Merge branch 'next' into next-rc

# Conflicts:
#	internal/auth/repository/eventsourcing/eventstore/auth_request_test.go
#	proto/zitadel/resources/action/v3alpha/action_service.proto

internal/api/http/header.go

@@ -8,28 +8,29 @@ import (
 )
 
 const (
-	Authorization   = "authorization"
-	Accept          = "accept"
-	AcceptLanguage  = "accept-language"
-	CacheControl    = "cache-control"
-	ContentType     = "content-type"
-	ContentLength   = "content-length"
-	Expires         = "expires"
-	Location        = "location"
-	Origin          = "origin"
-	Pragma          = "pragma"
-	UserAgentHeader = "user-agent"
-	ForwardedFor    = "x-forwarded-for"
-	ForwardedHost   = "x-forwarded-host"
-	ForwardedProto  = "x-forwarded-proto"
-	Forwarded       = "forwarded"
-	XUserAgent      = "x-user-agent"
-	XGrpcWeb        = "x-grpc-web"
-	XRequestedWith  = "x-requested-with"
-	XRobotsTag      = "x-robots-tag"
-	IfNoneMatch     = "If-None-Match"
-	LastModified    = "Last-Modified"
-	Etag            = "Etag"
+	Authorization    = "authorization"
+	Accept           = "accept"
+	AcceptLanguage   = "accept-language"
+	CacheControl     = "cache-control"
+	ContentType      = "content-type"
+	ContentLength    = "content-length"
+	Expires          = "expires"
+	Location         = "location"
+	Origin           = "origin"
+	Pragma           = "pragma"
+	UserAgentHeader  = "user-agent"
+	ForwardedFor     = "x-forwarded-for"
+	ForwardedHost    = "x-forwarded-host"
+	ForwardedProto   = "x-forwarded-proto"
+	Forwarded        = "forwarded"
+	ZitadelForwarded = "x-zitadel-forwarded"
+	XUserAgent       = "x-user-agent"
+	XGrpcWeb         = "x-grpc-web"
+	XRequestedWith   = "x-requested-with"
+	XRobotsTag       = "x-robots-tag"
+	IfNoneMatch      = "If-None-Match"
+	LastModified     = "Last-Modified"
+	Etag             = "Etag"
 
 	ContentSecurityPolicy   = "content-security-policy"
 	XXSSProtection          = "x-xss-protection"

internal/api/http/middleware/origin_interceptor.go

@@ -17,7 +17,7 @@ func WithOrigin(fallBackToHttps bool, http1Header, http2Header string, instanceH
 				r,
 				fallBackToHttps,
 				// to make sure we don't break existing configurations we append the existing checked headers as well
-				slices.Compact(append(instanceHostHeaders, http1Header, http2Header, http_util.Forwarded, http_util.ForwardedFor, http_util.ForwardedHost, http_util.ForwardedProto)),
+				slices.Compact(append(instanceHostHeaders, http1Header, http2Header, http_util.Forwarded, http_util.ZitadelForwarded, http_util.ForwardedFor, http_util.ForwardedHost, http_util.ForwardedProto)),
 				publicDomainHeaders,
 			)
 			next.ServeHTTP(w, r.WithContext(http_util.WithDomainContext(r.Context(), origin)))
@@ -52,7 +52,8 @@ func hostFromRequest(r *http.Request, headers []string) (host, proto string) {
 	for _, header := range headers {
 		switch http.CanonicalHeaderKey(header) {
 		case http.CanonicalHeaderKey(http_util.Forwarded),
-			http.CanonicalHeaderKey(http_util.ForwardedFor):
+			http.CanonicalHeaderKey(http_util.ForwardedFor),
+			http.CanonicalHeaderKey(http_util.ZitadelForwarded):
 			hostFromHeader, protoFromHeader = hostFromForwarded(r.Header.Values(header))
 		case http.CanonicalHeaderKey(http_util.ForwardedHost):
 			hostFromHeader = r.Header.Get(header)

internal/auth/repository/eventsourcing/eventstore/auth_request_test.go

@@ -2604,6 +2604,7 @@ func TestAuthRequestRepo_VerifyPassword_IgnoreUnknownUsernames(t *testing.T) {
 		a.SetPolicyOrgID("instance1")
 		return a
 	}
+
 	type fields struct {
 		AuthRequests      func(*testing.T, string) cache.AuthRequestCache
 		UserViewProvider  userViewProvider

internal/integration/assert.go

@@ -109,6 +109,7 @@ func AssertResourceListDetails[D ResourceListDetailsMsg](t testing.TB, expected,
 		assert.Nil(t, gotDetails)
 		return
 	}
+
 	assert.Equal(t, wantDetails.GetTotalResult(), gotDetails.GetTotalResult())
 	assert.Equal(t, wantDetails.GetAppliedLimit(), gotDetails.GetAppliedLimit())
 

proto/zitadel/resources/action/v3alpha/action_service.proto

@@ -8,6 +8,7 @@ import "google/protobuf/duration.proto";
 import "google/protobuf/struct.proto";
 import "protoc-gen-openapiv2/options/annotations.proto";
 import "validate/validate.proto";
+
 import "zitadel/protoc_gen_zitadel/v2/options.proto";
 
 import "zitadel/resources/action/v3alpha/target.proto";