wrong password login screen should return 401 so that it counts to the rate limiter, fixes #3867

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "trilium",
-  "version": "0.59.3",
+  "version": "0.59.4",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
     "": {
       "name": "trilium",
-      "version": "0.59.3",
+      "version": "0.59.4",
       "hasInstallScript": true,
       "license": "AGPL-3.0-only",
       "dependencies": {

src/routes/login.js

@@ -76,7 +76,7 @@ function login(req, res) {
         // note that logged IP address is usually meaningless since the traffic should come from a reverse proxy
         log.info(`WARNING: Wrong password from ${req.ip}, rejecting.`);
 
-        res.render('login', {
+        res.status(401).render('login', {
             failedAuth: true,
             assetPath: assetPath
         });