feat: interactive authentication for invalid token

[mortenpi]

PkgAuthentication doesn't actually check if the token in auth.toml works, but JuliaHub.jl does (by calling /api/v1). So this makes JuliaHub.authenticate fall back to force=true if it detects that the token auth.toml is actually invalid (but is not expired).

This can happen if the server invalidates the token for some reason. In a nutshell, it treats that case the same as if the token is expired.

I didn't really see an easy way to mock-test the main logic in _authenticate without a lot of refactoring. But it is working locally:

julia> auth = JuliaHub.authenticate("juliahub.com")
┌ Warning: Existing token appears invalid, retrying with `force=true`.
│ Existing auth.toml backed up in: /home/mortenpi/.julia/servers/juliahub.com/auth.toml.25d828ea.backup
└ @ JuliaHub ~/jc/juliahubjl/JuliaHub.jl/src/authentication.jl:289
Authentication required: please authenticate in browser.
The authentication page should open in your browser automatically, but you may need to switch to the opened window or tab. If the authentication page is not automatically opened, you can authenticate by manually opening the following URL: https://juliahub.com/auth/response?1asdu9b32c91b397a9a10vbr2f08a63654
JuliaHub.Authentication("https://juliahub.com", "mortenpi", *****)

[semgrep-code-juliacomputing-new]

Semgrep found 1 no-implicit-return finding:

• src/authentication.jl
  • L259-306 - Triage

Block-form functions should explicity return a value. If no meaningful
value is returned, explicity write return nothing instead.

[pfitzseb]

We know the token is invalid though, so why do we want to keep it around?

[mortenpi]

I don't want to delete user data if they didn't explicitly ask for it. And right now we delete iff force=true.