# HG changeset patch
# User Mads Kiilerich
# Date 2020-03-26 17:48:16
# Node ID 5b147d0f8927b889731646f9a90b79e4a26aaead
# Parent afe30226491e162ee00795637a8eea8ced786b82
auth: show a clear "Authentication failed" message if login fails after passing form validation

log_in_user will only set a session cookie after verifying that the user is valid (for example based on IP). The code is thus safe, but no hint were given to the user if login failed for that reason.

diff --git a/kallithea/controllers/login.py b/kallithea/controllers/login.py
--- a/kallithea/controllers/login.py
+++ b/kallithea/controllers/login.py
@@ -103,8 +103,9 @@ class LoginController(BaseController):
 h.flash(e, 'error')
 else:
 auth_user = log_in_user(user, c.form_result['remember'], is_external_auth=False, ip_addr=request.ip_addr)
- # TODO: handle auth_user is None as failed authentication?
- raise HTTPFound(location=c.came_from)
+ if auth_user:
+ raise HTTPFound(location=c.came_from)
+ h.flash(_('Authentication failed.'), 'error')
 else:
 # redirect if already logged in
 if not request.authuser.is_anonymous:
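Review bot: The new failure branch reports only to the browser; when `log_in_user` returns None nothing visible in this hunk records the denied attempt server-side, so an operator cannot notice repeated rejections for one username or source IP. Keeping the user-facing text generic is right (it should not disclose that an IP restriction was the reason), but before the `h.flash(_('Authentication failed.'), 'error')` line I would add `log.warning('login of %s from %s rejected by log_in_user', user.username, request.ip_addr)` — assuming the module has the usual `log = logging.getLogger(__name__)`; if `log_in_user` already logs the reason itself, a comment `# log_in_user has already logged why this user/IP was rejected` would make that explicit instead. Since the TODO being removed says the failure value is None, `if auth_user is not None:` states that contract more precisely than a truthiness test. The enclosing method starts before and continues after this hunk, so whether the form is re-rendered with the password field cleared after the flash cannot be seen here.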