sessions: raise exception on failed login attempts.

* Allow both xml and json authentication in sessions controller.

* Raise an exception if a login attempt fails so that a) we return a
  proper error for json/xml requests and b) failed login attempts get
  reported to NewRelic (for monitoring abuse).

app/controllers/application_controller.rb

@@ -51,7 +51,7 @@ class ApplicationController < ActionController::Base
     when ActionController::BadRequest
       render_error_page(400, exception)
     when SessionLoader::AuthenticationFailure
-      render_error_page(401, exception)
+      render_error_page(401, exception, template: "sessions/new")
     when ActionController::InvalidAuthenticityToken, ActionController::UnpermittedParameters, ActionController::InvalidCrossOriginRequest
       render_error_page(403, exception)
     when User::PrivilegeError

app/controllers/sessions_controller.rb

@@ -1,6 +1,6 @@
 class SessionsController < ApplicationController
   respond_to :html, :json
-  skip_forgery_protection only: :create, if: -> { request.format.json? }
+  skip_forgery_protection only: :create, if: -> { !request.format.html? }
 
   def new
     @user = User.new
@@ -14,15 +14,8 @@ class SessionsController < ApplicationController
       url = posts_path if url.nil?
       respond_with(session_creator.user, location: url, methods: [:api_token])
     else
-      respond_with("password was incorrect", location: new_session_path) do |fmt|
+      flash.now[:notice] = "Password was incorrect"
-        fmt.json do
+      raise SessionLoader::AuthenticationFailure
-          render json: { error: true, message: "password was incorrect"}.to_json, status: 401
-        end
-
-        fmt.html do
-          flash[:notice] = "Password was incorrect"
-        end
-      end
     end
   end