From cc4e39b88bdc7dc18a630bade74809915a1f871d Mon Sep 17 00:00:00 2001
From: evazion
Date: Mon, 7 Oct 2019 22:27:38 -0500
Subject: [PATCH] sessions: raise exception on failed login attempts.

* Allow both xml and json authentication in sessions controller.
* Raise an exception if a login attempt fails so that a) we return a proper error for json/xml requests and b) failed login attempts get reported to NewRelic (for monitoring abuse).
---
 app/controllers/application_controller.rb | 2 +-
 app/controllers/sessions_controller.rb | 13 +++----------
 2 files changed, 4 insertions(+), 11 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index e1d504215..b1359ffc2 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -51,7 +51,7 @@ class ApplicationController < ActionController::Base
     when ActionController::BadRequest
       render_error_page(400, exception)
     when SessionLoader::AuthenticationFailure
-      render_error_page(401, exception)
+      render_error_page(401, exception, template: "sessions/new")
     when ActionController::InvalidAuthenticityToken, ActionController::UnpermittedParameters, ActionController::InvalidCrossOriginRequest
       render_error_page(403, exception)
     when User::PrivilegeError
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 7146807a0..807cf2c37 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -1,6 +1,6 @@
 class SessionsController < ApplicationController
   respond_to :html, :json
-  skip_forgery_protection only: :create, if: -> { request.format.json? }
+  skip_forgery_protection only: :create, if: -> { !request.format.html? }
 
   def new
     @user = User.new
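Review bot: The `template: "sessions/new"` option on the new `render_error_page(401, ...)` line applies to every `SessionLoader::AuthenticationFailure` the application raises, not just to a failed submission of the login form, because this `when` branch lives in ApplicationController. If SessionLoader also raises that class for a bad API key on an arbitrary route (not visible here), a 401 on that route would now render the login form, and that template presumably relies on `@user`, which only `SessionsController#new` sets, so it may fail or render empty in this path. Consider scoping the template to the sessions controller, for example `template: ("sessions/new" if controller_name == "sessions")` if `render_error_page` tolerates a nil template, or having the handler set `@user ||= User.new` before rendering. The enclosing `case` and its method start and end outside the hunk.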
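Review bot: The new `skip_forgery_protection` condition turns the CSRF exemption from an allowlist (json) into a denylist (everything but html), and `request.format` is chosen by the sender via the path extension or `?format=`, so a cross-site form POST to `/session.xml` (or any other registered MIME type) reaches `create` with no authenticity token; if `session_creator` writes the cookie session for API-format logins the way it does for HTML, that is a login-CSRF vector, which existed for `.json` before but is now wider than the commit message's "xml and json" implies. Prefer an explicit allowlist, `skip_forgery_protection only: :create, if: -> { request.format.json? || request.format.xml? }`, and consider not establishing a cookie session at all for API-format logins, returning only the `api_token`. Separately, `respond_to :html, :json` on the line above is unchanged and does not list `:xml`, so an XML login would pass the skipped CSRF check and then fail in `respond_with` as an unknown format unless xml is registered elsewhere.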
@@ -14,15 +14,8 @@ class SessionsController < ApplicationController
       url = posts_path if url.nil?
       respond_with(session_creator.user, location: url, methods: [:api_token])
     else
-      respond_with("password was incorrect", location: new_session_path) do |fmt|
-        fmt.json do
-          render json: { error: true, message: "password was incorrect"}.to_json, status: 401
-        end
-
-        fmt.html do
-          flash[:notice] = "Password was incorrect"
-        end
-      end
+      flash.now[:notice] = "Password was incorrect"
+      raise SessionLoader::AuthenticationFailure
     end
   end
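Review bot: `raise SessionLoader::AuthenticationFailure` carries no message, so the JSON/XML error body (and the NewRelic report the commit message wants) only gets the class name, where the removed `fmt.json` branch returned `"password was incorrect"`; raising with the text, `raise SessionLoader::AuthenticationFailure, "Password was incorrect"`, keeps a usable message for API clients and makes the event identifiable in monitoring. The API response also changes shape, from `{ error: true, message: ... }` to whatever `render_error_page` emits for the format, which is a wire-format change worth stating in the commit message. `flash.now` set just before the raise only reaches the user because the 401 handler renders `sessions/new` within the same request; a one-line comment, `# flash.now: the AuthenticationFailure handler renders sessions/new in this same request`, would stop someone from "fixing" it back to `flash[]`. The `create` method starts outside the hunk.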