frontend/src/app/core/interceptors/server-origin.interceptor.ts

@@ -5,6 +5,12 @@ import {
   resolveRequestOrigin,
 } from '../../../core/request-origin';
 
+const FORWARDED_REQUEST_HEADERS = [
+  'authorization',
+  'cookie',
+  'accept-language',
+] as const;
+
 function isAbsoluteUrl(url: string): boolean {
   return /^[a-z][a-z\d+\-.]*:/i.test(url) || url.startsWith('//');
 }
@@ -14,6 +20,20 @@ function normalizeRelativePath(url: string): string {
   return withoutDot.startsWith('/') ? withoutDot : `/${withoutDot}`;
 }
 
+function readRequestHeader(
+  request: RequestLike | null,
+  name: (typeof FORWARDED_REQUEST_HEADERS)[number],
+): string | null {
+  const normalizedName = name.toLowerCase();
+  const headerValue =
+    request?.headers?.[normalizedName] ?? request?.get?.(normalizedName);
+  if (Array.isArray(headerValue)) {
+    return headerValue[0] ?? null;
+  }
+
+  return typeof headerValue === 'string' ? headerValue : null;
+}
+
 export const serverOriginInterceptor: HttpInterceptorFn = (req, next) => {
   if (isAbsoluteUrl(req.url)) {
     return next(req);
@@ -26,5 +46,24 @@ export const serverOriginInterceptor: HttpInterceptorFn = (req, next) => {
   }
 
   const absoluteUrl = `${origin}${normalizeRelativePath(req.url)}`;
-  return next(req.clone({ url: absoluteUrl }));
+  const forwardedHeaders = FORWARDED_REQUEST_HEADERS.reduce<
+    Record<string, string>
+  >((headers, name) => {
+    if (req.headers.has(name)) {
+      return headers;
+    }
+
+    const value = readRequestHeader(request, name);
+    if (value) {
+      headers[name] = value;
+    }
+    return headers;
+  }, {});
+
+  return next(
+    req.clone({
+      url: absoluteUrl,
+      setHeaders: forwardedHeaders,
+    }),
+  );
 };