wrong password login screen should return 401 so that it counts to the rate limiter, fixes #3867

src/routes/login.js

@@ -76,7 +76,7 @@ function login(req, res) {
         // note that logged IP address is usually meaningless since the traffic should come from a reverse proxy
         log.info(`WARNING: Wrong password from ${req.ip}, rejecting.`);
 
-        res.render('login', {
+        res.status(401).render('login', {
             failedAuth: true,
             assetPath: assetPath
         });