command;

  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);
  const host = _headers.get("host");

  if (!host) {
@@ -90,7 +90,7 @@ export async function registerPasskeyLink(

 export async function verifyPasskeyRegistration(command: VerifyPasskeyCommand) {
  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  // if no name is provided, try to generate one from the user agent
  let passkeyName = command.passkeyName;
@@ -153,7 +153,7 @@ export async function sendPasskey(command: SendPasskeyCommand) {
  }

  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  const loginSettings = await getLoginSettings({ serviceUrl, organization });

--- a/apps/login/src/lib/server/password.ts
+++ b/apps/login/src/lib/server/password.ts
@@ -30,7 +30,7 @@ import {
 import { headers } from "next/headers";
 import { getNextUrl } from "../client";
 import { getSessionCookieById, getSessionCookieByLoginName } from "../cookies";
-import { getApiUrlOfHeaders } from "../service";
+import { getServiceUrlFromHeaders } from "../service";
 import {
  checkEmailVerification,
  checkMFAFactors,
@@ -45,7 +45,7 @@ type ResetPasswordCommand = {

 export async function resetPassword(command: ResetPasswordCommand) {
  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);
  const host = _headers.get("host");

  if (!host || typeof host !== "string") {
@@ -85,7 +85,7 @@ export type UpdateSessionCommand = {

 export async function sendPassword(command: UpdateSessionCommand) {
  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  let sessionCookie = await getSessionCookieByLoginName({
    loginName: command.loginName,
@@ -255,7 +255,7 @@ export async function changePassword(command: {
  password: string;
 }) {
  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  // check for init state
  const { user } = await getUserByID({ serviceUrl, userId: command.userId });
@@ -284,7 +284,7 @@ export async function checkSessionAndSetPassword({
  password,
 }: CheckSessionAndSetPasswordCommand) {
  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  const sessionCookie = await getSessionCookieById({ sessionId });

--- a/apps/login/src/lib/server/register.ts
+++ b/apps/login/src/lib/server/register.ts
@@ -10,7 +10,7 @@ import {
 } from "@zitadel/proto/zitadel/session/v2/session_service_pb";
 import { headers } from "next/headers";
 import { getNextUrl } from "../client";
-import { getApiUrlOfHeaders } from "../service";
+import { getServiceUrlFromHeaders } from "../service";
 import { checkEmailVerification } from "../verify-helper";

 type RegisterUserCommand = {
@@ -29,7 +29,7 @@ export type RegisterUserResponse = {
 };
 export async function registerUser(command: RegisterUserCommand) {
  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);
  const host = _headers.get("host");

  if (!host || typeof host !== "string") {
--- a/apps/login/src/lib/server/session.ts
+++ b/apps/login/src/lib/server/session.ts
@@ -18,14 +18,14 @@ import {
  getSessionCookieByLoginName,
  removeSessionFromCookie,
 } from "../cookies";
-import { getApiUrlOfHeaders } from "../service";
+import { getServiceUrlFromHeaders } from "../service";

 export async function continueWithSession({
  authRequestId,
  ...session
 }: Session & { authRequestId?: string }) {
  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  const loginSettings = await getLoginSettings({
    serviceUrl,
@@ -88,7 +88,7 @@ export async function updateSession(options: UpdateSessionCommand) {
  }

  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);
  const host = _headers.get("host");

  if (!host) {
@@ -152,7 +152,7 @@ type ClearSessionOptions = {

 export async function clearSession(options: ClearSessionOptions) {
  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  const { sessionId } = options;

@@ -175,7 +175,7 @@ type CleanupSessionCommand = {

 export async function cleanupSession({ sessionId }: CleanupSessionCommand) {
  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  const sessionCookie = await getSessionCookieById({ sessionId });

--- a/apps/login/src/lib/server/u2f.ts
+++ b/apps/login/src/lib/server/u2f.ts
@@ -6,7 +6,7 @@ import { VerifyU2FRegistrationRequestSchema } from "@zitadel/proto/zitadel/user/
 import { headers } from "next/headers";
 import { userAgent } from "next/server";
 import { getSessionCookieById } from "../cookies";
-import { getApiUrlOfHeaders } from "../service";
+import { getServiceUrlFromHeaders } from "../service";

 type RegisterU2FCommand = {
  sessionId: string;
@@ -21,7 +21,7 @@ type VerifyU2FCommand = {

 export async function addU2F(command: RegisterU2FCommand) {
  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);
  const host = _headers.get("host");

  if (!host || typeof host !== "string") {
@@ -59,7 +59,7 @@ export async function addU2F(command: RegisterU2FCommand) {

 export async function verifyU2F(command: VerifyU2FCommand) {
  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);
  const host = _headers.get("host");

  if (!host || typeof host !== "string") {
--- a/apps/login/src/lib/server/verify.ts
+++ b/apps/login/src/lib/server/verify.ts
@@ -19,7 +19,7 @@ import { User } from "@zitadel/proto/zitadel/user/v2/user_pb";
 import { headers } from "next/headers";
 import { getNextUrl } from "../client";
 import { getSessionCookieByLoginName } from "../cookies";
-import { getApiUrlOfHeaders } from "../service";
+import { getServiceUrlFromHeaders } from "../service";
 import { loadMostRecentSession } from "../session";
 import { checkMFAFactors } from "../verify-helper";
 import { createSessionAndUpdateCookie } from "./cookie";
@@ -30,7 +30,7 @@ export async function verifyTOTP(
  organization?: string,
 ) {
  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  return loadMostRecentSession({
    serviceUrl,
@@ -62,7 +62,7 @@ type VerifyUserByEmailCommand = {

 export async function sendVerification(command: VerifyUserByEmailCommand) {
  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  const verifyResponse = command.isInvite
    ? await verifyInviteCode({
@@ -244,7 +244,7 @@ type resendVerifyEmailCommand = {

 export async function resendVerification(command: resendVerifyEmailCommand) {
  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);
  const host = _headers.get("host");

  if (!host) {
@@ -290,7 +290,7 @@ export async function sendVerificationRedirectWithoutCheck(
  command: SendVerificationRedirectWithoutCheckCommand,
 ) {
  const _headers = await headers();
-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  if (!("loginName" in command || "userId" in command)) {
    return { error: "No userId, nor loginname provided" };
--- a/apps/login/src/lib/service.ts
+++ b/apps/login/src/lib/service.ts
@@ -34,9 +34,10 @@ export async function createServiceForHost<T extends ServiceClass>(
  return createClientFor<T>(service)(transport);
 }

-export function getApiUrlOfHeaders(headers: ReadonlyHeaders): string {
+export function getServiceUrlFromHeaders(headers: ReadonlyHeaders): string {
  let instanceUrl: string = process.env.ZITADEL_API_URL;

+  // use the forwarded host if available (multitenant), otherwise fall back to the host of the deployment itself
  if (headers.get("x-zitadel-forward-host")) {
    instanceUrl = headers.get("x-zitadel-forward-host") as string;
    instanceUrl = instanceUrl.startsWith("https://")
--- a/apps/login/src/middleware.ts
+++ b/apps/login/src/middleware.ts
@@ -1,6 +1,6 @@
 import { headers } from "next/headers";
 import { NextRequest, NextResponse } from "next/server";
-import { getApiUrlOfHeaders } from "./lib/service";
+import { getServiceUrlFromHeaders } from "./lib/service";

 export const config = {
  matcher: [
@@ -13,16 +13,17 @@ export const config = {

 export async function middleware(request: NextRequest) {
  // escape proxy if the environment is setup for multitenancy
-  // if (
-  //   !process.env.ZITADEL_API_URL ||
-  //   !process.env.ZITADEL_USER_ID ||
-  //   !process.env.ZITADEL_USER_TOKEN
-  // ) {
-  //   return NextResponse.next();
-  // }
+  if (
+    !process.env.ZITADEL_API_URL ||
+    !process.env.ZITADEL_USER_ID ||
+    !process.env.ZITADEL_USER_TOKEN
+  ) {
+    return NextResponse.next();
+  }
+
  const _headers = await headers();

-  const serviceUrl = getApiUrlOfHeaders(_headers);
+  const serviceUrl = getServiceUrlFromHeaders(_headers);

  const instanceHost = `${serviceUrl}`.replace("https://", "");