Some applications have validation rules for sign up such as
Password must have at least 8 characters, with one number, a special character, ...
Your username cannot be longer than 15 characters
If, for instance, an application has a username/email field and a password field for login, and the user's input does not conform to the application's validation rules, is it OK to return a 401 HTTP status code without checking the database to see whether the credentials match?
The way I see it, the major positive is that you won't be making unnecessary database checks, since you know the data cannot be valid anyway. However, this still feels wrong to me, almost as if there's a vulnerability (I can't quite place my finger on any) or some rule is being violated.
Another possible issue with returning a 401 without making database calls could be if the application's validation rules change, then a username/password that was once invalid could become valid. However, it's nothing some unit tests cannot help detect.
With all that being said, is it appropriate to return a 401 HTTP Status Code without checking the database, when a user tries to login?
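As an added example that is not part of the original question, the login handler below keeps the short-circuit the asker describes (format failures are rejected before any database lookup) while making sure the observable response is the same as for a wrong password. It also runs the password hash against a dummy record when the username is unknown, so a missing account costs the same work as a wrong password; that last part is a separate hardening practice assumed here, not something the question asks about. The user table, salt and PBKDF2 parameters are all constructed in memory for the example.

```python
import hashlib
import hmac
import os
import re

# Constructed in-memory stand-in for the real user table: username ->
# (salt, PBKDF2-HMAC-SHA256 of the password). Iteration count is an
# assumption chosen to keep the example fast.
ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


_ALICE_SALT = os.urandom(16)
USERS = {
    "alice": (_ALICE_SALT, _hash_password("Correct-h0rse!", _ALICE_SALT)),
}

# Dummy record used when the username does not exist, so the hashing work
# (and hence the response time) is the same for unknown and known users.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-record-0!", _DUMMY_SALT)

# Signup rules from the question: username at most 15 characters; password at
# least 8 characters with at least one digit and one special character.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.@-]{1,15}")
REJECT = (401, {"error": "invalid credentials"})


def password_format_ok(password: str) -> bool:
    return (
        len(password) >= 8
        and re.search(r"\d", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def login(username: str, password: str):
    """Return (status, body). Every rejection path returns the same REJECT
    value, so the client cannot tell a format failure from a bad password."""
    # Short-circuit: input that can never match any account never reaches
    # the database. The rules are public (shown at signup), so this reveals
    # nothing the client could not compute locally.
    if USERNAME_RE.fullmatch(username) is None or not password_format_ok(password):
        return REJECT

    record = USERS.get(username)
    salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    candidate = _hash_password(password, salt)
    # Constant-time comparison; the result is only honoured for real records.
    if record is not None and hmac.compare_digest(candidate, stored):
        return 200, {"user": username}
    return REJECT


if __name__ == "__main__":
    print(login("alice", "Correct-h0rse!"))   # 200
    print(login("alice", "short"))            # rejected before any lookup
    print(login("nobody", "Valid-pass1!"))    # rejected after a dummy hash
```

The point to check when adopting this pattern is the one the question raises about changing rules: the short-circuit is only safe if every stored credential was created under rules at least as strict as the ones being enforced at login, otherwise an older but still valid account becomes unreachable. Note that the format check is applied to the password the user typed, never to anything stored, so it cannot leak information about existing accounts.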
From the HTTP protocol's point of view, it absolutely does not matter why a password is incorrect. A server can do whatever works best for checking.