Issue
When a user with a deactivated user account attempts to log in to a Mendix application, a 401 Unauthorized HTTP response is returned with the following message:
"The username or password you entered is incorrect"
This leads to confusion, as users may believe that they entered their credentials incorrectly.
It could be argued that a 403 Forbidden HTTP response with a message resembling the following would be more appropriate in this case:
"You don't have enough permissions to access this page. You may try to log in as a different user"
This confirms that the credentials were correct, but that the user does not have access to the app.
Environment
Studio Pro
Solution/Workaround
Although a 403 response could be more helpful for some users, it is standard security practice to return the same HTTP response for every failed login attempt, so that the response reveals nothing about the accounts behind the login form. A distinct 403 for deactivated accounts would confirm to an attacker that the username exists and that the password they supplied is correct, which is exactly the kind of account and credential enumeration a login form must not allow. For this reason, Mendix applications return a 401 response both when the credentials are incorrect and when the user account has been deactivated.
The HTTP status code therefore cannot be changed, but the message text that accompanies it can be customized if necessary.
For this, follow the steps below in Studio Pro:
Navigate to App Explorer > App 'AppName' > System Texts
Change the Text field for the item labeled Error: incorrect credentials. Note that this text is shown for every failed login attempt, so it should not mention account deactivation either; otherwise the message itself would leak the account state that the uniform 401 response is meant to hide.
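The following is an added example, not Mendix code, that shows in a generic login handler why the uniform response described above matters. It places a 'before' handler that answers each failure case differently beside a hardened one that returns the same status and message for an unknown username, a wrong password and a deactivated account. It goes slightly beyond the article in also verifying the password against a dummy record for unknown usernames, so that response time does not become a substitute oracle. The in-memory user store, the hashing parameters and all function names are assumptions made for this illustration.

```python
"""Added example (not Mendix code): a login handler that leaks account
state beside one that returns a uniform 401 response.

The in-memory user store, the PBKDF2 parameters and the function names
are assumptions made for this illustration.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, Tuple

GENERIC_MESSAGE = "The username or password you entered is incorrect"
DEACTIVATED_MESSAGE = ("You don't have enough permissions to access this page. "
                       "You may try to log in as a different user")


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2 so that every verification costs the same amount of work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed sample user store: one active user and one deactivated user.
_SALT = os.urandom(16)
USERS: Dict[str, dict] = {
    "alice": {"salt": _SALT, "hash": _hash("correct horse", _SALT), "active": True},
    "bob":   {"salt": _SALT, "hash": _hash("battery staple", _SALT), "active": False},
}
# Dummy record used when the username is unknown: it never matches, and
# verifying against it keeps the cost of an unknown user the same as a
# known one.
_DUMMY = {"salt": _SALT, "hash": _hash(os.urandom(16).hex(), _SALT), "active": False}


def login_leaky(username: str, password: str) -> Tuple[int, str]:
    """'Before' version: each failure path answers differently, so the
    response tells an attacker whether the username exists and, for a
    deactivated account, that the guessed password was correct."""
    user = USERS.get(username)
    if user is None:
        return 401, "Unknown user"
    if not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return 401, GENERIC_MESSAGE
    if not user["active"]:
        return 403, DEACTIVATED_MESSAGE
    return 200, "OK"


def login_uniform(username: str, password: str) -> Tuple[int, str]:
    """Hardened version: unknown user, wrong password and deactivated
    account all produce the same status and the same message. The
    password is always verified (against the dummy record if needed) and
    deactivation is folded into the same failure branch."""
    user = USERS.get(username, _DUMMY)
    password_ok = hmac.compare_digest(_hash(password, user["salt"]), user["hash"])
    if not password_ok or not user["active"]:
        return 401, GENERIC_MESSAGE
    return 200, "OK"


def responses_are_distinguishable(login: Callable[[str, str], Tuple[int, str]]) -> bool:
    """Attacker's view: submit the three failure cases and report whether
    the responses differ. True means the endpoint is an account-state oracle."""
    attempts = [
        ("nobody", "anything"),        # unknown username
        ("alice", "wrong password"),   # known user, wrong password
        ("bob", "battery staple"),     # deactivated user, correct password
    ]
    return len({login(u, p) for u, p in attempts}) > 1


if __name__ == "__main__":
    for name, fn in (("leaky", login_leaky), ("uniform", login_uniform)):
        print(name, "distinguishable:", responses_are_distinguishable(fn))
```

Running the block prints that the leaky handler is distinguishable and the uniform one is not. The same principle applies to whatever text is entered in the Error: incorrect credentials system text: it is returned on every failure path, so it must stay neutral.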
Internal information related
- 222037
- C3T260XGA/p1720011337804159
Additional information
Other documentation: HTTP 401 Unauthorized vs 403 Forbidden