Revoked API token authenticates as anonymous access

  1. When I use a wrong (non-existent) API token (e.g. a mistyped one), the API returns a standard 401 error.
  2. When I use a revoked token, the API switches to anonymous access.
  3. When I use a valid token with another email address - e.g. userX token for userY email - the API switches to anonymous access.

The behaviour should be the same: the API should return 401 for any invalid API token, no matter whether it is revoked or used with the wrong email.

Update: One more problem. When a user is suspended (revoked) from the project, the API returns 401 properly, but the body is an HTML error, unlike the plain-text error message returned when a wrong token is typed.
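
The behaviour requested in this report, sketched as an added example (not the project's own code): anonymous access is granted only when no credentials are sent, and every presented-but-invalid credential gets one identical plain-text 401. The names `authenticate`, `TOKENS`, `TokenRecord` and `UNAUTHORIZED`, and the token and email values, are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TokenRecord:
    email: str
    revoked: bool = False
    suspended: bool = False   # owner suspended from the project


# Constructed sample store; token strings and emails are placeholders.
TOKENS = {
    "tok-userX": TokenRecord("userx@example.com"),
    "tok-old": TokenRecord("userx@example.com", revoked=True),
    "tok-userZ": TokenRecord("userz@example.com", suspended=True),
}

# One response for every failure: same status, same content type, same body.
UNAUTHORIZED = (401, {"Content-Type": "text/plain"}, "Invalid API credentials")


def authenticate(email: Optional[str], token: Optional[str]):
    """Return (status, headers, identity_or_error_body).

    Fail closed: once the client presents any credential, a failed check
    must end in 401 and never fall back to the anonymous identity.
    """
    if email is None and token is None:
        # No credentials at all is the only path to anonymous access.
        return (200, {}, "anonymous")

    record = TOKENS.get(token or "")
    valid = (
        record is not None              # case 1: unknown or mistyped token
        and not record.revoked          # case 2: revoked token
        and email is not None
        and record.email == email.lower()   # case 3: token used with another email
        and not record.suspended        # update: suspended user
    )
    if not valid:
        return UNAUTHORIZED
    return (200, {}, record.email)
```
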