Requests to log in (cookie auth) via /user/login?_format=json result in 403 without helpful message

First: thank you so much for taking the time to report this! ❤️ We need this kind of feedback to make API-First Drupal better!

Is this the intended behaviour?

Good question! We do have /user/login_status for checking the login status when using cookie authentication. And these are the relevant routes:

user.login.http:
  path: '/user/login'
  defaults:
    _controller: \Drupal\user\Controller\UserAuthenticationController::login
  methods: [POST]
  requirements:
    _user_is_logged_in: 'FALSE'
    _format: 'json'

+

user.logout.http:
  path: '/user/logout'
  defaults:
    _controller: \Drupal\user\Controller\UserAuthenticationController::logout
  methods: [POST]
  requirements:
    _user_is_logged_in: 'TRUE'
    _format: 'json'
    _csrf_token: 'TRUE'

Note how the values for _user_is_logged_in are each other opposite! This is why we also have /user/login_status as I said before:

user.login_status.http:
  path: '/user/login_status'
  defaults:
    _controller: \Drupal\user\Controller\UserAuthenticationController::loginStatus
  methods: [GET]
  requirements:
    _access: 'TRUE'
    _format: 'json'

So: yes.

Should we have a more informative message?

Yes! Let's do it :) Converting this issue from a support request to a task.

First: expanded test coverage to check the 403 and assert a helpful error message.

This patch should fail.

And now with the changes to add a helpful message. Patch should pass tests now.

Nice improvement. I like that this could be one day maybe even used for normal 403 sites ...

Yep :)

This is where our time investment in infrastructure/foundation work in 8.2 and 8.3 is paying off: both the test coverage and the logic change are trivial 😀✋️

BTW I also pinged @blainelang after posting #2+#3+#4 :) https://twitter.com/wimleers/status/903383065300533250

You're welcome :)

Committed/pushed to 8.5.x and cherry-picked to 8.4.x. Thanks!