open-cogsci/omm-server

Deactivated users get an incorrect message when trying to log in

dschreij opened this issue · 0 comments

If a deactivated user tries to log in, he/she still gets an access token, even though the response's status code (correctly) is 401.
This results in the weird behavior where an error message is shown, but its contents contain a (valid?) access token.

Needless to say, this may also pose a serious security risk if the token can be used to access the system.
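
The behaviour reported above, as an added example that is not part of the original issue and is not omm-server's code: a login handler whose 401 response still carries a token, next to an ordering that issues no token until every check has passed, plus a regression check. It assumes the cause is that the token is created before the account status is checked; the user store, field names, messages and token issuer are all hypothetical.

```javascript
// Hypothetical login handlers (added example, not omm-server code).
// Constructed in-memory user store; field names and messages are assumptions.
// Plain-text password comparison is a stand-in for real hash verification.
const users = new Map([
  ['active@example.org', { password: 'correct-horse', active: true }],
  ['inactive@example.org', { password: 'correct-horse', active: false }],
]);

// Stand-in token issuer that records every token it hands out.
function makeIssuer() {
  const issued = [];
  const issue = (email) => {
    const token = `constructed-token-${issued.length + 1}-${email}`;
    issued.push(token);
    return token;
  };
  return { issued, issue };
}

const deny = (message, extra = {}) => ({ status: 401, body: { message, ...extra } });

// Reported behaviour: the token is issued before the account status is
// checked, so the 401 error body still contains it.
function loginLeaky(email, password, issuer) {
  const user = users.get(email);
  if (!user || user.password !== password) return deny('Invalid credentials');
  const token = issuer.issue(email);
  if (!user.active) return deny('Account deactivated', { token });
  return { status: 200, body: { token } };
}

// Hardened ordering: every check passes before any token exists.
function loginHardened(email, password, issuer) {
  const user = users.get(email);
  if (!user || user.password !== password) return deny('Invalid credentials');
  if (!user.active) return deny('Account deactivated');
  return { status: 200, body: { token: issuer.issue(email) } };
}

// Regression check: a rejected login must neither return a token in its body
// nor leave an issued token behind on the server side.
function leaksToken(login, email, password) {
  const issuer = makeIssuer();
  const res = login(email, password, issuer);
  return res.status !== 200 && ('token' in res.body || issuer.issued.length > 0);
}
```

Checking the issuer's record as well as the response body matters here: a token that was created and stored but merely omitted from the error message would still be valid if it leaked some other way.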