SocialGouv / e2esdk

SDK to build end-to-end encrypted web applications
https://socialgouv.github.io/e2esdk
Apache License 2.0

[devtools] login with invalid creds #19

Open revolunet opened 1 year ago

revolunet commented 1 year ago

Not sure if this is intended or not, but in devtools, login with invalid creds does not return server errors.

[screenshot: e2esdk-login]

franky47 commented 1 year ago

The concept of login here is a bit different to traditional client/server interactions.

There is no interaction with the server needed to login, it's a local key derivation procedure. It has the advantage of making the system work offline, but we could add a handshake with the server to verify if the derived identity is registered (it would also double up as verifying the server has the right information).

In your example, passing an invalid main key (wrong length) should result in an immediate error in the key derivation code; I'll have to take a look at that. Though in practice entering a main key directly is a temporary thing; later on it will be hidden under an authentication strategy (password, local device, WebAuthn, etc.).

Now the actual server error you see is an unauthorized error, meaning there is no account associated with the locally derived identity. This indeed needs some UI feedback on the devtools.