fix: respect x-zitadel-forwarded header again (#8473)

# Which Problems Are Solved

#8369 added the possibility to handle trusted domains for public hosts
as response. Additionally, the OIDC issuer is extracted from the
`DomainContext` and not from headers anymore.
This accidentally dropped support for the `x-zitadel-forwarded`.

# How the Problems Are Solved

Added `x-zitadel-forwarded` in the list of additionally handled headers.

# Additional Changes

None

# Additional Context

- relates to #8369
- reported in Discord:
https://discord.com/channels/927474939156643850/1275484169626980403

internal/api/http/header.go

@@ -8,28 +8,29 @@ import (
 )
 
 const (
-	Authorization   = "authorization"
+	Authorization    = "authorization"
-	Accept          = "accept"
+	Accept           = "accept"
-	AcceptLanguage  = "accept-language"
+	AcceptLanguage   = "accept-language"
-	CacheControl    = "cache-control"
+	CacheControl     = "cache-control"
-	ContentType     = "content-type"
+	ContentType      = "content-type"
-	ContentLength   = "content-length"
+	ContentLength    = "content-length"
-	Expires         = "expires"
+	Expires          = "expires"
-	Location        = "location"
+	Location         = "location"
-	Origin          = "origin"
+	Origin           = "origin"
-	Pragma          = "pragma"
+	Pragma           = "pragma"
-	UserAgentHeader = "user-agent"
+	UserAgentHeader  = "user-agent"
-	ForwardedFor    = "x-forwarded-for"
+	ForwardedFor     = "x-forwarded-for"
-	ForwardedHost   = "x-forwarded-host"
+	ForwardedHost    = "x-forwarded-host"
-	ForwardedProto  = "x-forwarded-proto"
+	ForwardedProto   = "x-forwarded-proto"
-	Forwarded       = "forwarded"
+	Forwarded        = "forwarded"
-	XUserAgent      = "x-user-agent"
+	ZitadelForwarded = "x-zitadel-forwarded"
-	XGrpcWeb        = "x-grpc-web"
+	XUserAgent       = "x-user-agent"
-	XRequestedWith  = "x-requested-with"
+	XGrpcWeb         = "x-grpc-web"
-	XRobotsTag      = "x-robots-tag"
+	XRequestedWith   = "x-requested-with"
-	IfNoneMatch     = "If-None-Match"
+	XRobotsTag       = "x-robots-tag"
-	LastModified    = "Last-Modified"
+	IfNoneMatch      = "If-None-Match"
-	Etag            = "Etag"
+	LastModified     = "Last-Modified"
+	Etag             = "Etag"
 
 	ContentSecurityPolicy   = "content-security-policy"
 	XXSSProtection          = "x-xss-protection"

internal/api/http/middleware/origin_interceptor.go

@@ -17,7 +17,7 @@ func WithOrigin(fallBackToHttps bool, http1Header, http2Header string, instanceH
 				r,
 				fallBackToHttps,
 				// to make sure we don't break existing configurations we append the existing checked headers as well
-				slices.Compact(append(instanceHostHeaders, http1Header, http2Header, http_util.Forwarded, http_util.ForwardedFor, http_util.ForwardedHost, http_util.ForwardedProto)),
+				slices.Compact(append(instanceHostHeaders, http1Header, http2Header, http_util.Forwarded, http_util.ZitadelForwarded, http_util.ForwardedFor, http_util.ForwardedHost, http_util.ForwardedProto)),
 				publicDomainHeaders,
 			)
 			next.ServeHTTP(w, r.WithContext(http_util.WithDomainContext(r.Context(), origin)))
@@ -52,7 +52,8 @@ func hostFromRequest(r *http.Request, headers []string) (host, proto string) {
 	for _, header := range headers {
 		switch http.CanonicalHeaderKey(header) {
 		case http.CanonicalHeaderKey(http_util.Forwarded),
-			http.CanonicalHeaderKey(http_util.ForwardedFor):
+			http.CanonicalHeaderKey(http_util.ForwardedFor),
+			http.CanonicalHeaderKey(http_util.ZitadelForwarded):
 			hostFromHeader, protoFromHeader = hostFromForwarded(r.Header.Values(header))
 		case http.CanonicalHeaderKey(http_util.ForwardedHost):
 			hostFromHeader = r.Header.Get(header)