Change request error code for invalid login attempts

Currently, the returned error code is 400 (Bad request). I think this is a bit strange, especially from a front-end perspective. Using 401 (Unauthorized) or 403 (Forbidden) seems more appropriate. 