feat: scope login attempts to specific subdomains if available - do not switch subdomains (#3741)

* make the user lookup in user creator sensitive to team
* add team specific logic to oidc strat
* factor out slugifyDomain
* change type of req during auth to Koa.Context

server/errors.ts

@@ -1,9 +1,8 @@
 import httpErrors from "http-errors";
-import env from "./env";
 
 export function AuthenticationError(
-  message = "Invalid authentication",
-  redirectUrl = env.URL
+  message = "Authentication required",
+  redirectUrl = "/"
 ) {
   return httpErrors(401, message, {
     redirectUrl,
@@ -11,6 +10,16 @@ export function AuthenticationError(
   });
 }
 
+export function InvalidAuthenticationError(
+  message = "Invalid authentication",
+  redirectUrl = "/"
+) {
+  return httpErrors(401, message, {
+    redirectUrl,
+    id: "invalid_authentication",
+  });
+}
+
 export function AuthorizationError(
   message = "You do not have permission to access this resource"
 ) {
@@ -112,7 +121,7 @@ export function MaximumTeamsError(
 
 export function EmailAuthenticationRequiredError(
   message = "User must authenticate with email",
-  redirectUrl = env.URL
+  redirectUrl = "/"
 ) {
   return httpErrors(400, message, {
     redirectUrl,
@@ -164,7 +173,7 @@ export function OIDCMalformedUserInfoError(
 
 export function AuthenticationProviderDisabledError(
   message = "Authentication method has been disabled by an admin",
-  redirectUrl = env.URL
+  redirectUrl = "/"
 ) {
   return httpErrors(400, message, {
     redirectUrl,