This repository has been archived by the owner on Aug 30, 2021. It is now read-only.

400 Bad Request if invalid username/password? #1218

Closed
1nfinite opened this issue Feb 15, 2016 · 2 comments

Comments

@1nfinite

I am referring to v0.4.2 of MeanJS. It seems that a 400 Bad Request will appear as an error in the browser console log if the login credentials provided are incorrect during login. Not sure if this is a bug.

@vaucouleur
Contributor

Hi,

There is indeed a 400 in v0.4.2

```js
exports.signin = function (req, res, next) {
  passport.authenticate('local', function (err, user, info) {
    if (err || !user) {
      // Strategy error or invalid credentials: answer 400 with the info object
      res.status(400).send(info);
    } else {
      // ... success path continues in the linked file
    }
  })(req, res, next);
};
```
https://github.com/meanjs/mean/blob/master/modules/users/server/controllers/users/users.authentication.server.controller.js#L58

What HTTP status code would you suggest? A 403?

Also, authentication is currently being reworked by @trainerbill; currently the status code remains a 400:
https://github.com/meanjs/mean/pull/1163/files#diff-6586a849345903e73352845be92306cfR54

I guess this is all very arguable, and a matter of opinion:

  • One could argue that the user is actually allowed to access the signin resource; it's just that the resource replies "you are not allowed to signin" -- hence the 400 HTTP status code.
  • Another person could argue that it is the signin resource itself that this specific user was not supposed to access -- hence the 403 HTTP status code.
  • Yet another person might argue that the proper credentials were not actually provided to access this resource -- hence a 401 HTTP status code.
  • Yet another person might argue that signin should just return false, and not an HTTP status error code.
  • etc.

Also for reference, this section of OAuth 2.0:

5.2. Error Response
The authorization server responds with an HTTP 400 (Bad Request)
status code (unless specified otherwise) and includes the following
parameters with the response:

http://tools.ietf.org/html/rfc6749#section-5.2
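As an added example (not MEAN.js code and not from either commenter): a framework-free signin responder that keeps the failure status code in one place, separates a strategy error from bad credentials, and shapes the error body like RFC 6749 section 5.2. The names FAILURE_STATUS, buildSigninResponse, USERS and the fake authenticate function are assumptions for this example.

```javascript
// Status used when the credentials are wrong; the thread argues for 400, 401 or 403.
// Changing this one constant changes the behaviour, which is the "single place" the
// second reply talks about.
const FAILURE_STATUS = 401;

// Maps passport-style (err, user, info) callback arguments to an HTTP response.
// `err` means the strategy itself failed (e.g. the user lookup threw): that is a
// server-side fault, so it is reported as 500 rather than folded into the 400.
function buildSigninResponse(err, user, info) {
  if (err) {
    return { status: 500, body: { error: 'server_error' } };
  }
  if (!user) {
    // Body shaped like RFC 6749 5.2. The description is deliberately generic so the
    // response does not reveal whether the username or the password was wrong.
    return {
      status: FAILURE_STATUS,
      body: { error: 'invalid_grant', error_description: 'Invalid username or password' },
    };
  }
  // Strip sensitive fields before returning the user object to the client.
  const safeUser = Object.assign({}, user);
  delete safeUser.password;
  delete safeUser.salt;
  return { status: 200, body: safeUser };
}

// Constructed in-memory user store standing in for the LocalStrategy lookup.
// The stored password is a placeholder; a real store holds a salted hash.
const USERS = { alice: { username: 'alice', password: 'HASH', salt: 'SALT', roles: ['user'] } };

// Fake strategy with the same callback shape as passport.authenticate('local', cb).
function authenticate(username, password, cb) {
  if (username === 'boom') return cb(new Error('user store unavailable'));
  const u = USERS[username];
  if (!u || password !== 'correct horse') {
    return cb(null, false, { message: 'Invalid username or password' });
  }
  return cb(null, u);
}

// Express-style handler wiring the two together; `res` is any object with status().json().
function signin(req, res) {
  authenticate(req.body.username, req.body.password, function (err, user, info) {
    const r = buildSigninResponse(err, user, info);
    res.status(r.status).json(r.body);
  });
}
```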

@1nfinite
Author

Well, I guess it's a matter of personal or company preference. Since you pointed out the location for changing the status code, I guess that it relies on the person to change the status code according to their personal preference. Thanks.
