Throw error when failing to introspect token instead of returning public incoming payment #2889

Open
1 task
mkurapov opened this issue Aug 23, 2024 · 0 comments
Labels
pkg: backend Changes in the backend package.
mkurapov commented Aug 23, 2024

Context

When we do GET /incoming-payment/:id via Open Payments APIs, we return either a "private" incoming payment (that requires an access token in the request) or a "public" incoming payment that returns fewer details and does not require an access token.

Currently, when we receive a request to this route, we always do a token introspection check and a signature verification. If those checks end up throwing an error, we suppress the error (via bypassError: true flag), and just return the public incoming payment instead:

```ts
// Middleware chain for GET /incoming-payment/:id (backend router)
createTokenIntrospectionMiddleware({
  requestType: AccessType.IncomingPayment,
  requestAction: RequestAction.Read,
  bypassError: true
}),
authenticatedStatusMiddleware,
getWalletAddressForSubresource,
incomingPaymentRoutes.get
```

However, this seems like the wrong behaviour: if the user of the Open Payments client is making a request to get an incoming payment with an access token, then the expected result is receiving the incoming payment with all of the details, or an error notifying the client about an invalid token, instead of a public incoming payment.

If the signature is invalid, however (but a token is not provided), we can still return the public incoming payment, since the intention of the client is still just to get the public incoming payment.

Tasks

  • if an accessToken is provided with the request to get an incoming payment, and the token is invalid, we should fail with a 401 error instead of returning a public incoming payment
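The two behaviours described in this issue, side by side, as an added example that is not Rafiki's code: a minimal Koa-style middleware chain where the token introspection step either swallows every failure (the current `bypassError: true` shape) or fails with a 401 only when a token is present but invalid (the proposed shape). The introspection check, the incoming payment record, the `GNAP` authorization header parsing and the `handle` dispatcher are constructed here for illustration and do not talk to a real auth server.

```typescript
// Added example (not Rafiki's code): a minimal Koa-style middleware chain that
// shows the current `bypassError: true` behaviour beside the proposed
// "401 when a token is present but invalid" behaviour for GET /incoming-payment/:id.
// The introspection check, the payment record and the request shape are
// constructed here for illustration; nothing talks to a real auth server.

type Ctx = {
  headers: { authorization?: string }
  status: number
  body?: unknown
  state: { authenticated: boolean }
}
type Middleware = (ctx: Ctx, next: () => void) => void

class HttpError extends Error {
  status: number
  constructor(status: number, message: string) {
    super(message)
    this.status = status
  }
}

// Constructed stand-in for token introspection: exactly one token is active.
function introspect(token: string): boolean {
  return token === 'valid-token'
}

// Open Payments sends the access token as `Authorization: GNAP <token>`.
function tokenFrom(ctx: Ctx): string | undefined {
  const auth = ctx.headers.authorization
  return auth && auth.startsWith('GNAP ') ? auth.slice('GNAP '.length) : undefined
}

// Constructed incoming payment: the private view carries amounts and metadata,
// the public view only what a payer needs to pay into it.
const PAYMENT = {
  id: 'pay-1',
  walletAddress: 'https://wallet.example/alice',
  incomingAmount: { value: '1000', assetCode: 'USD', assetScale: 2 },
  receivedAmount: { value: '250', assetCode: 'USD', assetScale: 2 },
  metadata: { note: 'invoice 42' },
}
function publicView(p: typeof PAYMENT) {
  return { id: p.id, walletAddress: p.walletAddress }
}

// Current shape: every failure (missing *or* invalid token) is swallowed when
// bypassError is set, so the request proceeds unauthenticated and gets the public view.
function createTokenIntrospectionMiddleware(opts: { bypassError: boolean }): Middleware {
  return (ctx, next) => {
    try {
      const token = tokenFrom(ctx)
      if (token === undefined) throw new HttpError(401, 'missing access token')
      if (!introspect(token)) throw new HttpError(401, 'invalid access token')
      ctx.state.authenticated = true
    } catch (err) {
      if (!opts.bypassError) throw err
      ctx.state.authenticated = false
    }
    next()
  }
}

// Proposed shape: only a missing token falls through to the public view; a
// token that is present but fails introspection is surfaced as a 401.
const proposedIntrospectionMiddleware: Middleware = (ctx, next) => {
  const token = tokenFrom(ctx)
  if (token === undefined) {
    ctx.state.authenticated = false
  } else if (introspect(token)) {
    ctx.state.authenticated = true
  } else {
    throw new HttpError(401, 'invalid access token')
  }
  next()
}

const getIncomingPayment: Middleware = (ctx) => {
  ctx.status = 200
  ctx.body = ctx.state.authenticated ? PAYMENT : publicView(PAYMENT)
}

// Runs a chain the way Koa composes middleware and turns an HttpError into a response.
function handle(chain: Middleware[], authorization?: string): { status: number; body: unknown } {
  const ctx: Ctx = { headers: { authorization }, status: 404, state: { authenticated: false } }
  const dispatch = (i: number): void => {
    const mw = chain[i]
    if (mw) mw(ctx, () => dispatch(i + 1))
  }
  try {
    dispatch(0)
  } catch (err) {
    if (err instanceof HttpError) return { status: err.status, body: { error: err.message } }
    throw err
  }
  return { status: ctx.status, body: ctx.body }
}

const currentChain: Middleware[] = [createTokenIntrospectionMiddleware({ bypassError: true }), getIncomingPayment]
const proposedChain: Middleware[] = [proposedIntrospectionMiddleware, getIncomingPayment]

// Invalid token: the current chain quietly downgrades to the public view, the proposed chain fails.
console.log(handle(currentChain, 'GNAP bogus').status, handle(proposedChain, 'GNAP bogus').status) // 200 401
```

The distinction that matters for the client is visible in the proposed branch: "no token" and "bad token" are different inputs and get different responses, so a client that sent a token never mistakes a silently downgraded public view for the private payment it asked for. The signature check mentioned in the issue is left out of the example; the same split (absent versus present-but-invalid) applies to it.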
Projects
Status: Backlog
Development

No branches or pull requests

1 participant