From 44b7f749c5b31e4b7c8d54f04a3274f85d7b1385 Mon Sep 17 00:00:00 2001
From: Solomon
Date: Mon, 24 Nov 2025 14:04:46 +0000
Subject: [PATCH] Allow auth redirect to non-localhost (#1346)

Allow non-localhost clients to complete OAuth.
---
 crates/remote/src/auth/handoff.rs | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/crates/remote/src/auth/handoff.rs b/crates/remote/src/auth/handoff.rs
index dcfbcca9..c5f5000a 100644
--- a/crates/remote/src/auth/handoff.rs
+++ b/crates/remote/src/auth/handoff.rs
@@ -464,12 +464,19 @@ fn is_allowed_return_to(url: &Url, public_origin: &str) -> bool {
 return true;
 }
 
- url.scheme() == "https"
+ if url.scheme() == "https"
 && Url::parse(public_origin).ok().is_some_and(|public_url| {
 public_url.scheme() == "https"
 && public_url.host_str().is_some()
 && url.host_str() == public_url.host_str()
 })
+ {
+ return true;
+ }
+
+ // Log and allow web-hosted clients. Rely on PKCE for security.
+ tracing::info!(%url, "allowing external redirect URL");
+ true
 }
 
 fn hash_sha256_hex(input: &str) -> String {
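Review bot: After this change `is_allowed_return_to` returns `true` on every path visible in the hunk — the early return at the top, the https/public-origin branch, and the new fallthrough — so the scheme and host comparison kept from the old code is now dead and the function no longer rejects any return URL, including `http:` or custom-scheme ones. PKCE protects the code exchange, not the redirect itself, so the fallthrough should at least keep a scheme check: replace the final `true` with `url.scheme() == "https"` and reword the comment to `// Allow any https web-hosted client; PKCE protects the code exchange.`. The `tracing::info!(%url, ...)` line prints the full URL including query and fragment; logging `url.host_str()` instead keeps caller-supplied parameters out of the logs. The function's signature and the condition of the first early return lie outside the hunk, so the first branch's behaviour is inferred from the hunk header.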