[PR #1756] [MERGED] fix: 403 http error code on failed login #3659

Closed
opened 2026-03-22 14:50:25 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/go-vikunja/vikunja/pull/1756
Author: @pano9000
Created: 11/6/2025
Status: Merged
Merged: 11/6/2025
Merged by: @kolaente

Base: main ← Head: fix_HTTP-error-code-on-failed-login


📝 Commits (2)

  • 4ce832e chore: fix copy/paste error in comment
  • 8f7a92e fix: send 403 http.StatusForbidden for ErrWrongUsernameOrPassword

📊 Changes

1 file changed (+3 additions, -3 deletions)


📝 pkg/user/error.go (+3 -3)

📄 Description

Hi,

this PR is doing a minor change to the error code that the API returns back for a failed login, when the wrong username or password is provided.

The swagger docs are reporting to expect a 403 error code, as mentioned here:
https://github.com/go-vikunja/vikunja/blob/59878741659c3f5335acd5bdd96842c69ac0778f/pkg/routes/api/v1/login.go#L45

However, it was actually sending a http.StatusPreconditionFailed (so a 412 code).

With the change it should now send a http.StatusForbidden (so a 403) as documented (and it makes a bit more sense than 412 as well IMHO).

Reason I noticed it:
I was trying to set up fail2ban with a TOTP-enabled account, but while manually testing I discovered that even when I put in nonsense values in the first "login stage" (i.e. where you enter user + pass, BEFORE you get the TOTP field displayed), I got a 412 back instead of a 403.

The fail2ban documentation (https://vikunja.io/docs/fail2ban/) also does not need to be updated; it already assumes 400, 403 and 412 as failure codes.


And while I was at it, I did a tiny copy/paste error correction on some comments.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

GiteaMirror added the pull-request label 2026-03-22 14:50:25 -05:00
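
Added example (not code from this PR or from Vikunja): a small log-based detector that counts failed logins per client IP using the full set of failure codes named in the description (400, 403, 412), next to one narrowed to 403 only. It shows that the full set flags the same client whether the server predates this change (412) or includes it (403). The access-log layout, the POST /api/v1/login path, the sample lines and the maxRetry value are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Constructed sample access-log lines (not from the PR). The log layout and
// the POST /api/v1/login path are assumptions made for this example.
var sampleLog = []string{
	`203.0.113.7 - - [06/Nov/2025:10:00:01 +0000] "POST /api/v1/login HTTP/1.1" 412 58`,
	`203.0.113.7 - - [06/Nov/2025:10:00:03 +0000] "POST /api/v1/login HTTP/1.1" 412 58`,
	`198.51.100.20 - - [06/Nov/2025:10:00:04 +0000] "POST /api/v1/login HTTP/1.1" 200 310`,
	`203.0.113.7 - - [06/Nov/2025:10:00:06 +0000] "POST /api/v1/login HTTP/1.1" 403 58`,
	`198.51.100.20 - - [06/Nov/2025:10:00:07 +0000] "GET /api/v1/tasks/all HTTP/1.1" 403 40`,
	`192.0.2.44 - - [06/Nov/2025:10:00:09 +0000] "POST /api/v1/login HTTP/1.1" 400 61`,
}

// loginLine captures the client IP and the response status of login requests only.
var loginLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "POST /api/v1/login HTTP/[\d.]+" (\d{3}) `)

// failedLogins counts, per client IP, login responses whose status is in failCodes.
func failedLogins(lines []string, failCodes map[string]bool) map[string]int {
	counts := make(map[string]int)
	for _, l := range lines {
		if m := loginLine.FindStringSubmatch(l); m != nil && failCodes[m[2]] {
			counts[m[1]]++
		}
	}
	return counts
}

// offenders returns, sorted, the IPs that reached maxRetry failed logins.
func offenders(counts map[string]int, maxRetry int) []string {
	var out []string
	for ip, n := range counts {
		if n >= maxRetry {
			out = append(out, ip)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	documented := map[string]bool{"400": true, "403": true, "412": true}
	only403 := map[string]bool{"403": true}
	fmt.Println(offenders(failedLogins(sampleLog, documented), 3))
	fmt.Println(offenders(failedLogins(sampleLog, only403), 3))
}
```

With the sample lines, the full code set reaches the threshold for 203.0.113.7, while the 403-only set counts a single failure for it and flags nobody.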

Reference: github-starred/vikunja#3659