From e9046fc553b35e987a729efe68c7dbc221df2376 Mon Sep 17 00:00:00 2001
From: Kegan Dougal
Date: Thu, 9 Jul 2020 17:55:03 +0100
Subject: [PATCH] 403 not 401 on wrong user/pass
---
 clientapi/auth/password.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clientapi/auth/password.go b/clientapi/auth/password.go
index 9d66d5812..f48149252 100644
--- a/clientapi/auth/password.go
+++ b/clientapi/auth/password.go
@@ -67,7 +67,7 @@ func (t *LoginTypePassword) Login(ctx context.Context, req interface{}) (*Login,
 // Technically we could tell them if the user does not exist by checking if err == sql.ErrNoRows
 // but that would leak the existence of the user.
 return nil, &util.JSONResponse{
- Code: http.StatusUnauthorized,
+ Code: http.StatusForbidden,
 JSON: jsonerror.Forbidden("username or password was incorrect, or the account does not exist"),
 }
 }
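Review bot: The comment above the return explains why an unknown user and a wrong password share one response, but it does not say that the status code is now part of that invariant. I would extend it with `// Return the same status code and JSON body for an unknown user and for a wrong password.` so a later edit does not split the two cases again. The condition guarding this return is outside the hunk, so the following is inferred: if it fires on any lookup error rather than only on a credential mismatch, a database failure is also reported to the client as bad credentials. A server-side log line at this point would let operators tell an outage from password guessing. Login starts and ends outside the hunk.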