Failed login returns 200 Ok

I’m doing a POST to /session.json with the payload

  "login": "skroob",
  "password": "12345",
  "authenticity_token": "..."

When login succeeds, the status is 200 and the JSON returned is a bunch of user data. When login fails, the JSON returned looks like

{"error": "Incorrect username, email or password"}

but the status is still 200. Is this a bug? Should the status for a failed login be something >= 400, to indicate a failure?

1 Like


Maybe. I would probably go for 401.

But those are also HTTP status codes, for HTTP client connections; I think that nuance leads to decisions like returning a 200 (“your POST was successful, here is the feedback”).

Not sure, myself. :slight_smile:

1 Like
1 Like

I can see the rationale for a 200 on a failed login meaning that your login failed successfully, instead of failing unsuccessfully. :upside_down_face:


Keep in mind this is also a bit of a “feature” in that it confuses bots that are trying to log in.

I am mixed on changing this. Maybe…


I’m not asking for a change. What I wanted was disjunctive: a change OR confirmation that the behavior is intentional—which I have now. Thanks!