PhotoBackup / api

PhotoBackup API's documentation
https://photobackup.github.io/
GNU General Public License v2.0

Clarify 401 and 403. #3

Closed Zegnat closed 9 years ago

Zegnat commented 9 years ago

These are small tweaks to the description of 401 (for /test) and 403 (for both / and /test) in the most NON-BREAKING way possible.

  1. When the client forgets to send a password, or sends an empty password, the server should respond with a 403 Forbidden.
  2. When the client is testing the server configuration (/test) respond with a 401 Unauthorized in case no password has been configured by the server.

    Also note that this is only defined for /test and servers should not respond with 401 Unauthorized when a client is trying to upload an image to /.

PhotoBackup/server-php already adheres to this. The Python implementation does not: PhotoBackup/server-bottle#8.

These are the wrong HTTP status codes, e.g. 401 Unauthorized should be used where 403 Forbidden is used. This pull to API v2 does not change any codes because it should be NON-BREAKING. (API v3 should fix this.) See PhotoBackup/api#2 for more discussion and planning for v3 (which will be BREAKING).
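The two rules above, written out as the status-code decision a server makes for `/` and `/test`. This is an added example and not code from the PhotoBackup API or either server implementation; it assumes the server keeps only a SHA-512 hex digest of the configured password, that a wrong password gets the same code as a missing one, that `/` on a server with no password configured is a misconfiguration answered with 500, and that the `api_version=3` branch swaps 403 for 401 as the comment says v3 should. Those four points are assumptions, not something this PR specifies.

```python
import hashlib
import hmac
from typing import Optional


def sha512_hex(password: str) -> str:
    """Digest used for the stored password (assumption: real servers may differ)."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def photobackup_status(path: str,
                       configured_password_hash: Optional[str],
                       client_password: Optional[str],
                       api_version: int = 2) -> int:
    """Return the HTTP status a PhotoBackup endpoint answers with.

    v2 (this PR, non-breaking):
      - /test with no password configured on the server -> 401 Unauthorized
      - missing or empty client password (both / and /test) -> 403 Forbidden
    api_version=3 is an assumption of the planned fix: 401 where v2 uses 403.
    """
    if path not in ("/", "/test"):
        return 404

    # Rule 2: only /test reports "no password configured". The PR says / must
    # never answer 401 for this; treating it as a misconfiguration (500) is an
    # assumption made for this example, the PR does not define the case.
    if not configured_password_hash:
        return 401 if path == "/test" else 500

    auth_failure = 403 if api_version == 2 else 401

    # Rule 1: client forgot the password or sent an empty one.
    if not client_password:
        return auth_failure

    # Constant-time comparison of digests so a wrong password does not leak
    # how many leading characters matched. A wrong password getting the same
    # code as a missing one is an assumption of this example.
    if not hmac.compare_digest(sha512_hex(client_password), configured_password_hash):
        return auth_failure

    return 200


if __name__ == "__main__":
    # Constructed sample configuration for a quick run.
    stored = sha512_hex("correct horse")
    for path, pw in (("/test", None), ("/", ""), ("/", "correct horse")):
        print(path, repr(pw), "->", photobackup_status(path, stored, pw))
```

Only the status decision is modelled here; a real server would still parse the multipart upload on `/` and read the password from the request body before calling something like this.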

stephanepechard commented 9 years ago

Thanks for this, would you have time for a first draft of v3?