What’s the appropriate HTTP status code to return if a user tries logging in with an incorrect username / password, but correct format?

by

If you are strictly using the HTTP authentication framework provided by RFC 7235 for your REST API, the correct HTTP code would actually be 401. From the RFC:

The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. The server generating a 401 response MUST send a WWW-Authenticate header field (Section 4.1) containing at least one challenge applicable to the target resource.

If the request included authentication credentials, then the 401 response indicates that authorization has been refused for those credentials. The user agent MAY repeat the request with a new or replaced Authorization header field (Section 4.2).

Your REST API should employ an authentication scheme of some sort in order to return a valid 401 response to your client.

Another pertinent section from RFC 7235, page 4:

Upon receipt of a request for a protected resource that omits
credentials, contains invalid credentials (e.g., a bad password) or
partial credentials (e.g., when the authentication scheme requires
more than one round trip), an origin server SHOULD send a 401
(Unauthorized) response that contains a WWW-Authenticate header field
with at least one (possibly new) challenge applicable to the
requested resource.

A higher-level response, such as a rendered login page for a visual user (redirected from a protected resource via 302), would be better served with the 200 status code (per @KernelDeimos’ answer, for example). Since login pages are typically their own resource (e.g. /login?redirect=original-resource), the unauthenticated user is still authorized to see this page, even if they provide an incorrect username/password. Then, you redirect the authenticated user back to the resource, at which point would show 200 if allowed, or 403 if the user is forbidden to view the resource.

The area where 401 could come into play with a visual login page is a front-end library that leverages the REST API using XHR requests, then relay the 401 response from the REST API back into a meaningful format on the login page.

More Related Contents:

  1. What’s an appropriate HTTP status code to return by a REST API service for a validation failure?
  2. Token Authentication for RESTful API: should the token be periodically changed?
  3. RESTful Authentication
  4. What is the best Java email address validation method? [closed]
  5. How to let validation depend on the pressed button?
  6. 400 vs 422 response to POST of data
  7. How to perform validation in JSF, how to create a custom validator in JSF
  8. JAX-RS — How to return JSON and HTTP status code together?
  9. Force JSF to process, validate and update readonly/disabled input components anyway
  10. HTTP response code for POST when resource already exists
  11. What Firebase rule will prevent duplicates in a collection based on other fields?
  12. How can I manually set an Angular form field as invalid?
  13. How to check whether a file is valid UTF-8?
  14. AngularJS: integrating with server-side validation
  15. How to force MVC to Validate IValidatableObject
  16. Custom model validation of dependent properties using Data Annotations
  17. Found an unexpected Mach-O header code: 0x72613c21 in Xcode 7
  18. Change the default message “Validation Error: Value is required” to just “Value is required”
  19. Django REST Framework serializer field required=false
  20. What characters should be restricted from a Unix file name?
  21. How to display dialog only on complete of a successful form submit
  22. Using validator with a variable attribute in ui:repeat
  23. Disable validation of HTML form elements
  24. Order of Serializer Validation in Django REST Framework
  25. How to customize JSF validation error message
  26. Angular 2 form validations start date
  27. Response status code for searches in REST APIs
  28. RESTful frameworks for Android, iOS…?
  29. Keep open when validation has failed
  30. Validate order of items inside ui:repeat

Leave a Comment