fix: E-mail signin on incorrect subdomain should allow the process to continue instead of error

closes #2276

server/auth/providers/email.js

@@ -53,8 +53,19 @@ router.post("email", errorHandling(), async (ctx) => {
       });
     }
 
-    const user =
-      users.find((user) => team && user.teamId === team.id) || users[0];
+    // If there are multiple users with this email address then give precedence
+    // to the one that is active on this subdomain/domain (if any)
+    let user = users.find((user) => team && user.teamId === team.id);
+
+    // A user was found for the email address, but they don't belong to the team
+    // that this subdomain belongs to, we load their team and allow the logic to
+    // continue
+    if (!user) {
+      user = users[0];
+      team = await Team.scope("withAuthenticationProviders").findByPk(
+        user.teamId
+      );
+    }
 
     if (!team) {
       team = await Team.scope("withAuthenticationProviders").findByPk(

server/auth/providers/email.test.js

@@ -42,6 +42,27 @@ describe("email", () => {
     expect(mailer.signin).not.toHaveBeenCalled();
   });
 
+  it("should respond with redirect location when user is SSO enabled on another subdomain", async () => {
+    process.env.URL = "http://localoutline.com";
+    process.env.SUBDOMAINS_ENABLED = "true";
+
+    const user = await buildUser();
+
+    await buildTeam({
+      subdomain: "example",
+    });
+
+    const res = await server.post("/auth/email", {
+      body: { email: user.email },
+      headers: { host: "example.localoutline.com" },
+    });
+    const body = await res.json();
+
+    expect(res.status).toEqual(200);
+    expect(body.redirect).toMatch("slack");
+    expect(mailer.signin).not.toHaveBeenCalled();
+  });
+
   it("should respond with success when user is not SSO enabled", async () => {
     const user = await buildGuestUser();