Return correct http code for bad login params

This tells our generic ajax (Turbo) error handling to ignore the error and let the application display the response as usual.

app/controllers/spree/user_sessions_controller.rb

@@ -28,7 +28,7 @@ module Spree
         message = t('devise.failure.invalid')
         render turbo_stream: turbo_stream.update(
           'login-feedback', partial: 'layouts/alert', locals: { message:, type: 'alert' }
-        ), status: :unauthorized
+        ), status: :unprocessable_entity
       end
     end
 

spec/controllers/spree/user_sessions_controller_spec.rb

@@ -39,7 +39,7 @@ RSpec.describe Spree::UserSessionsController do
         spree_post :create, spree_user: { email: user.email, password: "wrong" },
                             format: :turbo_stream
 
-        expect(response).to have_http_status(:unauthorized)
+        expect(response).to have_http_status(:unprocessable_entity)
         expect(response.body).to include "Invalid email or password"
       end
     end