h
API authorization silently ignored if access token has expired
Originally reported in the context of https://github.com/elifesciences/annotations/pull/62.
If an API request is made with an invalid or expired access token in the Authorization: Bearer $TOKEN header then the invalid token is currently silently ignored and the request proceeds as if it were unauthenticated.
For API requests that must be authenticated, this is not developer friendly because the problem is not clearly communicated in the response. It also requires developers to do more work to track when they need to refresh a token, since they can't simply rely on getting a machine-readable error if they tried to use an expired token. For requests where authentication is optional the behaviour is arguably worse because the API will simply respond as if the user were anonymous. Depending on the context that could lead a user of a third-party client to think their (non-public) data had been deleted.
My suggestion is that if an Authorization header is provided and if the token is not valid, we should instead raise the appropriate 4xx error with a helpful JSON response.
I'd expect a 401 Unauthorized response if the token has expired or been revoked.
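To make the two behaviours concrete, here is an added example (my own illustration, not code from h or from the elifesciences/annotations project) that puts the reported "silently anonymous" handling next to the proposed strict handling. The token table, user names, token strings and the fixed clock value are constructed for the example; the response shape is a plain dict standing in for an HTTP response, and the `WWW-Authenticate` challenge follows RFC 6750 so that a client can distinguish "no credentials" from "bad credentials" without parsing the body.

```python
"""Lenient vs. strict handling of an invalid `Authorization: Bearer` token.

Added example, not project code. Tokens, users and the clock are constructed.
"""

# Fixed "current time" so results are reproducible (constructed value).
NOW = 1_700_000_000

# Constructed token table: token -> (user id, expiry as unix time, revoked?)
TOKENS = {
    "tok-alice-valid":   ("alice", NOW + 3600, False),
    "tok-bob-expired":   ("bob",   NOW - 60,   False),
    "tok-carol-revoked": ("carol", NOW + 3600, True),
}


def parse_bearer(headers):
    """Classify the Authorization header: ('absent', None), ('malformed', None)
    or ('present', token). Real frameworks normalise header case; this assumes
    the canonical 'Authorization' key."""
    value = headers.get("Authorization")
    if value is None:
        return "absent", None
    parts = value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return "malformed", None
    return "present", parts[1].strip()


def check_token(token, now=NOW):
    """Return ('ok', user) or ('expired' | 'revoked' | 'unknown', None)."""
    entry = TOKENS.get(token)
    if entry is None:
        return "unknown", None
    user, expires_at, revoked = entry
    if revoked:
        return "revoked", None
    if now >= expires_at:
        return "expired", None
    return "ok", user


def authorize_lenient(headers, now=NOW):
    """The behaviour described in the report: any failure, including an expired
    or revoked token, collapses to an anonymous 200 with no signal to the client."""
    state, token = parse_bearer(headers)
    if state == "present":
        result, user = check_token(token, now)
        if result == "ok":
            return {"status": 200, "user": user}
    return {"status": 200, "user": None}


def _unauthorized(reason, message, challenge):
    """401 with a machine-readable JSON body and an RFC 6750 challenge header."""
    return {
        "status": 401,
        "headers": {"WWW-Authenticate": challenge},
        "body": {"status": "failure", "reason": reason, "message": message},
    }


def authorize_strict(headers, require_auth=False, now=NOW):
    """Proposed behaviour: a header that is present but unusable is always a 401,
    so a client can tell 'refresh your token' apart from 'this data is gone'.
    A missing header is still anonymous unless the endpoint requires auth."""
    state, token = parse_bearer(headers)
    if state == "absent":
        if require_auth:
            return _unauthorized("missing", "Authorization header required",
                                 'Bearer realm="api"')
        return {"status": 200, "user": None}
    if state == "malformed":
        return _unauthorized(
            "malformed", "Authorization header is not 'Bearer <token>'",
            'Bearer error="invalid_request", error_description="malformed header"')
    result, user = check_token(token, now)
    if result == "ok":
        return {"status": 200, "user": user}
    messages = {
        "expired": "access token has expired",
        "revoked": "access token has been revoked",
        "unknown": "access token is not recognised",
    }
    return _unauthorized(
        result, messages[result],
        'Bearer error="invalid_token", error_description="%s"' % messages[result])


if __name__ == "__main__":
    expired = {"Authorization": "Bearer tok-bob-expired"}
    print("lenient:", authorize_lenient(expired))   # anonymous 200, problem hidden
    print("strict: ", authorize_strict(expired))    # 401 with reason "expired"
```

The distinction that matters for the report is the `absent` branch: an anonymous request stays anonymous, but once a client has tried to present credentials, a failure is reported rather than swallowed. Keeping the failure reason (`expired`, `revoked`, `unknown`) in the JSON body gives a third-party client something it can act on, such as refreshing on `expired` and re-prompting for login on `revoked`.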