From 6880715826ccb1523938b79c31c7ba8168bf0625 Mon Sep 17 00:00:00 2001
From: Chris Seymour <christopher.seymour@nanoporetech.com>
Date: Thu, 3 Sep 2015 14:31:38 +0100
Subject: [PATCH] Use a 401 status code for invalid login attempts. Fixes #384

---
 notebook/auth/login.py | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/notebook/auth/login.py b/notebook/auth/login.py
index bf6c9a47a..759d86bc7 100644
--- a/notebook/auth/login.py
+++ b/notebook/auth/login.py
@@ -14,7 +14,7 @@ from ..base.handlers import IPythonHandler
 
 class LoginHandler(IPythonHandler):
     """The basic tornado login handler
-    
+
     authenticates with a hashed password from the configuration.
     """
     def _render(self, message=None):
@@ -32,7 +32,7 @@ class LoginHandler(IPythonHandler):
             self.redirect(next_url)
         else:
             self._render()
-    
+
     @property
     def hashed_password(self):
         return self.password_from_settings(self.settings)
@@ -41,32 +41,33 @@ class LoginHandler(IPythonHandler):
         typed_password = self.get_argument('password', default=u'')
         if self.login_available(self.settings):
             if passwd_check(self.hashed_password, typed_password):
-                # tornado <4.2 have a bug that consider secure==True as soon as 
+                # tornado <4.2 have a bug that consider secure==True as soon as
                 # 'secure' kwarg is passed to set_secure_cookie
                 if self.settings.get('secure_cookie', self.request.protocol == 'https'):
-                    kwargs = {'secure':True}
+                    kwargs = {'secure': True}
                 else:
                     kwargs = {}
                 self.set_secure_cookie(self.cookie_name, str(uuid.uuid4()), **kwargs)
             else:
+                self.set_status(401)
                 self._render(message={'error': 'Invalid password'})
                 return
-        
+
         next_url = self.get_argument('next', default=self.base_url)
         if not next_url.startswith(self.base_url):
             # require that next_url be absolute path within our path
             next_url = self.base_url
         self.redirect(next_url)
-    
+
     @classmethod
     def get_user(cls, handler):
         """Called by handlers.get_current_user for identifying the current user.
-        
+
         See tornado.web.RequestHandler.get_current_user for details.
         """
         # Can't call this get_current_user because it will collide when
         # called on LoginHandler itself.
-        
+
         user_id = handler.get_secure_cookie(handler.cookie_name)
         # For now the user_id should not return empty, but it could, eventually.
         if user_id == '':
@@ -77,12 +78,12 @@ class LoginHandler(IPythonHandler):
             if not handler.login_available:
                 user_id = 'anonymous'
         return user_id
-        
-    
+
+
     @classmethod
     def validate_security(cls, app, ssl_options=None):
         """Check the notebook application's security.
-        
+
         Show messages, or abort if necessary, based on the security configuration.
         """
         if not app.ip:
@@ -97,7 +98,7 @@ class LoginHandler(IPythonHandler):
     @classmethod
     def password_from_settings(cls, settings):
         """Return the hashed password from the tornado settings.
-        
+
         If there is no configured password, an empty string will be returned.
         """
         return settings.get('password', u'')
@@ -106,4 +107,3 @@ class LoginHandler(IPythonHandler):
     def login_available(cls, settings):
         """Whether this LoginHandler is needed - and therefore whether the login page should be displayed."""
         return bool(cls.password_from_settings(settings))
-