diff --git a/core/modules/rest/src/Plugin/rest/resource/UserLoginResource.php b/core/modules/rest/src/Plugin/rest/resource/UserLoginResource.php
index a52c807..68ee9f7 100644
--- a/core/modules/rest/src/Plugin/rest/resource/UserLoginResource.php
+++ b/core/modules/rest/src/Plugin/rest/resource/UserLoginResource.php
@@ -1,13 +1,7 @@ 'login', 'logout'
- * 'credentials' => array(
+ * 'credentials' => [
 * 'name' => 'your-name',
 * 'pass' => 'your-password',
- * ),
- * )
+ * ],
+ * ]
 *
 * The operation and username + pass for the login op.
 *
 * @return \Drupal\rest\ResourceResponse
 * The HTTP response object.
 */
- public function post(array $operation = array()) {
+ public function post(array $operation = []) {
 if (array_key_exists('op', $operation)) {
 switch ($operation['op']) {
 case 'login':
 if (!array_key_exists('credentials', $operation)) {
- $operation['credentials'] = array();
+ $operation['credentials'] = [];
 }
 return $this->login($operation['credentials']);
@@ -137,8 +132,7 @@ public function post(array $operation = array()) {
 return $this->requestNewPassword($operation['reset_info']);
 default:
- // TODO: do we have to escape?
- throw new BadRequestHttpException('Unsupported op '. Html::escape($operation['op']) . '.');
+ throw new BadRequestHttpException('Unsupported op '. $operation['op'] . '.');
 }
 }
@@ -154,9 +148,9 @@ public function post(array $operation = array()) {
 * The username and pass for the user.
 *
 * @return \Drupal\rest\ResourceResponse
- * The HTTP response object
+ * The HTTP response object.
 */
- protected function login(array $credentials = array()) {
+ protected function login(array $credentials = []) {
 if (empty($credentials)) {
 throw new BadRequestHttpException('Missing credentials.');
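Review bot: With Html::escape() dropped in the `@@ -137,8 +132,7 @@` hunk, the `default:` branch now places the client-supplied `op` value verbatim into the exception message, and nothing on the new side records why that is acceptable; it is safe only as long as every renderer on the path encodes the message (the REST exception subscriber presumably JSON-encodes it), so either add `// $operation['op'] is client data; safe here only because the REST exception subscriber JSON-encodes the message.` above the throw, or validate `op` against the supported set before the switch so the value never reaches a message at all. The same line assumes `op` is a string: a payload such as `{"op": {}}` presumably decodes to an array, and the concatenation then emits an "Array to string conversion" notice instead of a clean 400, so a guard like `if (!is_string($operation['op'])) { throw new BadRequestHttpException('Unsupported op.'); }` before the switch is worth adding. post() begins before this hunk and its body continues past it.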
@@ -172,7 +166,7 @@ protected function login(array $credentials = array()) {
 }
 // Flood control.
- if ($this->restFloodControl($this->configFactory->get('user.flood'), 'rest.login_cookie')) {
+ if (!$this->restFloodControl($this->configFactory->get('user.flood'), 'rest.login_cookie')) {
 throw new BadRequestHttpException('Blocked.');
 }
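Review bot: The added `!` is only correct together with the return-value flip of restFloodControl() in the `@@ -264,13 +277,17 @@` hunk; either change landing alone inverts flood control so that throttled clients pass and everyone else is refused, and nothing at this call site states which polarity is expected. A one-line comment pins it: `// restFloodControl() returns TRUE while the client is still within the flood limit.` Note also that the check keys only on the event name, so if the flood service falls back to the client address as identifier (core's does by default, as far as I recall) this throttles per address while using the `user_limit`/`user_window` values, whereas core's login form keeps both an address-level and a per-account event; that difference deserves a comment or a second per-account check. login() begins before this hunk and continues after it.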
@@ -183,30 +177,49 @@ protected function login(array $credentials = array()) {
 // Log in the user.
 if ($uid = \Drupal::service('user.auth')->authenticate($credentials['name'], $credentials['pass'])) {
+ /** @var \Drupal\user\Entity\User $user */
 $user = User::load($uid);
 user_login_finalize($user);
- return new ResourceResponse('You are logged in as ' . $credentials['name'] . '.', 200, array());
+
+ // Add some basics about the user's account.
+ $response_data = [
+ 'current_user' => [
+ 'uid' => $user->id(),
+ 'roles' => $user->getRoles(),
+ 'name' => $user->getAccountName(),
+ ],
+ 'csrf_token' => \Drupal::csrfToken()->get('rest'),
+ ];
+
+ return new ResourceResponse($response_data, 200, []);
 }
 $this->flood->register('rest.login_cookie', $this->configFactory->get('user.flood')->get('user_window'));
 throw new BadRequestHttpException('Sorry, unrecognized username or password.');
 }
+ /**
+ * Checks if the account is authenticated.
+ *
+ * @return \Drupal\rest\ResourceResponse
+ * The HTTP response object.
+ */
 protected function status() {
 if (\Drupal::currentUser()->isAuthenticated()) {
- return new ResourceResponse('You are logged in.', 200, array());
+ return new ResourceResponse('You are logged in.', 200, []);
 }
- return new ResourceResponse('You are not logged in.', 200, array());
+ return new ResourceResponse('You are not logged in.', 200, []);
 }
- /**
+ /**
 * User Logout.
 *
- * @return ResourceResponse
+ * @return \Drupal\rest\ResourceResponse
+ * The HTTP response object.
 */
 protected function logout() {
 user_logout();
- return new ResourceResponse('You are logged out.', 200, array());
+ return new ResourceResponse('You are logged out.', 200, []);
 }
 /**
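Review bot: login()'s success payload now has a fixed shape (`current_user` with `uid`, `roles` and `name`, plus a session-bound `csrf_token`) that clients will code against, but its docblock still says only "The HTTP response object"; list those keys under `@return` and state that the token is the one the REST CSRF request-header check expects, so the contract is explicit rather than discoverable only from the test. The literal `'rest'` passed to csrfToken()->get() duplicates the key that check uses; if this core version exposes it as a constant (CsrfRequestHeaderAccessCheck::TOKEN_KEY), reference that instead so the two cannot drift. The `@var` hint above `User::load($uid)` presumes load() never returns NULL here, which is plausible since authenticate() just returned the uid, but a `if (!$user) { throw new BadRequestHttpException('Sorry, unrecognized username or password.'); }` before user_login_finalize() turns the remaining edge into a clean 400 instead of a fatal. The method starts before this hunk.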
@@ -223,9 +236,10 @@ protected function userIsBlocked($name) {
 * Sends the replacement login information by email.
 *
 * @param array $reset_info
+ * Necessary data for the replacement.
 *
 * @return \Drupal\rest\ResourceResponse
- * The HTTP response object
+ * The HTTP response object.
 */
 protected function requestNewPassword(array $reset_info) {
 $name = $reset_info['name'];
@@ -251,7 +265,6 @@ protected function requestNewPassword(array $reset_info) {
 throw new BadRequestHttpException("Sorry, $name is not recognized as a user name or an e-mail address.");
 }
- // @TODO get the current language.
 $mail = _user_mail_notify('password_reset', $account, $reset_info['lang']);
 if (!empty($mail)) {
 $this->logger->notice('Password reset instructions mailed to %name at %email.', ['%name' => $account->getUsername(), '%email' => $account->getEmail()]);
@@ -264,13 +277,17 @@ protected function requestNewPassword(array $reset_info) {
 * Checks for flooding.
 *
 * @param \Drupal\Core\Config\ImmutableConfig $config
- * @param $name
+ * The flood control config object.
+ * @param string $name
+ * The name of the event.
+ *
 * @return bool
+ * TRUE if the user is allowed to proceed, FALSE otherwise.
 */
 protected function restFloodControl($config, $name) {
 $limit = $config->get('user_limit');
 $interval = $config->get('user_window');
- if (!$this->flood->isAllowed($name, $limit, $interval)) {
+ if ($this->flood->isAllowed($name, $limit, $interval)) {
 return TRUE;
 }
 return FALSE;
diff --git a/core/modules/rest/src/Tests/ResourceTest.php b/core/modules/rest/src/Tests/ResourceTest.php
index 50521cb..527af9b 100644
--- a/core/modules/rest/src/Tests/ResourceTest.php
+++ b/core/modules/rest/src/Tests/ResourceTest.php
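Review bot: Deleting the TODO in the `@@ -251,7 +265,6 @@` hunk makes `$reset_info['lang']` the final answer for the notification language, yet the new side still reads that key straight out of the client payload without checking that it exists or names an enabled language: a payload without `lang` raises an undefined-index notice, and any other string is handed to _user_mail_notify() unvalidated. Resolve it server-side, e.g. `$langcode = isset($reset_info['lang']) ? $reset_info['lang'] : \Drupal::languageManager()->getCurrentLanguage()->getId();`, and fall back to the current language when `\Drupal::languageManager()->getLanguage($langcode)` returns NULL, so the mail language is never chosen by an unauthenticated caller. requestNewPassword() starts before this hunk and ends after it.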
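Review bot: In the `@@ -264,13 +277,17 @@` hunk the flipped condition still spells a boolean as an if/`return TRUE`/`return FALSE` triple; `return $this->flood->isAllowed($name, $limit, $interval);` says the same thing in one line and makes the polarity the new docblock promises (TRUE means allowed) visible at a glance. The name restFloodControl() reads as "apply flood control", which with a TRUE-means-allowed return is exactly what invited the inversion the `@@ -172,7 +166,7 @@` hunk had to correct, so naming it for the predicate (it is protected, so callers are local) or at least adding `// Predicate: TRUE when the client is still allowed.` above the signature would help. The docblock now types `$config` as ImmutableConfig while the signature stays untyped; `protected function restFloodControl(ImmutableConfig $config, $name)` would let PHP enforce it. The method's closing brace is outside the hunk.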
@@ -117,8 +117,10 @@ public function testUriPaths() {
 $manager = \Drupal::service('plugin.manager.rest');
 foreach ($manager->getDefinitions() as $resource => $definition) {
- foreach ($definition['uri_paths'] as $key => $uri_path) {
- $this->assertFalse(strpos($uri_path, '//'), 'The resource URI path does not have duplicate slashes.');
+ if (isset($definition['uri_paths'])) {
+ foreach ($definition['uri_paths'] as $key => $uri_path) {
+ $this->assertFalse(strpos($uri_path, '//'), 'The resource URI path does not have duplicate slashes.');
+ }
 }
 }
 }
diff --git a/core/modules/rest/src/Tests/UserLoginTest.php b/core/modules/rest/src/Tests/UserLoginTest.php
index ffe00a3..fb40dbc 100644
--- a/core/modules/rest/src/Tests/UserLoginTest.php
+++ b/core/modules/rest/src/Tests/UserLoginTest.php
@@ -1,10 +1,5 @@ assertResponseBody('400', '{"error":"Sorry, unrecognized username or password."}');
 $payload = $this->getPayload('login', $name, $pass);
- $this->httpRequest('user_login', 'POST', json_encode($payload), 'application/json');
- $this->assertResponseBody('200', '"You are logged in as ' . $name . '."');
+ $response = $this->httpRequest('user_login', 'POST', json_encode($payload), 'application/json');
+ $response = json_decode($response);
+ $this->assertEqual($name, $response->current_user->name, "The user name is correct.");
 $payload = $this->getPayload('status');
 $this->httpRequest('user_login', 'POST', json_encode($payload), 'application/json');
@@ -98,12 +94,14 @@ public function testLogin() {
 * Helper function to build the payload.
 *
 * @param string $op
- * @param string|null $name
- * @param string|null $pass
+ * The operation.
+ * @param string $name
+ * The user name.
+ * @param string $pass
+ * The user pass.
 *
 * @return array
- *
- * @see UserLoginResource.php
+ * The payload.
 */
 private function getPayload( $op, $name = NULL, $pass = NULL) {
 $result = array('op' => $op);
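Review bot: The re-indented `assertFalse(strpos($uri_path, '//'), ...)` line in the `@@ -117,8 +117,10 @@` hunk still passes when the duplicate slashes sit at offset 0, because strpos() returns 0 there and simpletest's assertFalse() only checks `!$value`; write `$this->assertFalse(strpos($uri_path, '//') !== FALSE, ...)` or `$this->assertIdentical(FALSE, strpos($uri_path, '//'), ...)` so a leading `//` is caught too. The new isset() guard silently drops any definition without `uri_paths` from the check, which is fine for this assertion but reads as accidental; a comment such as `// uri_paths is optional in a resource definition.` makes it deliberate. testUriPaths() begins before this hunk.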
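Review bot: The new `@param string $name` and `@param string $pass` lines in the `@@ -98,12 +94,14 @@` hunk are narrower than the signature, which still defaults both to NULL and is called with only `$op` for the status payload a few lines earlier; the `string|null` the commit removed was the accurate type, so restore it as `@param string|null $name` / `@param string|null $pass` and say when NULL is expected (e.g. "The user name, or NULL for ops that need no credentials."). While here, the stray space in the context line `private function getPayload( $op,` is worth dropping. The function body continues past this hunk.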
diff --git a/core/modules/rest/tests/src/Unit/UserLoginResourceTest.php b/core/modules/rest/tests/src/Unit/UserLoginResourceTest.php
index b3cce3f..9e6b999 100644
--- a/core/modules/rest/tests/src/Unit/UserLoginResourceTest.php
+++ b/core/modules/rest/tests/src/Unit/UserLoginResourceTest.php
@@ -1,10 +1,5 @@ reflection->getMethod($method);