diff --git a/server/auth/providers/email.js b/server/auth/providers/email.js
index 60ed4af1..b4ef0e7e 100644
--- a/server/auth/providers/email.js
+++ b/server/auth/providers/email.js
@@ -53,8 +53,19 @@ router.post("email", errorHandling(), async (ctx) => {
     });
   }
 
-  const user =
-    users.find((user) => team && user.teamId === team.id) || users[0];
+  // If there are multiple users with this email address then give precedence
+  // to the one that is active on this subdomain/domain (if any)
+  let user = users.find((user) => team && user.teamId === team.id);
+
+  // A user was found for the email address, but they don't belong to the team
+  // that this subdomain belongs to, we load their team and allow the logic to
+  // continue
+  if (!user) {
+    user = users[0];
+    team = await Team.scope("withAuthenticationProviders").findByPk(
+      user.teamId
+    );
+  }
 
   if (!team) {
     team = await Team.scope("withAuthenticationProviders").findByPk(
diff --git a/server/auth/providers/email.test.js b/server/auth/providers/email.test.js
index e305c09a..8faa273a 100644
--- a/server/auth/providers/email.test.js
+++ b/server/auth/providers/email.test.js
@@ -42,6 +42,27 @@ describe("email", () => {
     expect(mailer.signin).not.toHaveBeenCalled();
   });
 
+  it("should respond with redirect location when user is SSO enabled on another subdomain", async () => {
+    process.env.URL = "http://localoutline.com";
+    process.env.SUBDOMAINS_ENABLED = "true";
+
+    const user = await buildUser();
+
+    await buildTeam({
+      subdomain: "example",
+    });
+
+    const res = await server.post("/auth/email", {
+      body: { email: user.email },
+      headers: { host: "example.localoutline.com" },
+    });
+    const body = await res.json();
+
+    expect(res.status).toEqual(200);
+    expect(body.redirect).toMatch("slack");
+    expect(mailer.signin).not.toHaveBeenCalled();
+  });
+
   it("should respond with success when user is not SSO enabled", async () => {
     const user = await buildGuestUser();
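Review bot: The fallback at `if (!user)` replaces the request-derived `team` with the team of whichever user happens to be `users[0]`, so an unauthenticated POST to `/auth/email` on any subdomain now reveals that the address is registered on some other team and, given the new test expects `body.redirect` to match `slack`, which SSO provider that team uses — a cross-tenant account-enumeration oracle. The old code only loaded the user's team when no team could be derived from the request; the code after the hunk that acts on `team` is outside the hunk, so exactly what is disclosed in the response cannot be confirmed here. If the intent is to send users to their own team's login, consider making this branch respond identically to the unknown-email case whenever a request-derived `team` exists and rate-limiting the endpoint, or at least record the trade-off: `// NOTE: cross-team fallback reveals that the address exists on another team; the response must not differ from the unknown-email response`. `users[0]` is also an arbitrary pick when the address exists on several teams (no ordering is visible), and the `if (!team)` block that follows now only runs when `findByPk` returned null and just repeats the same query. The enclosing `router.post("email", …)` handler starts before and ends after the hunk.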