It looks like the server is returning different responses for bad username and bad password

[webbnh]

It looks like we're returning different responses for bad username and bad password (same message, but different statuses). I don't think we want the user to be able to distinguish between them.

Originally posted by @webbnh in #1937 (comment)

[webbnh]

Interestingly, Flask may be doing the something similar, although, I think they are doing the reverse: they are returning 401 for a non-existent user and 403 for unauthorized credentials, whereas we are returning 401 for a bad password and 403 for a bad username.

[npalaska]

@webbnh interesting, btw its not flask but an author of the Flask-HTTPAuth package. When I wrote that status code I followed https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401, it says 401 is for when the request lacks valid authentication credentials (such as bad password). 403 is forbidden and re-authenticating will make no difference (because we dont have such a user)

[portante]

Based on https://stackoverflow.com/questions/32752578/whats-the-appropriate-http-status-code-to-return-if-a-user-tries-logging-in-wit, we should be always returning a 401 stating "bad user or password", but not indicating which.

403 is for a operation that is attempting to execute some action requiring access, but is denied (either because the client is not authenticated, or is authenticated but the authenticated user does not have access).