s-u
commented
4 years ago The following point should be configurable:
login.R is requested to make authentication (typically on behalf of the user entering login/pwd) by execLogin=action using session.server.auth(). If this fails a configuration authfail.page is consulted and re-directed to that page, otherwise "Authentication failed - please check your username and password." is shown (the latter is the current behavior).
(For completeness, if login.R encounters missing user or token cookies, or if the current cookie token is invalid, it will re-direct to the welcome page which is expected to request credentials.)
login_successful.R expects valid user/token cookies and if they are not valid, consult tokenfail.page configuration for a redirect or output "Invalid token, could not authenticate with the back-end" (as currently).
(For consideration: we may want to think about handling of redirects here - the URL to the page will correctly feature the redirect query string but the page itself has to know what to do with it if it wants to create further links ...)
With more details, HTML customization, various paths like bad token, no token, etc.