Revoked API token authenticates as anonymous access

  1. When I use a wrong (non-existent) API token (e.g. a mistype), the API returns a standard 401 error.
  2. When I use a revoked token, the API switches to anonymous access.
  3. When I use a valid token with another email address, e.g. userX's token with userY's email, the API switches to anonymous access.

The behaviour should be the same: the API should return 401 for any invalid API token, regardless of whether it is revoked or used with the wrong email.

See also https://community.atlassian.com/t5/Jira-questions/API-Token-expiry-and-error-handling/qaq-p/1246938

Update: one more problem. When a user is suspended (revoked) from the project, the API returns 401 properly, but the body is an HTML error, unlike the plain-text error message returned when a wrong token is typed.
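Until the server behaves consistently, a client can defend itself by never trusting a 200 alone: it calls an identity endpoint first and refuses to proceed unless the server reports the account the token was issued for. The following is an added example, not part of this issue report or of any Atlassian code. It assumes an identity endpoint such as Jira Cloud's `/rest/api/3/myself` and a JSON reply carrying `accountId` and `emailAddress` fields; the `ApiResponse` objects are constructed by hand to mimic the five behaviours described above (valid token, mistyped token, revoked token, mixed-up token and email, suspended user) and are not captured from a real server.

```python
"""Client-side guard against silent fallback to anonymous access.

Added example, not part of the original issue report. Instead of trusting a
200 status, the client calls an identity endpoint (assumed here to be Jira
Cloud's /rest/api/3/myself; other APIs have an equivalent) and checks that
the principal the server reports is the account the token was issued for.
The ApiResponse objects below are constructed to mimic the behaviours in the
report; nothing here is captured from a server.
"""
import json
from dataclasses import dataclass


@dataclass
class ApiResponse:
    status: int
    content_type: str
    body: str


class AuthCheckError(Exception):
    """kind is one of: rejected, anonymous_fallback, identity_mismatch, unexpected."""

    def __init__(self, kind: str, detail: str):
        super().__init__(f"{kind}: {detail}")
        self.kind = kind


def verify_identity(resp: ApiResponse, expected_email: str) -> dict:
    """Return the identity document only if it proves we act as expected_email.

    - 401 is an explicit rejection, whether the body is plain text or an HTML
      error page; both are normalised into the same 'rejected' error.
    - 200 with no account identity means the server treated us as anonymous
      (the revoked-token case): fail instead of silently reading public data.
    - 200 with a different account means token and email were mixed up.
    """
    if resp.status == 401:
        detail = "HTML error page" if "text/html" in resp.content_type else resp.body.strip()
        raise AuthCheckError("rejected", detail)
    if resp.status != 200:
        raise AuthCheckError("unexpected", f"status {resp.status}")
    if "application/json" not in resp.content_type:
        raise AuthCheckError("unexpected", f"non-JSON body ({resp.content_type})")
    me = json.loads(resp.body)
    # Field names assumed to follow the Jira 'myself' shape; adapt for other APIs.
    if not me.get("accountId"):
        raise AuthCheckError("anonymous_fallback",
                             "200 but no account identity: token revoked or invalid")
    reported = (me.get("emailAddress") or "").lower()
    if reported != expected_email.lower():
        raise AuthCheckError("identity_mismatch",
                             f"acting as {reported!r}, expected {expected_email!r}")
    return me


def classify(resp: ApiResponse, expected_email: str) -> str:
    """Label a response for logging or alerting: 'authenticated' or the failure kind."""
    try:
        verify_identity(resp, expected_email)
        return "authenticated"
    except AuthCheckError as err:
        return err.kind


# Constructed sample responses, one per behaviour described in the report.
SAMPLES = {
    "valid token, own email": ApiResponse(
        200, "application/json",
        json.dumps({"accountId": "acct-userY-constructed", "emailAddress": "usery@example.com"})),
    "mistyped token": ApiResponse(401, "text/plain", "Unauthorized (constructed message)"),
    # Revoked token: server answers 200 but as an anonymous principal (no identity fields).
    "revoked token": ApiResponse(200, "application/json", json.dumps({})),
    # Mixed-up token/email: if the server honours the token it reports userX; if it
    # instead treats the call as anonymous, the response lands in anonymous_fallback.
    "userX token with userY email": ApiResponse(
        200, "application/json",
        json.dumps({"accountId": "acct-userX-constructed", "emailAddress": "userx@example.com"})),
    "suspended user": ApiResponse(401, "text/html", "<html><body>Unauthorized</body></html>"),
}


if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(f"{name:30s} -> {classify(resp, 'usery@example.com')}")
```

The design choice is that every outcome other than "authenticated as the expected account" is a hard failure with a distinct label, so a revoked token shows up in logs as `anonymous_fallback` rather than as a mysteriously empty result set, and the plain-text and HTML 401 bodies collapse into one `rejected` case for the caller.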