[org] Disallow logins with organizational Git Auth (#16874)

Author: AlexTugarev

components/server/src/auth/auth-provider-service.ts

@@ -59,6 +59,7 @@ export class AuthProviderService {
             host: oap.host.toLowerCase(),
             verified: oap.status === "verified",
             builtin: false,
+            disallowLogin: !!oap.organizationId,
             // hiddenOnDashboard: true, // i.e. show only if it's used
             loginContextMatcher: `https://${oap.host}/`,
             oauth: {

components/server/src/auth/authenticator.ts

@@ -110,6 +110,15 @@ export class Authenticator {
             res.redirect(this.getSorryUrl(`Bad request: missing parameters.`));
             return;
         }
+        // Logins with organizational Git Auth is not permitted
+        if (authProvider.info.organizationId) {
+            log.info({ sessionId: req.sessionID }, `Login with "${host}" is not permitted.`, {
+                "authorize-flow": true,
+                ap: authProvider.info,
+            });
+            res.redirect(this.getSorryUrl(`Login with "${host}" is not permitted.`));
+            return;
+        }
         if (this.config.disableDynamicAuthProviderLogin && !authProvider.params.builtin) {
             log.info({ sessionId: req.sessionID }, `Auth Provider is not allowed.`, { ap: authProvider.info });
             res.redirect(this.getSorryUrl(`Login with ${authProvider.params.host} is not allowed.`));