Currently, only users logged in via Blender ID can use the manager's interface actions, such as create_new(), revoke_auth_token(), as well as the PATCH Eve call used to edit managers.
This is because the only method being used to authenticate users is the validate_token() method that is run before every request is processed.
validate_token() can find a user if one of the following is true:
- a token is provided via a Bearer Authorization header.
- a Blender ID token is provided via a session cookie.
My proposal is to change the second option to accept not only Blender ID tokens, but also any other token that is stored in the database and provided via the session cookie.
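The lookup described above, as an added sketch that is not the project's own code: it resolves a user from a Bearer header or a session cookie and contrasts the current cookie rule with the proposed one. The names `resolve_user`, `extract_token`, `TOKENS`, the `session_token` cookie name, the `origin` field and the hashed token storage are all assumptions made for illustration.

```python
import hashlib
from datetime import datetime, timedelta, timezone
from http.cookies import SimpleCookie

SESSION_COOKIE = "session_token"  # assumed cookie name
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the example


def token_hash(token):
    # Assumption: the database keeps a hash of each token, not the token itself.
    return hashlib.sha256(token.encode()).hexdigest()


# Constructed token collection: hash -> record.
TOKENS = {
    token_hash("bid-abc"): {"user": "alice", "origin": "blender_id", "expires": NOW + timedelta(hours=1)},
    token_hash("local-xyz"): {"user": "bob", "origin": "local", "expires": NOW + timedelta(hours=1)},
    token_hash("local-old"): {"user": "carol", "origin": "local", "expires": NOW - timedelta(hours=1)},
}


def extract_token(headers):
    """Return (token, source): Bearer header first, then the session cookie."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and value.strip():
        return value.strip(), "bearer"
    cookie = SimpleCookie(headers.get("Cookie", ""))
    if SESSION_COOKIE in cookie and cookie[SESSION_COOKIE].value:
        return cookie[SESSION_COOKIE].value, "cookie"
    return None, None


def resolve_user(headers, now, cookie_origins):
    """Return the user name for the request, or None if it is unauthenticated."""
    token, source = extract_token(headers)
    if token is None:
        return None
    record = TOKENS.get(token_hash(token))
    if record is None or record["expires"] <= now:
        return None  # unknown or expired token
    if source == "cookie" and record["origin"] not in cookie_origins:
        return None  # stored token, but not accepted from a cookie
    return record["user"]


CURRENT = ("blender_id",)            # behaviour described above
PROPOSED = ("blender_id", "local")   # any stored token accepted via cookie
```

Because browsers attach the session cookie automatically, widening what the cookie path accepts also widens which tokens a cross-site request can ride on, so the state-changing actions (the PATCH call, revoke_auth_token()) should sit behind CSRF protection.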