
Return 401 status code with invalid login flow

Open linkvt opened this issue 3 years ago • 5 comments

Breaking change

I don't have the complete view about all HA components and their connections, but I don't see this as breaking.

Proposed change

Login requests with invalid credentials are currently returned with HTTP status code 200. I propose to return the IMO more correct status code 401 Unauthorized on all invalid logins.

This allows the user, e.g., to block requests with fail2ban on a network level after too many (=user defined) failed login requests.

Type of change

  • [ ] Dependency upgrade
  • [x] Bugfix (non-breaking change which fixes an issue)
  • [ ] New integration (thank you!)
  • [ ] New feature (which adds functionality to an existing integration)
  • [ ] Deprecation (breaking change to happen in the future)
  • [ ] Breaking change (fix/feature causing existing functionality to break)
  • [ ] Code quality improvements to existing code or addition of tests

Additional information

  • This PR fixes or closes issue: fixes #79284
  • This PR is related to issue:
  • Link to documentation pull request:

Checklist

  • [x] The code change is tested and works locally.
  • [x] Local tests pass. Your PR cannot be merged unless tests pass
    • auth tests and others pass, unrelated tests fail (tts, plex)
  • [x] There is no commented out code in this PR.
  • [x] I have followed the development checklist
  • [x] The code has been formatted using Black (black --fast homeassistant tests)
  • [x] Tests have been added to verify that the new code works.

If user exposed functionality or configuration variables are added/changed:

If the code communicates with devices, web services, or third-party tools:

  • [ ] The manifest file has all fields filled out correctly.
    Updated and included derived files by running: python3 -m script.hassfest.
  • [ ] New or updated dependencies have been added to requirements_all.txt.
    Updated by running python3 -m script.gen_requirements_all.
  • [ ] For the updated dependencies - a link to the changelog, or at minimum a diff between library versions is added to the PR description.
  • [ ] Untested files have been added to .coveragerc.

The integration reached or maintains the following Integration Quality Scale:

  • [ ] No score or internal
  • [ ] 🥈 Silver
  • [ ] 🥇 Gold
  • [ ] 🏆 Platinum

To help with the load of incoming pull requests:

linkvt avatar Sep 30 '22 13:09 linkvt
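To show why the status code matters for the fail2ban use case in the proposal, here is an added example (not code from this PR or from Home Assistant) of a minimal fail2ban-style counter run over constructed access-log lines: the same three failed logins from one client produce no ban when answered with 200, and a ban when answered with 401. The log format, request path and addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed common-log-format lines; not real Home Assistant output.
# Before the change: three failed logins from one client, all answered with 200.
LOG_BEFORE = """\
203.0.113.7 - - [18/Oct/2022:19:00:01 +0000] "POST /auth/login_flow/abc HTTP/1.1" 200 58
203.0.113.7 - - [18/Oct/2022:19:00:02 +0000] "POST /auth/login_flow/abc HTTP/1.1" 200 58
203.0.113.7 - - [18/Oct/2022:19:00:03 +0000] "POST /auth/login_flow/abc HTTP/1.1" 200 58
"""
# After the change: the same failed logins answered with 401, plus a second client
# with only two failures and an old one outside the time window.
LOG_AFTER = """\
203.0.113.7 - - [18/Oct/2022:19:00:01 +0000] "POST /auth/login_flow/abc HTTP/1.1" 401 58
198.51.100.9 - - [18/Oct/2022:18:30:00 +0000] "POST /auth/login_flow/def HTTP/1.1" 401 58
203.0.113.7 - - [18/Oct/2022:19:00:02 +0000] "POST /auth/login_flow/abc HTTP/1.1" 401 58
198.51.100.9 - - [18/Oct/2022:19:00:02 +0000] "POST /auth/login_flow/def HTTP/1.1" 401 58
203.0.113.7 - - [18/Oct/2022:19:00:03 +0000] "POST /auth/login_flow/abc HTTP/1.1" 401 58
198.51.100.9 - - [18/Oct/2022:19:00:04 +0000] "POST /auth/login_flow/def HTTP/1.1" 401 58
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (client_ip, timestamp, status) or None for a malformed line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, int(m["status"])


def ips_to_ban(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Clients with at least `maxretry` 401 responses inside a sliding `findtime`
    window, mirroring fail2ban's maxretry/findtime semantics."""
    recent = defaultdict(deque)  # ip -> timestamps of recent 401s
    banned = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, status = parsed
        if status != 401:  # a 200 on a failed login is invisible to the filter
            continue
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()  # drop failures older than findtime
        if len(window) >= maxretry:
            banned.add(ip)
    return banned
```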

Hi linkvt

It seems you haven't yet signed a CLA. Please do so here.

Once you do that we will be able to review and accept this pull request.

Thanks!

homeassistant avatar Sep 30 '22 13:09 homeassistant

Hey there @home-assistant/core, mind taking a look at this pull request as it has been labeled with an integration (auth) you are listed as a code owner for? Thanks!

homeassistant avatar Sep 30 '22 13:09 homeassistant

You will need to validate that this still works with the frontend.

balloob avatar Sep 30 '22 15:09 balloob

Thanks for the review, I will make it a draft again and update the PR as soon as I am able to test it!

linkvt avatar Sep 30 '22 19:09 linkvt

Hello @balloob or fellow reviewers :)

Sorry for the long silence in this PR, I finally found some time, updated the PR and tested it with the frontend by running the "Run Home Assistant Core" task from the vscode DEV container.

Below are screenshots of the response on:

Current dev branch, bad login (correct credentials obv. worked before)


My branch, correct login


My branch, bad credentials - showing the expected behaviour (401 and bad login message)


Best! Vincent

linkvt avatar Oct 18 '22 19:10 linkvt

There hasn't been any activity on this pull request recently. This pull request has been automatically marked as stale because of that and will be closed if no further activity occurs within 7 days. Thank you for your contributions.

github-actions[bot] avatar Mar 26 '23 02:03 github-actions[bot]