I am implementing a simple registation/login module.
While testing user credentials, I start thinking which HTTP status code will be appropriate, for the situation if a user send a request with incorrect credentials.
At first, I thought 401 Unauthorized would be a nice status code, but it seems it will be better to use it when a user is trying to get some resource without authorisation.
After, I switched to 409 Conflict
This code is only allowed in situations where it is expected that the user might be able to resolve the conflict and resubmit the request.
So, friends, please give me an advise, which status code should be used.
If you use HTTP authentication as defined by RFC 7235, 401 would be correct (for missing or incorrect credentials). Howewer you have to implement WWW-Authenticate header field.
Otherwise, use RFC 7231 6.5.3. 403 Forbidden.
Note though that 404 is also applicable as per the above link:
An origin server that wishes to "hide" the current existence of a forbidden target resource MAY instead respond with a status code of 404 (Not Found).