expired user macaroons should not prevent downloading otherwise public snaps

<pedronis> cjwatson: hi, I saw a strange behavior on saturday, I was trying to install "pc" (a gadget) that is public, apparently I had a fully expired macaroon (or so I think), I got a 401 from the dowload, but without doing anything I didn't get one installing hello-world, wondering what's different between those snaps. It wored after I relogged in
 *worked
 fully expired user macaroon
<cjwatson> pedronis: Do you remember roughly how soon after your attempt to install pc you installed hello-world?
<cjwatson> Your macaroon was indeed expired, kibana confirms that
<pedronis> cjwatson: time of removing it and installing it again
 but did't relogin in between
 did that after
 cjwatson: basically couple of tries with pc getting 401, tried hello-world, remove it, tried again, worked, relogged in, now pc worked too
<cjwatson> pedronis: There's a request at about the right time but it's from a different snapd version
<cjwatson> ten seconds after the last of the three failed pc requests
<cjwatson> pedronis: And the hello-world request seems to have come in without an Authorization header (I think)
<pedronis> cjwatson: ah, maybe I had hello-world cached, mmh, anyway is this intended behavior? won't it prevent devices with an expired user macaroon to refresh public snaps
<cjwatson> pedronis: I think it was existing behaviour before my changes
<pedronis> mmh
<wgrant> Hm, that definitely wasn't meant to be the case.
 But it's only been possible since recently due to the 12month thing so maybe
<pedronis> we definitely re-designed install/refresh to make that work, so we need to decide/reconcile the bahaviors
 *behaviors
<cjwatson> Let me check though
<facubatista> Muy buenos días a todos!
<cjwatson> Ah, hm, maybe not; devportal.api.auth.authenticate would return None in that case and so the old handler would just have not tracked the download