PM-26577: Support multiple schemes for Duo, WebAuthn, and SSO callbacks #6339

Draft
david-livefront wants to merge 1 commit into main from PM-26577-app-links-support

Collaborator

@david-livefront david-livefront commented Jan 8, 2026

🎟️ Tracking

PM-26577

📔 Objective

This PR updates the Duo and WebAuthn logic to send the appropriate deeplink scheme data.

Note: This PR is on hold until the WebConnector logic is updated.

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Protected functional changes with optionality (feature flags)
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

  • 👍 (:+1:) or similar for great changes
  • 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
  • ❓ (:question:) for questions
  • 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
  • 🎨 (:art:) for suggestions / improvements
  • ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
  • 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
  • ⛏ (:pick:) for minor or nitpick changes

@david-livefront david-livefront added the ai-review Request a Claude code review label Jan 8, 2026
@github-actions github-actions bot added app:password-manager Bitwarden Password Manager app context app:authenticator Bitwarden Authenticator app context t:misc Change Type - ¯\_(ツ)_/¯ and removed ai-review Request a Claude code review labels Jan 8, 2026
.getEncoder()
.encodeToString(json.toString().toByteArray(Charsets.UTF_8))
val parentParam = URLEncoder.encode(CALLBACK_URI, "UTF-8")
val parentParam = URLEncoder.encode(callbackUri, "UTF-8")
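
Review bot: The value passed to `URLEncoder.encode` on the last line is no longer a constant, so the `parent` parameter needs a test that pins its encoded form for each callback scheme this PR supports. It would also help to document at the call site where `callbackUri` is derived from, since the encoded value is handed to the connector as-is.
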
Collaborator Author

This parent param is required by the WebAuthn Connector but it does not really use the value.

I have an open question about what I should be sending here.

@david-livefront david-livefront added the ai-review Request a Claude code review label Jan 8, 2026
codecov bot commented Jan 8, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.89%. Comparing base (5bd15a8) to head (bb33db6).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #6339      +/-   ##
==========================================
+ Coverage   85.73%   85.89%   +0.16%     
==========================================
  Files         932      801     -131     
  Lines       59454    57092    -2362     
  Branches     8367     8309      -58     
==========================================
- Hits        50971    49038    -1933     
+ Misses       5574     5171     -403     
+ Partials     2909     2883      -26     
| Flag | Coverage Δ |
| --- | --- |
| app-data | 17.60% <100.00%> (-0.23%) ⬇️ |
| app-ui-auth-tools | 20.82% <30.00%> (-0.34%) ⬇️ |
| app-ui-platform | 15.01% <0.00%> (-0.66%) ⬇️ |
| app-ui-vault | 25.85% <0.00%> (-0.67%) ⬇️ |
| authenticator | 6.61% <0.00%> (-0.01%) ⬇️ |
| lib-core-network-bridge | 4.27% <0.00%> (-0.01%) ⬇️ |
| lib-data-ui | 0.93% <10.00%> (+<0.01%) ⬆️ |

@david-livefront david-livefront force-pushed the PM-26577-app-links-support branch from 795738e to 60679da January 8, 2026 21:53
@github-actions github-actions bot removed the ai-review Request a Claude code review label Jan 8, 2026
@david-livefront david-livefront changed the title PM-26577: Support multiple schemes for Duo and WebAuthn callbacks PM-26577: Support multiple schemes for Duo, WebAuthn, and SSO callbacks Jan 8, 2026
Contributor

github-actions bot commented Jan 8, 2026

Checkmarx One – Scan Summary & Details: 0319e43d-3ecf-4f86-abef-2d9d0b2ab80d

Great job! No new security vulnerabilities introduced in this pull request

@david-livefront david-livefront added the ai-review Request a Claude code review label Jan 8, 2026
@david-livefront david-livefront force-pushed the PM-26577-app-links-support branch from 60679da to fc73da8 January 8, 2026 23:21
@github-actions github-actions bot removed the ai-review Request a Claude code review label Jan 8, 2026
@david-livefront david-livefront force-pushed the PM-26577-app-links-support branch from fc73da8 to 1174c47 January 9, 2026 15:10
@david-livefront david-livefront force-pushed the PM-26577-app-links-support branch from 1174c47 to d702bbf January 26, 2026 18:49
@github-actions github-actions bot removed the t:misc Change Type - ¯\_(ツ)_/¯ label Jan 26, 2026
@david-livefront david-livefront force-pushed the PM-26577-app-links-support branch 3 times, most recently from ffb771d to 375d447 February 6, 2026 16:47
@david-livefront david-livefront added t:feature-tool Change Type - Internal tool feature or enhancement ai-review Request a Claude code review labels Feb 6, 2026
@david-livefront david-livefront force-pushed the PM-26577-app-links-support branch from 375d447 to 3e821aa February 6, 2026 16:50
@github-actions github-actions bot removed the t:feature-tool Change Type - Internal tool feature or enhancement label Feb 6, 2026
Contributor

claude bot commented Feb 6, 2026

Claude finished @david-livefront's task in 4m 20s


Code Review Summary

PR: PM-26577: Support multiple schemes for Duo, WebAuthn, and SSO callbacks

Overview

This PR activates HTTPS app links for Duo, WebAuthn, and SSO authentication callbacks on known environments (US, EU, Internal), replacing the bitwarden:// custom URI scheme with https:// scheme. Self-hosted environments continue to use the custom scheme. This is a security improvement -- HTTPS app links with autoVerify="true" are resistant to scheme hijacking compared to custom URI schemes.

Changes Reviewed

| File | Change |
| --- | --- |
| AndroidManifest.xml | Added bitwarden.pw host for Internal environment app link verification |
| EnvironmentUrlDataJsonExtensions.kt (app) | Switched US/EU/Internal from CustomScheme to HttpsScheme with correct host/path mappings |
| EnvironmentUrlDataJsonExtensions.kt (data) | Returns "https" for US/EU/Internal appLinksScheme |
| AuthRepositoryTest.kt | Updated DEEPLINK_SCHEME from "bitwarden" to "https" |
| EnvironmentUrlDataJsonExtensionsTest.kt (app) | Updated all assertions to use HttpsScheme with correct hosts |
| EnvironmentUrlsDataJsonExtensionsTest.kt (data) | Updated expected scheme to "https" for US/EU/Internal |
| EnterpriseSignOnViewModelTest.kt | Updated SSO AuthTabData expectations |
| TwoFactorLoginViewModelTest.kt | Updated Duo and WebAuthn AuthTabData expectations |

Findings

No new issues found in this PR's changed code.

| Category | Status |
| --- | --- |
| Security | HTTPS app links improve security over custom URI schemes |
| Correctness | Environment-to-host mapping is correct (US=bitwarden.com, EU=bitwarden.eu, Internal=bitwarden.pw) |
| Manifest | Intent filter with autoVerify="true" correctly lists all three hosts and path patterns |
| Backward Compat | Self-hosted environments retain bitwarden:// custom scheme -- no breaking change |
| Test Coverage | All environment types and callback kinds (duo, webauthn, sso) covered; Codecov confirms 100% on modified lines |
| Model correctness | HttpsScheme.callbackUrl computes as "https://$host/$path" (e.g., https://bitwarden.com/duo-callback) |
| TODO cleanup | All // TODO: PM-26577 comments properly removed |

Pre-existing Issue (not in this PR's diff)

⚠️ IntentManagerImpl.kt line 97 on main still contains "\\${authTabData.path}" which produces a backslash-prefixed path (e.g., \duo-callback instead of /duo-callback). This was introduced in PM-31953 and has an existing unresolved thread on this PR.

This matters for this PR because it activates the HttpsScheme code path for US/EU/Internal environments for the first time. On devices that support AuthTab, AuthTabIntent.launch() will receive \duo-callback instead of /duo-callback, which may break authentication redirect verification. The fix is to change "\\" to "/" in IntentManagerImpl.kt:97. This should be addressed before or alongside merging.


Reviewed by Claude Code -- Re-review after rebase onto main (bb33db6). No issues in the PR diff itself.

@david-livefront david-livefront force-pushed the PM-26577-app-links-support branch from 3e821aa to 64c8a7e February 6, 2026 20:46
is AuthTabData.HttpsScheme -> {
AuthTabIntent.Builder()
.build()
.launch(launcher, uri, authTabData.host, "\\${authTabData.path}")
Contributor

CRITICAL: The path parameter uses a backslash (\\) instead of a forward slash (/). In Kotlin, "\\${authTabData.path}" produces \duo-callback (with a literal backslash), but URL paths require forward slashes.

This will cause the AuthTab to register callbacks with malformed paths like \duo-callback instead of /duo-callback, breaking authentication redirect verification for Duo, WebAuthn, and SSO flows when using HTTPS app links on devices that support AuthTab.

Suggested change
.launch(launcher, uri, authTabData.host, "\\${authTabData.path}")
.launch(launcher, uri, authTabData.host, "/${authTabData.path}")

Collaborator Author

@claude This has been addressed

Contributor

@claude claude bot Feb 6, 2026

Claude finished @david-livefront's task in 1m 0s


Verification Status

  • Verify the backslash issue has been fixed in IntentManagerImpl.kt

Thanks for the update! However, I'm still seeing the backslash in the current code at IntentManagerImpl.kt:97:

.launch(launcher, uri, authTabData.host, "\\${authTabData.path}")

The current commit on the PR branch is 64c8a7e and still contains "\\${authTabData.path}".

If you've committed a fix locally, it may not have been pushed yet. The path should use a forward slash:

.launch(launcher, uri, authTabData.host, "/${authTabData.path}")

Let me know if you'd like me to make this fix, or if there's a pending push I should wait for!
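
A regression check for the path defect discussed in this thread, as an added Kotlin example that is not code from the PR or from the Bitwarden code base. `HttpsScheme` here is a hypothetical stand-in that assumes only the `host`, `path` and `"https://$host/$path"` shape quoted above, and `isValidRedirectPath` and the two template functions are illustrative names.

```kotlin
import java.net.URI
import java.net.URISyntaxException

// Hypothetical stand-in for AuthTabData.HttpsScheme. Only the host/path fields and
// the "https://$host/$path" callback shape are taken from the thread.
data class HttpsScheme(val host: String, val path: String) {
    val callbackUrl: String get() = "https://$host/$path"
}

// The two string templates from the suggested change.
fun flaggedRedirectPath(data: HttpsScheme): String = "\\${data.path}" // leading backslash
fun suggestedRedirectPath(data: HttpsScheme): String = "/${data.path}" // leading slash

// Illustrative guard: host plus redirect path must rebuild the advertised callback
// URL exactly. URI(scheme, host, path, fragment) throws when the path does not
// start with '/', so a backslash-prefixed path is rejected before any comparison.
fun isValidRedirectPath(data: HttpsScheme, redirectPath: String): Boolean =
    try {
        URI("https", data.host, redirectPath, null).toString() == data.callbackUrl
    } catch (e: URISyntaxException) {
        false
    }

fun main() {
    // Constructed sample input: the three hosts and the one path named in the review.
    val callbacks = listOf("bitwarden.com", "bitwarden.eu", "bitwarden.pw")
        .map { HttpsScheme(host = it, path = "duo-callback") }

    for (cb in callbacks) {
        check(!isValidRedirectPath(cb, flaggedRedirectPath(cb))) { "backslash path accepted" }
        check(isValidRedirectPath(cb, suggestedRedirectPath(cb))) { "slash path rejected" }
        println("${cb.callbackUrl}: redirect path ${suggestedRedirectPath(cb)} verified")
    }
}
```

A check of this shape in a unit test around the AuthTab launch call would fail on the backslash template regardless of which environment activates the HTTPS code path.
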

@david-livefront david-livefront added the t:feature-tool Change Type - Internal tool feature or enhancement label Feb 6, 2026
@david-livefront david-livefront force-pushed the PM-26577-app-links-support branch from 64c8a7e to 59c70c1 February 10, 2026 21:02
@github-actions github-actions bot removed the t:feature-tool Change Type - Internal tool feature or enhancement label Feb 10, 2026
@david-livefront david-livefront force-pushed the PM-26577-app-links-support branch 2 times, most recently from 9b129e3 to 26c74a3 February 17, 2026 15:58
@david-livefront david-livefront force-pushed the PM-26577-app-links-support branch from 26c74a3 to bb33db6 March 9, 2026 18:21
@david-livefront david-livefront added the t:feature-tool Change Type - Internal tool feature or enhancement label Mar 9, 2026
Labels

ai-review Request a Claude code review app:authenticator Bitwarden Authenticator app context app:password-manager Bitwarden Password Manager app context t:feature-tool Change Type - Internal tool feature or enhancement
