Currently there is no way to log in except via the user login form. This is not ideal for non-browser/headless clients.
If we use the user login form we always receive a 200; for failed attempts we need appropriate 40x responses that reflect the type of error. We also want to be able to verify logout and the login status of the current user.
- Create a controller and corresponding routes for logging in, login status, and logging out that return meaningful HTTP status codes and messages.
- Support JSON by default. Upon installing the serialization module, all serialization formats become available.
- The same flood control protection as the current login form (and equal or better test coverage), to prevent security problems.
We are intentionally not implementing this as a set of @RestResource plugins, because:
- logging in/out is not CRUD, it's not stateless, and it's really RPC, not REST — see #164
- to avoid having to enable the REST module just for logging in, for example when using the GraphQL or Services contrib modules — see #172
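As an added illustration (not code from this issue or its patch), the following Python model sketches the three endpoints described above: a JSON login that returns distinct status codes for malformed requests, flood-blocked clients and rejected credentials, plus login status and logout. The route paths, JSON field names, status codes and flood limits are assumptions chosen for the example, and the stores are constructed in memory.

```python
import hashlib, hmac, json, secrets, time
from collections import defaultdict, deque

FLOOD_LIMIT = 5        # assumed: failed attempts tolerated per client per window
FLOOD_WINDOW = 3600    # assumed: window length in seconds


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed in-memory stores; Drupal would use its user storage and flood service.
SALT = secrets.token_bytes(16)
USERS = {"alice": _hash("correct horse battery staple", SALT)}
_failures = defaultdict(deque)   # client key -> timestamps of failed attempts
_sessions = {}                   # session id -> account name


def _flood_blocked(key, now):
    window = _failures[key]
    while window and now - window[0] > FLOOD_WINDOW:
        window.popleft()         # forget attempts older than the window
    return len(window) >= FLOOD_LIMIT


def login(body, client_ip, now=None):
    """POST /user/login with a JSON body; returns (status, json_text)."""
    now = time.time() if now is None else now
    try:
        data = json.loads(body)
        name, password = data["name"], data["pass"]
        if not (isinstance(name, str) and isinstance(password, str)):
            raise TypeError("credentials must be strings")
    except (ValueError, KeyError, TypeError):
        return 400, json.dumps({"message": "Missing credentials."})
    if _flood_blocked(client_ip, now):   # refuse before touching credentials
        return 403, json.dumps({"message": "Too many failed login attempts."})
    # Hash even for unknown names so response time does not reveal accounts.
    if not hmac.compare_digest(USERS.get(name, b""), _hash(password, SALT)):
        _failures[client_ip].append(now)
        return 403, json.dumps({"message": "Unrecognized username or password."})
    _failures[client_ip].clear()
    sid = secrets.token_hex(16)
    _sessions[sid] = name
    return 200, json.dumps({"name": name, "session": sid})


def login_status(sid):   # GET /user/login_status: 1 when the session is live, else 0
    return 200, json.dumps(1 if sid in _sessions else 0)


def logout(sid):   # POST /user/logout: 204 on success, 403 when not logged in
    if _sessions.pop(sid, None) is None:
        return 403, json.dumps({"message": "Not logged in."})
    return 204, ""
```

Malformed requests (400) are not counted against the flood limit; only rejected credentials are, and the check runs before any password comparison so a blocked client learns nothing about the account.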
Beta phase evaluation
| Issue category | Feature, because there is actually no way to log in from a headless app: using only the "User login form" you can log in if you need a cookie session, but it is not clear whether that is the correct way or, at least, the best way. |
| Issue priority | Major, because the cookie session is important in some contexts, for example because Basic auth is not possible with Views (see https://www.drupal.org/node/2076725). So, if you want to create a headless app you will probably need a cookie session in some cases. See https://groups.drupal.org/node/473598 |
| #274 | 2403307-274.patch | 33.5 KB | Wim Leers |