fix: return 401 instead of 500 for invalid bearer tokens (IS-5805)#8

Open
mykyta-batalov wants to merge 1 commit into master from fix/IS-5805-invalid-bearer-returns-401
Conversation

@mykyta-batalov mykyta-batalov commented Mar 16, 2026

Summary

  • Invalid/expired/empty bearer tokens caused the OIDC plugin to return HTTP 500 instead of 401
  • The plugin fell through verify_bearer_jwt() → introspect() → make_oidc(), where resty.openidc.authenticate() failed with a non-standard error string, triggering the catch-all 500 at handler.lua:106
  • Added short-circuit 401 responses after failed JWT verify and introspection when a bearer token is detected via has_bearer_access_token()
  • Browser/session flows (no bearer token) are unaffected — they still fall through to make_oidc()

Branch restructuring

  • Created v2 branch to preserve the v2.0.x work (23 commits)
  • Reset master to v1.4.0-7 (current production) so this fix targets the deployed version
  • Tagged as v1.4.0-8

Test plan

  • Deploy to stage and test with an invalid bearer token → should now return 401
  • Test with an empty bearer (Authorization: Bearer ) → should return 401
  • Test with a valid bearer token → should work as before (200)
  • Test with no Authorization header (browser flow) → should redirect to OIDC provider as before

Jira: IS-5805

🤖 Generated with Claude Code

When a bearer token is present but invalid/expired/empty, the plugin
was falling through to make_oidc() which returned a generic 500.
Now short-circuits with 401 after failed JWT verify or introspection
when a bearer token is detected, preventing the fallthrough.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
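The short-circuit described in the summary, written out as an added illustration (this is not the PR's own handler.lua and not code from the plugin project). It assumes a kong-oidc-style plugin built on lua-resty-openidc, a Kong version that provides kong.response.exit(), and a config table with the fields used in build_opts(); has_bearer_access_token() is re-implemented here with the "Authorization: Bearer ..." prefix check so the block does not depend on the plugin's utils module. The important defensive property is that once a bearer token is present, every failure path ends in 401 with the real reason logged server-side only, and the session/redirect flow is reached only when no bearer token was sent.

```lua
-- Added example: early 401 for a present-but-invalid bearer token.
-- Not the plugin's real handler; names marked ASSUMED are placeholders.
local openidc = require("resty.openidc")  -- real module: lua-resty-openidc

-- Re-implementation of the plugin's has_bearer_access_token() (ASSUMED equivalent):
-- true whenever the Authorization header starts with "Bearer ", including the
-- empty-token case "Authorization: Bearer " mentioned in the test plan.
local function has_bearer_access_token()
  local header = ngx.req.get_headers()["Authorization"]
  if type(header) ~= "string" then return false end
  local divider = header:find(" ", 1, true)
  return divider ~= nil and header:sub(1, divider - 1):lower() == "bearer"
end

-- ASSUMED mapping from plugin config to lua-resty-openidc options.
local function build_opts(oidcConfig)
  return {
    client_id              = oidcConfig.client_id,
    client_secret          = oidcConfig.client_secret,
    discovery              = oidcConfig.discovery,
    introspection_endpoint = oidcConfig.introspection_endpoint,
    redirect_uri           = oidcConfig.redirect_uri,
    ssl_verify             = oidcConfig.ssl_verify,
  }
end

-- Generic 401: the cause goes to the error log, never to the client, so an
-- attacker probing tokens cannot tell "expired" from "bad signature".
local function unauthorized(reason)
  ngx.log(ngx.WARN, "bearer token rejected: ", reason)
  ngx.header["WWW-Authenticate"] = 'Bearer realm="kong"'
  return kong.response.exit(401, { message = "Unauthorized" })
end

-- Thin wrappers around the real lua-resty-openidc calls, mirroring the three
-- stages named in the PR summary.
local function verify_bearer_jwt(oidcConfig)
  return openidc.bearer_jwt_verify(build_opts(oidcConfig))   -- json, err
end

local function introspect(oidcConfig)
  return openidc.introspect(build_opts(oidcConfig))          -- json, err
end

local function make_oidc(oidcConfig)
  -- Browser/session flow: redirects to the provider on a fresh visit.
  return openidc.authenticate(build_opts(oidcConfig))        -- res, err
end

-- Access-phase entry point (ASSUMED name/shape of the plugin's handle()).
local function handle(oidcConfig)
  local has_bearer = has_bearer_access_token()
  local user

  -- Stage 1: local JWT verification (ASSUMED config flag bearer_jwt_auth_enable).
  if oidcConfig.bearer_jwt_auth_enable then
    local res, err = verify_bearer_jwt(oidcConfig)
    if res then
      user = res
    elseif has_bearer then
      return unauthorized("jwt verify failed: " .. tostring(err))
    end
  end

  -- Stage 2: remote introspection.
  if not user and oidcConfig.introspection_endpoint then
    local res, err = introspect(oidcConfig)
    if res then
      user = res
    elseif has_bearer then
      return unauthorized("introspection failed: " .. tostring(err))
    end
  end

  -- Stage 3: only reached with NO bearer token, so authenticate()'s
  -- non-standard error strings can no longer turn a bad token into a 500.
  if not user then
    local res, err = make_oidc(oidcConfig)
    if err then
      ngx.log(ngx.ERR, "oidc authenticate failed: ", err)
      return kong.response.exit(500, { message = "Internal Server Error" })
    end
    user = res
  end

  return user
end

return { handle = handle }
```

The check a practitioner would want before merging: with has_bearer true, there must be no path out of stages 1 and 2 that reaches make_oidc(), and the 401 body must be identical for every rejection reason. The four cases in the test plan map directly onto the branches above (invalid and empty bearer hit unauthorized(), a valid bearer sets user in stage 1 or 2, and a missing header reaches stage 3 unchanged).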
@unblocked unblocked Bot left a comment

✅ No issues found
