fix(auth): return HTTP 401 for invalid login credentials #282

Open
anshul23102 wants to merge 1 commit into omkarhole:main from anshul23102:fix/issue-279-login-401

Conversation

@anshul23102
Contributor

Related Issue

Closes #279

Problem

The login controller returned res.json(...) with no explicit status code on both failure paths, which defaults to HTTP 200 OK:

if (!user) {
    return res.json({ loginStatus: false, Error: 'Invalid Credentials' });
}
if (!match) {
    return res.json({ loginStatus: false, Error: 'Invalid Credentials' });
}

HTTP 200 signals a successful request. Security middleware, CDN caches, analytics tools, and client interceptors that check the status code will misclassify failed logins as successes, breaking standard error-handling conventions.

Fix

Added res.status(401) to both failure returns:

return res.status(401).json({ loginStatus: false, Error: 'Invalid Credentials' });

HTTP 401 Unauthorized is the correct status for a failed authentication attempt.

Files Changed

File | Change
backend/controllers/auth.controller.js | Add .status(401) to both failed-login response paths

Testing

  • Valid credentials: HTTP 200, loginStatus: true.
  • Wrong password: HTTP 401, loginStatus: false.
  • Unknown email: HTTP 401, loginStatus: false.

Could you please add appropriate labels to this PR? It would help with tracking. Thank you!

Fixes omkarhole#279

The login controller returned res.json(...) with no status code on both
failure paths (user not found and password mismatch), which defaults to
HTTP 200 OK. Security middleware, CDN caches, and client interceptors
that inspect status codes would treat a failed login as a successful
request, breaking standard error-handling patterns.

Changed both failure returns to res.status(401).json(...) so the HTTP
status code accurately reflects the authentication outcome.
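
The effect on status-based monitoring, as an added example that is not code from this PR or the project: a mock of the response methods the controller uses, the login handler with the failure status before (200) and after (401) the change, and a counter that keys on 401 the way a rate limiter or alert rule might. The user store, `verify`, `mockRes`, `makeLogin`, `countFailedLogins` and the sample traffic are all constructed for illustration.

```javascript
// Constructed in-memory user store; a stand-in for the project's database lookup.
const USERS = new Map([['admin@example.test', 'stored-credential']]);
// Stand-in for the real password-hash comparison (assumption, not a real verifier).
const verify = (stored, supplied) => stored === supplied;

// Minimal mock of the Express response methods the controller uses.
function mockRes() {
  return {
    statusCode: 200, // Express default when status() is never called
    body: null,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
}

// Login handler; failStatus selects the behaviour before (200) or after (401) the fix.
function makeLogin(failStatus) {
  return (req, res) => {
    const fail = () => res.status(failStatus)
      .json({ loginStatus: false, Error: 'Invalid Credentials' });
    const stored = USERS.get(req.body.email);
    if (stored === undefined) return fail();               // unknown email
    if (!verify(stored, req.body.password)) return fail(); // wrong password
    return res.json({ loginStatus: true });                // status stays 200
  };
}

// Hypothetical status-based monitor: counts 401 responses per client address.
function countFailedLogins(handler, attempts) {
  const failures = new Map();
  for (const { ip, email, password } of attempts) {
    const res = handler({ body: { email, password } }, mockRes());
    if (res.statusCode === 401) failures.set(ip, (failures.get(ip) || 0) + 1);
  }
  return failures;
}

// Constructed traffic: three bad attempts from one address, one valid login from another.
const ATTEMPTS = [
  { ip: '198.51.100.7', email: 'admin@example.test', password: 'guess-1' },
  { ip: '198.51.100.7', email: 'admin@example.test', password: 'guess-2' },
  { ip: '198.51.100.7', email: 'nobody@example.test', password: 'guess-3' },
  { ip: '203.0.113.9', email: 'admin@example.test', password: 'stored-credential' },
];

const before = countFailedLogins(makeLogin(200), ATTEMPTS);
const after = countFailedLogins(makeLogin(401), ATTEMPTS);
console.log('failures seen before fix:', before.get('198.51.100.7') || 0);
console.log('failures seen after fix: ', after.get('198.51.100.7') || 0);
```

Both failure paths return the same status and body, so the response does not distinguish an unknown email from a wrong password.
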
@vercel

vercel Bot commented Jun 2, 2026

@anshul23102 is attempting to deploy a commit to the omkarhole's projects Team on Vercel.

A member of the Team first needs to authorize it.

Development

Successfully merging this pull request may close these issues.

[Bug]: login endpoint returns HTTP 200 for invalid credentials instead of HTTP 401