
fix(api): properly test and document login failures

Peter Thomassen %!s(int64=2) %!d(string=hai) anos
ac999ddb77
Modificáronse 2 ficheiros con 16 adicións e 1 borrados
  1. 15 0
      api/desecapi/tests/test_user_management.py
  2. 1 1
      docs/auth/account.rst

+ 15 - 0
api/desecapi/tests/test_user_management.py

@@ -651,6 +651,21 @@ class NoUserAccountTestCase(UserLifeCycleTestCase):
         self.assertStatus(response, status.HTTP_400_BAD_REQUEST)
         self.assertEqual(response.data["password"][0], "This field may not be null.")
 
+    def test_no_login_with_wrong_password(self):
+        email, password = self._test_registration(password="right123")
+        response = self.client.login_user(email, "wrong123")
+        self.assertStatus(response, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(response.data["detail"], "Invalid username/password.")
+
+    def test_no_login_when_inactive(self):
+        email, password = self._test_registration(password=self.random_password())
+        user = User.objects.get(email=email)
+        user.is_active = False
+        user.save()
+        response = self.client.login_user(email, password)
+        self.assertStatus(response, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(response.data["detail"], "Invalid username/password.")
+
     def test_registration_spam_protection(self):
         email = self.random_username()
         self.assertRegistrationSuccessResponse(
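Review bot: Neither new test checks that a rejected login leaves no credential behind — after the 403 assertion both only inspect `detail`, so a regression that still issued a token on a wrong password or for a deactivated account would pass. I'd add `self.assertNotIn("token", response.data)` to both tests and, if the test base exposes the token model, assert that the user's token count is unchanged after the failed attempt. Returning the identical `Invalid username/password.` message for the inactive-user case is the right call, since it keeps the endpoint from revealing whether an account exists or has been disabled; that intent deserves a one-line comment in `test_no_login_when_inactive`, e.g. `# same message as for a wrong password: must not reveal that the account is deactivated`. Minor style point: `test_no_login_with_wrong_password` hardcodes `"right123"` while its sibling uses `self.random_password()`; using the helper in both keeps the tests consistent and avoids depending on a fixed literal passing whatever password validation registration applies. The enclosing class `NoUserAccountTestCase` starts outside the hunk.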

+ 1 - 1
docs/auth/account.rst

@@ -169,7 +169,7 @@ If email address and password match our records, the server will reply with
 As indicated in the response, login tokens expire 7 days after creation or
 when not used for 1 hour, whichever comes first (see :ref:`token object`).
 
-In case of credential mismatch, the server replies with ``401 Unauthorized``.
+In case of credential mismatch, the server returns ``403 Permission Denied``.
 
 **Note:** Every time you send a ``POST`` request to this endpoint, an
 additional token will be created. Existing tokens will *remain valid*.