I'm using the Angular LoopBack SDK and am trying to implement a 401 handler that automatically detects when the user needs to authenticate. LoopBack responds to a data request with a 401 and I use that to invoke a login dialog. Basically using the strategy described here -
However, if the user supplies bad credentials then LoopBack issues a 401 and that invokes the 401 handler again... How best should I differentiate between a 401 which is a genuine AUTH failure and a failed login attempt?
Why is that bad?
You should be able to trigger your login dialog over and over again from the same state if the user doesn't know how to log in multiple times, right? If you are already showing the dialog, don't trigger it again and show an inline "Login failed" message. Or use a /login route and just intercept any 401 unauthorized and send to that page.
There is also an error message payload that you could inspect that might allow different messaging, so you could show a message "session expired" instead of just "you are logged out, please login." But in general, it's better to stay generic and just gently ask for a re-login.
You could also send different codes when the backend can determine that the username/email is on the system, but that's generally a security no-no and you'd have to override LoopBack defaults.
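One way to make the distinction discussed in this thread, as an added example that is not part of the original posts or of the LoopBack SDK: classify each 401 by the request it answers and by the error payload, open the dialog only once, and keep the failure message generic. The login route pattern, the error codes read from `data.error.code`, and the `ui` object are assumptions; the sample responses are constructed.

```javascript
// Added example, not LoopBack SDK code. Assumed: the login route pattern and
// the error codes 'LOGIN_FAILED' / 'AUTHORIZATION_REQUIRED' in data.error.code.
const LOGIN_ROUTE = /\/login(\?.*)?$/;

// Decide what a 401 means. `rejection` has the shape AngularJS passes to a
// responseError interceptor: { status, config: { url }, data }.
function classify401(rejection) {
  if (!rejection || rejection.status !== 401) return 'not-401';
  const url = (rejection.config && rejection.config.url) || '';
  const err = (rejection.data && rejection.data.error) || {};
  // A 401 answering the login call itself is a failed attempt, not a lost session.
  if (LOGIN_ROUTE.test(url) || err.code === 'LOGIN_FAILED') return 'login-failed';
  return 'auth-required';
}

// Apply the UI policy from the answer: one dialog, inline message on failure.
// `ui` is a hypothetical object: { dialogOpen, openDialog(), showInlineError(msg) }.
function handle401(rejection, ui) {
  const kind = classify401(rejection);
  if (kind === 'login-failed') {
    // Same wording whether or not the account exists (no user enumeration).
    ui.showInlineError('Login failed');
    return 'inline-error';
  }
  if (kind === 'auth-required') {
    if (ui.dialogOpen) return 'already-open';
    ui.dialogOpen = true;
    ui.openDialog();
    return 'dialog-opened';
  }
  return 'ignored';
}

// Constructed sample responses, run in order against one UI state.
function demo() {
  const log = [];
  const ui = {
    dialogOpen: false,
    openDialog: () => log.push('open'),
    showInlineError: (m) => log.push('inline:' + m),
  };
  const samples = [
    { status: 401, config: { url: '/api/Orders' }, data: { error: { code: 'AUTHORIZATION_REQUIRED' } } },
    { status: 401, config: { url: '/api/Orders/5' }, data: { error: { code: 'AUTHORIZATION_REQUIRED' } } },
    { status: 401, config: { url: '/api/Users/login' }, data: { error: { code: 'LOGIN_FAILED' } } },
    { status: 404, config: { url: '/api/Orders/9' }, data: {} },
  ];
  return { actions: samples.map((r) => handle401(r, ui)), log };
}
```

In an AngularJS `responseError` interceptor, `handle401` would be called before returning `$q.reject(rejection)`.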