[5.7] Change ThrottlesLogins lockout response code to HTTP 429

[jakebathman]

Currently, a user that attempts too many incorrect logins receives a response with an HTTP status code 423 with the message Too many login attempts. Please try again in :seconds seconds.

HTTP 423 is the wrong code for this; it's meant for WebDAV to indicate that a resource (file) is locked, as described in RFC 4918, not that a user account is locked.

The appropriate code is 429 which matches the current return code in ThrottleRequestsException thrown by the generic ThrottleRequests middleware.

This will be a breaking change, and is therefore targeted to the 5.7 release.

Let me know if anyone has questions or comments. Thanks!

[tillkruss]

Surprising nobody noticed that until now.

[laurencei]

So given we now have ThrottleRequestsException - is thowing a ValidationException even the right response in the first place?

There is no validation error - so why throw a validation response?

We can DRY this up and just throw a ThrottleRequestsException here cant we?

[taylorotwell]

Fixed on 5.6 as really a bug.