lua-resty-openidc
No way to discern between internal errors and unauthorized access.
When the unauth_action parameter is set to pass or deny, the authenticate() method will return a non-nil value for err in certain circumstances (e.g. no existing authentication, or expired refresh token).
Without performing string comparisons on the returned error message (never a good idea), the calling code cannot discern between any of the various unrecoverable internal errors (for which it might want to return a 500 response code) and these expected "unauthorized access" scenarios (for which it would probably want to return a 401 response code).
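The ambiguity described above, seen from the calling side in an nginx access phase handler. This is an added example, not code from the lua-resty-openidc project; the discovery URL, client credentials and redirect_uri are placeholders.

```lua
-- Added example (not from the lua-resty-openidc project): an nginx
-- access_by_lua_block handler that calls authenticate() with
-- unauth_action set to "pass" and has to turn its results into a status.
local openidc = require("resty.openidc")

local opts = {
  -- placeholder values: replace with your provider and client settings
  discovery     = "https://issuer.example.invalid/.well-known/openid-configuration",
  client_id     = "PLACEHOLDER_CLIENT_ID",
  client_secret = "PLACEHOLDER_CLIENT_SECRET",
  redirect_uri  = "/redirect_uri",
}

-- "pass": do not redirect to the provider; leave the decision to this handler
local res, err = openidc.authenticate(opts, nil, "pass")

if res then
  -- authenticated: res.id_token, res.access_token and res.user are available
  ngx.req.set_header("X-User", res.id_token.sub)
  return
end

if not err then
  -- no session and nothing went wrong: treat the request as anonymous
  return
end

-- err is set. As the issue describes, this single string covers both the
-- expected "unauthorized" outcomes (no existing session, expired refresh
-- token) and unrecoverable internal errors (discovery or JWKS fetch failed).
-- Without a structured error the handler must pick one status for all of
-- them: answering 401 hides real outages from 5xx alerting, answering 500
-- misreports ordinary unauthenticated traffic and breaks clients that
-- expect 401 to trigger a login. Log the raw error so operators can at
-- least see which case occurred.
ngx.log(ngx.ERR, "authenticate() failed: ", err)
ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
```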