Gracefully handle token expiration

[ianlivingstone]

If a token expires, or becomes invalid, the daemon does not destroy the session -- instead it will continue to attempt to use its currently stored session until the daemon is restarted or a user explicitly logs out through the CLI.

We should detect this scenario and destroy the session if a 401 is returned.

[ianlivingstone]

Thoughts @jeffandersen @jbowes @jelmersnoeck ?

[jeffandersen]

You're gonna get a 401 back on requests which you're denied through ACL, so forcing you to log in again after that would suck.

This might involve adding a route specific to just testing auth, and ensure that we call that first?

Unless we can start storing the expiry alongside the token and just have the daemon check that locally first.

[ianlivingstone]

You're gonna get a 401 back on requests which you're denied through ACL, so forcing you to log in again after that would suck.

Yeah, we'd need to differentiate between an unauthorized access error and invalid session -- ideally through the error message type or some other piece of meta data.

[ianlivingstone]

We should probably differentiate between Forbidden access and not having a valid session (Unauthorized) to support this feature appropriately.