fix: settings should persist return_to after required mfa login flow

[Benehiko]

Related issue(s)

fixes ory/network#222
fixes #2832

This PR fixes the incorrect behavior after completing the required login (MFA) required by the settings flow. Users would incorrectly be redirected to the /welcome page or default UI route after submitting a successful MFA credential instead of being redirected back to the original settings flow.

possible breaking change
Observed through the E2E tests, if the host from which the request to Kratos is proxied and the serve.public.base_url is set to point to the proxy URL, then Kratos will use the current host which is the Kratos URL. MFA required flows such as settings will attempt to redirect back to the Kratos Host instead of the proxy URL which is not automatically on the allow list for browser redirects - especially since our serve.public.base_url now points to the proxy URL instead of Kratos. This will cause the flow to fail and the user to be redirected to the /error page.

To avoid this, allow the proxy to forward the host through the X-Forwarded-Host header. Kratos will then correctly redirect back.

Before Merge:

• Merge fix for UI fix: settings flow redirecting to mfa should continue with settings flow kratos-selfservice-ui-node#256
• Merge fix for React UI feat: ui should respect settings return-to kratos-selfservice-ui-react-nextjs#58
• Merge fix for UI fix: users should return to previous screen on mfa required kratos-selfservice-ui-node#262
• Add more E2E tests
  • navigate to settings immediately after password login with MFA required Identity. We have such a test here https://github.com/ory/kratos/blob/master/test/e2e/cypress/integration/profiles/mfa/totp.spec.ts#L48

Checklist

• I have read the contributing guidelines.
• I have referenced an issue containing the design document if my change
  introduces a new feature.
• I am following the
  contributing code guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security vulnerability, I
  confirm that I got the approval (please contact
  security@ory.sh) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.
• I have added or changed the documentation.

Further Comments

[codecov]

Codecov Report

Merging #3263 (001c01a) into master (f884dfb) will increase coverage by 0.02%.
The diff coverage is 100.00%.

❗ Current head 001c01a differs from pull request most recent head 0d7d373. Consider uploading reports for the commit 0d7d373 to get more accurate results

@@            Coverage Diff             @@
##           master    #3263      +/-   ##
==========================================
+ Coverage   77.82%   77.84%   +0.02%     
==========================================
  Files         325      325              
  Lines       21086    21100      +14     
==========================================
+ Hits        16410    16426      +16     
+ Misses       3446     3444       -2     
  Partials     1230     1230              

Impacted Files	Coverage Δ
identity/handler.go	86.20% <ø> (ø)
selfservice/flow/login/handler.go	79.38% <ø> (ø)
selfservice/strategy/code/strategy_recovery.go	70.56% <ø> (ø)
session/manager.go	100.00% <ø> (ø)
selfservice/flow/login/hook.go	86.71% <100.00%> (+0.09%)	⬆️
selfservice/flow/settings/error.go	77.67% <100.00%> (-0.20%)	⬇️
selfservice/flow/settings/handler.go	69.56% <100.00%> (+1.17%)	⬆️
session/manager_http.go	78.97% <100.00%> (+0.89%)	⬆️

... and 1 file with indirect coverage changes

[aeneasr]

Nice! Just some comments

[aeneasr]

LGTM