The /login endpoint could be used to produce a UI sign-in webpage with custom error messages. To do this you should simply add the loginErrorMessage variable in your GET request:
&loginErrorMessage=Account%20Blocked%0APlease%20send%20your%20Email%20and%20Password%20to%20xyz@abc.com%20to%20unblock%20your%20account.
(Note that this variable is not even reported in your official documentation )
This�behaviour could be exploited by an attacker to create URLs for phishing purposes.
Is there a way to set a static message? Or to disable the login error message?
