plone / plone.restapi

RESTful API for Plone.
http://plonerestapi.readthedocs.org/

Authentication error messages from PAS Plugins aren't returned by the restapi #1761

Open djay opened 3 months ago

djay commented 3 months ago

All errors result in the same generic error message, which can be misleading.

https://github.com/plone/plone.restapi/blob/b93e41072541ab917b70fc32e81a02dd775eff73/src/plone/restapi/services/auth/login.py#L64

The method used by most PAS Plugins is the status message, either for information purposes or for errors about why the login was not successful. The status messages should be passed via the API so the client can display them.

An example of a plugin is:

https://github.com/collective/Products.LoginLockout/blob/506ff80b8066e0c26acc3e9cb7c05a76e4b96787/Products/LoginLockout/plugin.py#L232

djay commented 2 months ago

The message is passed as a cookie, but this might not be the preferred method. Either Volto needs to read the cookies or the restapi should convert the cookies to a header or JSON response.