Issue #2901574 by Wim Leers: Requests to log in (cookie auth) via /user/login?_format=json result in 403 without helpful message

core/modules/user/src/Access/LoginStatusCheck.php

@@ -26,7 +26,11 @@ class LoginStatusCheck implements AccessInterface {
   public function access(AccountInterface $account, Route $route) {
     $required_status = filter_var($route->getRequirement('_user_is_logged_in'), FILTER_VALIDATE_BOOLEAN);
     $actual_status = $account->isAuthenticated();
-    return AccessResult::allowedIf($required_status === $actual_status)->addCacheContexts(['user.roles:authenticated']);
+    $access_result = AccessResult::allowedIf($required_status === $actual_status)->addCacheContexts(['user.roles:authenticated']);
+    if (!$access_result->isAllowed()) {
+      $access_result->setReason($required_status === TRUE ? 'This route can only be accessed by authenticated users.' : 'This route can only be accessed by anonymous users.');
+    }
+    return $access_result;
   }
 
 }

core/modules/user/tests/src/Functional/UserLoginHttpTest.php

@@ -181,6 +181,11 @@ class UserLoginHttpTest extends BrowserTestBase {
     $this->assertEquals($account->getRoles(), $result_data['current_user']['roles']);
     $logout_token = $result_data['logout_token'];
 
+    // Logging in while already logged in results in a 403 with helpful message.
+    $response = $this->loginRequest($name, $pass, $format);
+    $this->assertSame(403, $response->getStatusCode());
+    $this->assertSame(['message' => 'This route can only be accessed by anonymous users.'], $this->serializer->decode($response->getBody(), $format));
+
     $response = $client->get($login_status_url, ['cookies' => $this->cookies]);
     $this->assertHttpResponse($response, 200, UserAuthenticationController::LOGGED_IN);