- When I use a wrong (non-existent) API token (e.g. a mistyped one), the API returns a standard 401 error.
- When I use a revoked token, the API switches to anonymous access.
- When I use a valid token with another email address, e.g. userX's token with userY's email, the API switches to anonymous access.

The behaviour should be the same: the API should return 401 for any invalid API token, no matter whether it is revoked or used with the wrong email.

Update: One more problem. When a user is suspended (revoked) from the project, the API returns 401 properly, but the body is an HTML error, unlike the plain-text error message returned when a wrong token is typed.
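
The expected behaviour as a fail-closed check, added here as an illustration (not part of the original report and not the API's own code). The token store, token values, email addresses and function names are constructed, and the sketch assumes anonymous access is meant only for requests that send no credentials at all:

```python
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class TokenRecord:
    email: str
    revoked: bool = False     # token was revoked by its owner or an admin
    suspended: bool = False   # owning user was suspended from the project

# Constructed sample store (hypothetical values, not real credentials).
TOKENS = {
    "tok-userX": TokenRecord("userx@example.com"),
    "tok-userY": TokenRecord("usery@example.com"),
    "tok-old": TokenRecord("userx@example.com", revoked=True),
    "tok-susp": TokenRecord("userz@example.com", suspended=True),
}

# One response for every credential failure: same status, same content
# type, same body, so callers cannot tell the failure reasons apart.
UNAUTHORIZED = (401, "text/plain", "401 Unauthorized")

def lookup(token):
    """Find a token record using constant-time comparisons."""
    found = None
    for known, record in TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            found = record
    return found

def authenticate(email, token):
    """Return (status, content_type, body); body is the identity on success."""
    # Anonymous access only when no credentials were supplied.
    if email is None and token is None:
        return (200, "text/plain", "anonymous")
    # Credentials were supplied, so from here on every failure is a 401,
    # never a silent downgrade to anonymous.
    if not email or not token:
        return UNAUTHORIZED
    record = lookup(token)
    if record is None or record.revoked or record.suspended:
        return UNAUTHORIZED
    if not hmac.compare_digest(record.email.encode(), email.lower().encode()):
        return UNAUTHORIZED
    return (200, "text/plain", record.email)
```
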