diff --git a/lib/api/session.rb b/lib/api/session.rb index 5bcdf93abe92cf6b5661adda46fa63a56a68fe9d..b4050160ae42facebe03ae10f0af4c7f631454cc 100644 --- a/lib/api/session.rb +++ b/lib/api/session.rb @@ -8,14 +8,13 @@ module Gitlab post "/session" do resource = User.find_for_database_authentication(email: params[:email]) - return forbidden! unless resource + return unauthorized! unless resource if resource.valid_password?(params[:password]) present resource, with: Entities::UserLogin else - forbidden! + unauthorized! end end end end - diff --git a/spec/requests/api/session_spec.rb b/spec/requests/api/session_spec.rb index 0809475be81be8934007218362894ea7e1bb2571..f251f3921acacde95418deb7b3bae3cd54256a45 100644 --- a/spec/requests/api/session_spec.rb +++ b/spec/requests/api/session_spec.rb @@ -19,7 +19,7 @@ describe Gitlab::API do context "when invalid password" do it "should return authentication error" do post api("/session"), email: user.email, password: '123' - response.status.should == 403 + response.status.should == 401 json_response['email'].should be_nil json_response['private_token'].should be_nil @@ -29,7 +29,7 @@ describe Gitlab::API do context "when empty password" do it "should return authentication error" do post api("/session"), email: user.email - response.status.should == 403 + response.status.should == 401 json_response['email'].should be_nil json_response['private_token'].should be_nil