From eff567ee487c976d7b1bfdb321636939eb294fd8 Mon Sep 17 00:00:00 2001
From: zadam <zadam.apps@gmail.com>
Date: Sun, 23 Apr 2023 22:22:05 +0200
Subject: [PATCH] wrong password login screen should return 401 so that it
 counts to the rate limiter, fixes #3867

---
 package-lock.json   | 4 ++--
 src/routes/login.js | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 59a3f9bd6..fc65cd991 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "trilium",
-  "version": "0.59.3",
+  "version": "0.59.4",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
     "": {
       "name": "trilium",
-      "version": "0.59.3",
+      "version": "0.59.4",
       "hasInstallScript": true,
       "license": "AGPL-3.0-only",
       "dependencies": {
diff --git a/src/routes/login.js b/src/routes/login.js
index 9dc9075e7..480ffae86 100644
--- a/src/routes/login.js
+++ b/src/routes/login.js
@@ -76,7 +76,7 @@ function login(req, res) {
         // note that logged IP address is usually meaningless since the traffic should come from a reverse proxy
         log.info(`WARNING: Wrong password from ${req.ip}, rejecting.`);
 
-        res.render('login', {
+        res.status(401).render('login', {
             failedAuth: true,
             assetPath: assetPath
         });