Switch: Always follow PREFERRED_URL_SCHEME instead of the request scheme

When getting an _external=True URL, we shouldn't use the scheme of the
current request at all (this depends on HaProxy forwarding the correct
headers, which might fail when misconfigured) and just always use the
preferred URL scheme. This fixes it at least for the user switching,
because Blender ID will refuse to redirect back to a http:// URL.

pillar/web/users/routes.py

@@ -5,6 +5,7 @@ from flask import abort, Blueprint, redirect, render_template, request, session,
 from flask_login import login_required
 from werkzeug import exceptions as wz_exceptions
 
+from pillar import current_app
 import pillar.api.blender_cloud.subscription
 import pillar.auth
 from pillar.api.blender_cloud.subscription import update_subscription
@@ -16,6 +17,7 @@ from pillar.auth.oauth import OAuthSignIn, ProviderConfigurationMissing, Provide
 from pillar.web import system_util
 from pillarsdk import exceptions as sdk_exceptions
 from pillarsdk.users import User
+
 from . import forms
 
 log = logging.getLogger(__name__)
@@ -121,9 +123,11 @@ def switch():
 
     # Without this URL, the user will remain on the Blender ID site. We want them to come
     # back to the Cloud after switching users.
+    scheme = current_app.config.get('PREFERRED_URL_SCHEME', 'https')
     next_url_after_bid_login = url_for('users.login',
                                        next=next_url_after_cloud_login,
                                        force='yes',
+                                       _scheme=scheme,
                                        _external=True)
 
     return redirect(blender_id.switch_user_url(next_url=next_url_after_bid_login))