From c289f972b114c97c93c74f2ed1259a6f2e5543c8 Mon Sep 17 00:00:00 2001
From: Patrick Pimentel
Date: Mon, 2 Feb 2026 16:55:54 -0500
Subject: [PATCH] fix(redirect): [PM-30810] Https Redirection for Cloud Users - Removed local check so the mobile client can govern the scheme used.

---
 .../DuoUniversalTokenService.cs | 25 ++-----------------
 1 file changed, 2 insertions(+), 23 deletions(-)

diff --git a/src/Core/Auth/Identity/TokenProviders/DuoUniversalTokenService.cs b/src/Core/Auth/Identity/TokenProviders/DuoUniversalTokenService.cs
index 2604efbcf2..08e13df853 100644
--- a/src/Core/Auth/Identity/TokenProviders/DuoUniversalTokenService.cs
+++ b/src/Core/Auth/Identity/TokenProviders/DuoUniversalTokenService.cs
@@ -174,20 +174,6 @@ public class DuoUniversalTokenService(
 normalizedHost.EndsWith("bitwarden.pw");
 }
 
- private static bool IsLocalRequestHost(string host)
- {
- if (string.IsNullOrWhiteSpace(host))
- {
- return false;
- }
-
- var normalizedHost = host.ToLowerInvariant();
- return normalizedHost == "localhost" ||
- normalizedHost == "127.0.0.1" ||
- normalizedHost == "::1" ||
- normalizedHost.EndsWith(".localhost");
- }
-
 private static DuoDeeplinkScheme? GetDeeplinkSchemeOverride(HttpContext httpContext)
 {
 if (httpContext == null)
@@ -195,16 +181,9 @@ public class DuoUniversalTokenService( return null; } - var host = httpContext.Request?.Host.Host; - // Only allow overrides when developing/testing locally to avoid abuse in production - if (!IsLocalRequestHost(host)) - { - return null; - } - // Querystring has precedence over header for manual local testing - var overrideFromQuery = httpContext.Request?.Query["deeplinkScheme"].FirstOrDefault(); - var overrideFromHeader = httpContext.Request?.Headers["Bitwarden-Deeplink-Scheme"].FirstOrDefault(); + var overrideFromQuery = httpContext.Request.Query["deeplinkScheme"].FirstOrDefault(); + var overrideFromHeader = httpContext.Request.Headers["Bitwarden-Deeplink-Scheme"].FirstOrDefault(); var candidate = (overrideFromQuery ?? overrideFromHeader)?.Trim(); // Allow only the two supported values
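Review bot: With the `IsLocalRequestHost` guard gone, the `deeplinkScheme` query value still takes precedence over the `Bitwarden-Deeplink-Scheme` header in `(overrideFromQuery ?? overrideFromHeader)`, so in production the scheme is chosen by whoever builds the request URL, not only by the mobile client. If the client is meant to govern it, honour the header alone, `var candidate = overrideFromHeader?.Trim();`, or keep the query path behind a development-only switch. The only remaining bound is the allow-list under `// Allow only the two supported values`, which lies outside this hunk; it should be confirmed that it rejects every other value and falls back to the server default. The comment about "manual local testing", if it is still present on the new side, no longer describes the behaviour and should state the new trust decision. GetDeeplinkSchemeOverride begins and ends outside this hunk.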