The APIs using login_user are currently not following the API
conventions for non-SSO related authentication errors, by returning a
200 status code for errors.
In addition to switching the status code from 200 => 400 for
authentication failures, the following minor changes were made:
- Document and refactor an existing authn switch.
- Remove an unused url definition for login_ajax + error.
BREAKING CHANGE: This changes /login_post and /login_ajax to return
400, rather than 200, when success=False in the returned JSON (for
non-SSO related authentication errors).
To remove risk around this change, it was added behind a waffle switch
named `user_authn.update_login_user_error_status_code`.
A breaking change was made, rather than introducing /login_ajax_new,
in order to more quickly get to our end goal of the current clean-up
effort of having a single function for login. If this breaks any
callers, we may fix or abandon this change altogether.
ARCH-1253
5aa6181f85