
Differentiate manual login failures for unknown account vs invalid password #48

Draft
Copilot wants to merge 3 commits into main from copilot/fix-login-error-messages

Copilot AI commented May 12, 2026


Manual login currently returns the same error for both nonexistent email/username and incorrect password, which makes recovery flow ambiguous for real users. This change updates the JWT login path to return distinct failure messages for those two cases while preserving existing token/lockout behavior.

  • Auth error mapping in token serializer

    • Updated MyTokenObtainPairSerializer.validate() in backend/wordgen/auth_views.py.
    • Kept super().validate(...) as the primary auth path, then mapped failed auth outcomes into:
      • No account found for this email/username.
      • Incorrect password.
    • Applied lookup for both username and email login inputs.
  • Focused auth tests

    • Extended AuthTokenTest in backend/wordgen/tests.py to assert message-level behavior for:
      • wrong password on existing user
      • nonexistent username
      • nonexistent email
  • Behavioral example

    # POST /api/user/token/
    {"username": "missing-user", "password": "StrongPass1!"}
    # -> 401 {"detail": "No account found for this email/username."}
    
    {"username": "authuser", "password": "wrong"}
    # -> 401 {"detail": "Incorrect password."}

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • api.pwnedpasswords.com
    • Triggering command: /usr/bin/python python manage.py test --verbosity=1 (dns block)

If you need me to access, download, or install something from one of these locations, you can either:
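
The error mapping described in the pull request description above, as an added example that is not the project's code: `UserStore`, `AuthFailed`, `login` and the `distinct_errors` flag are hypothetical stand-ins, with an in-memory store replacing Django and `authenticate()` playing the role of `super().validate(...)`. The generic message used for the pre-change behaviour is constructed.

```python
import hashlib
import hmac
import os

NO_ACCOUNT = "No account found for this email/username."
BAD_PASSWORD = "Incorrect password."

class AuthFailed(Exception):
    """Stand-in for the 401 response; str(exc) is the 'detail' text."""

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class UserStore:
    """Constructed in-memory user table (hypothetical, not the project's model)."""
    def __init__(self):
        self._users = []

    def add(self, username, email, password):
        salt = os.urandom(16)
        self._users.append({"username": username, "email": email.lower(),
                            "salt": salt, "hash": _hash(password, salt)})

    def find(self, identifier):
        # One lookup covering both username and email login inputs.
        for u in self._users:
            if u["username"] == identifier or u["email"] == identifier.lower():
                return u
        return None

    def authenticate(self, identifier, password):
        # Primary auth path: fails with one generic message in every case.
        user = self.find(identifier)
        salt, stored = (user["salt"], user["hash"]) if user else (b"\0" * 16, b"")
        if not hmac.compare_digest(_hash(password, salt), stored) or user is None:
            raise AuthFailed("Invalid credentials.")
        return user

def login(store, identifier, password, distinct_errors=True):
    try:
        return store.authenticate(identifier, password)
    except AuthFailed:
        if not distinct_errors:
            raise  # pre-change behaviour: same message for both failures
        # The lookup runs only after auth has failed, to pick the message.
        # The response now shows whether the identifier is registered.
        msg = BAD_PASSWORD if store.find(identifier) else NO_ACCOUNT
        raise AuthFailed(msg) from None
```

With distinct messages, any caller of the token endpoint can tell whether a username or email is registered, so the lockout and rate limiting on that endpoint carry more of the load than they did with a single message.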

Copilot AI requested review from Copilot and removed request for Copilot May 12, 2026 20:23

vercel Bot commented May 12, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
pii-casso Ready Ready Preview, Comment May 12, 2026 8:34pm

Copilot AI requested review from Copilot and removed request for Copilot May 12, 2026 20:30
Agent-Logs-Url: https://github.com/yokesh-kumar-M/Piicasso/sessions/dda898e3-74e0-43a7-ba65-b718c073ad02

Co-authored-by: yokesh-kumar-M <119868649+yokesh-kumar-M@users.noreply.github.com>
Copilot AI requested review from Copilot and removed request for Copilot May 12, 2026 20:32
Copilot AI changed the title from "[WIP] Fix login error messages for non-existent email or wrong password" to "Differentiate manual login failures for unknown account vs invalid password" May 12, 2026
Copilot AI requested a review from yokesh-kumar-M May 12, 2026 20:34
Development

Successfully merging this pull request may close these issues.

Login shows the same error for non-existent email/username and wrong password
