Report when authentication fails

[szabgab]

Currently, as I can see, if the user types in an incorrect username/password pair the default /login page will be shown again without any explanation. IMHO it would be nicer if there was a default error message about the failed authentication.

[szabgab]

And I wonder if the /login page should really return 401 when accessed directly or when the login fails or if should be 200.

[racke]

IMHO you should provide your own login page if you want to show error message to the user.
The default login page is just for testing.

[szabgab]

That's probably right, but I think it would be nice if it was there without extra work. It would certainly make it simpler to show it. (demo it)

[racke]

Actually there is support for $login_fail_message in _default_login_page. So it is probably a regression from the D1 to D2 migration.

[abeverley]

I noticed this when I was doing my updates. I was going to fix it at the time, but thought I should keep it separate from my PR. It's a simple fix:

my $login_fail_message = $dsl->request->vars->{login_failed}

should read

my $login_fail_message = $dsl->request->param('login_failed')

Which also means that this line can be removed:

$app->request->vars->{login_failed}++

I'll do a PR if it's easier, but if you just search the code for login_failed then you should see it.

[racke]

I think this should be saved into the session so it can't be tampered with.

[abeverley]

I don't think it can be tampered with, as it's a forward not a redirect. The login_failed parameter gets added after the browser has sent the request, and therefore can't be modified?