Improve testing around authorization calls
This is related to #1722
We need to more adequately ensure that requests which return 401, originating from previews or the toolbar, can not hurt site performance on a production site without a logged-in user. This ticket is to add appropriate testing to Faust.js to prevent regressions in this area in the future.
The current issue with the toolbar and auth in general is that a request needs to be made to the /api/faust/auth/token endpoint to determine if there is a logged-in user.
Traditionally, on a page that should only be for authenticated users, this makes sense: we make a request to the token endpoint, and if it returns tokens, we know there is a logged-in user; if it returns a 401 response, we know there is no authenticated user and that we should redirect them to the login page.
With the toolbar, this model is a little different, since we would like the toolbar to be applied to every page. So, when the toolbar is enabled, a request is made on each page to check if there is an authenticated user. This is not ideal, as we have seen that this additional request per page can have unintended consequences.
The challenge here is that we must hit an endpoint to check for an authenticated user. This endpoint, though, is quite simple: it essentially checks if there is a refresh token in the cookie. This cookie, however, is httpOnly, meaning it can not be accessed client side, for XSS reasons. One of the possible solutions I'm playing with in my head is that we can set an additional cookie, one that is not httpOnly, holding a boolean value based on whether there is a refresh token or not. This is beneficial because we'll be able to check this cookie client side, and potentially not make a request for the tokens if we already know there is not an authenticated user, but also not expose any sensitive data, since this cookie will only contain a boolean value.
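To make the proposal above concrete, here is an added example (not Faust.js code, and not part of the original issue) of the two halves of the boolean-cookie idea plus a test double for the regression tests this ticket asks for. The cookie name `faust-has-refresh-token` and the helper names are assumptions; only the `/api/faust/auth/token` endpoint and the 401 semantics come from the issue. The example also covers a failure mode the proposal needs to handle: the hint cookie can be stale, so a 401 from the endpoint must still win over the hint.

```javascript
// Added example, not Faust.js code. It assumes a hypothetical non-httpOnly
// cookie "faust-has-refresh-token" that the server sets to "1" alongside the
// httpOnly refresh-token cookie and expires when that cookie is absent.
const FLAG_COOKIE = 'faust-has-refresh-token';   // hypothetical name
const TOKEN_ENDPOINT = '/api/faust/auth/token';  // endpoint named in the issue

// Server side: Set-Cookie header for the hint. Deliberately no HttpOnly (the
// client must read it), but Secure and SameSite still apply, and the value is
// only a boolean, so nothing sensitive is exposed to script.
function flagCookieHeader(hasRefreshToken) {
  const attrs = 'Path=/; SameSite=Lax; Secure';
  return hasRefreshToken
    ? `${FLAG_COOKIE}=1; ${attrs}`
    : `${FLAG_COOKIE}=; ${attrs}; Max-Age=0`; // expire the hint on logout
}

// Minimal document.cookie parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(cookieString) {
  const out = {};
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (name) out[name] = part.slice(eq + 1).trim();
  }
  return out;
}

// Client side: the token request is made only when the hint says a refresh
// token exists. No hint means "anonymous visitor" and zero requests, which is
// the production-performance property the ticket wants tested.
function shouldRequestTokens(cookieString) {
  return parseCookies(cookieString)[FLAG_COOKIE] === '1';
}

// The hint is advisory and can be stale (token revoked server side, cookie
// not yet cleared), so a 401 from the endpoint still means "not logged in".
function interpretTokenResponse(status) {
  if (status === 401) return { authenticated: false };
  if (status === 200) return { authenticated: true };
  throw new Error(`unexpected status ${status} from ${TOKEN_ENDPOINT}`);
}

// fetchImpl is any fetch-like function returning an object with a `status`.
async function getAuthState(cookieString, fetchImpl) {
  if (!shouldRequestTokens(cookieString)) {
    return { authenticated: false, requested: false };
  }
  const res = await fetchImpl(TOKEN_ENDPOINT, { credentials: 'include' });
  return { ...interpretTokenResponse(res.status), requested: true };
}

// Test double for regression tests: a fetch that records every call, so a
// test can assert that the anonymous path issues no request at all.
function countingFetch(status) {
  const spy = async (url) => { spy.calls.push(url); return { status }; };
  spy.calls = [];
  return spy;
}
```

In a Faust.js regression test the important assertion is the one on `spy.calls.length`: rendering a page with the toolbar enabled and no hint cookie must leave the counter at zero, while a hint cookie followed by a 401 must still resolve to an unauthenticated state.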