Avoid 500 response codes

[ejnnr]

There are currently a lot of cases where 500 is returned when there would be a better alternative:

• When an invalid game is shown (should be stopped by returning 422 on creation)
• When a non-authenticated user tries to access /api/user (should be 401)
• When trying to access a non-existent resource id (should be 404)

Also 403 should be turned to 401 if the client isn't authenticated.