[feature] Enforce OAuth token scopes (#3835)

* move tokenauth to apiutil

* enforce scopes

* docs

* update test models, remove deprecated "follow"

* file header

* tests

* tweak scope matcher

* simplify...

* fix tests

* log user out of settings panel in case of oauth error
tobi
2025-02-26 13:04:55 +01:00
committed by GitHub
parent f734a94c1c
commit eb720241da
213 changed files with 1762 additions and 1082 deletions


@ -544,7 +544,7 @@ func (suite *InstancePatchTestSuite) TestInstancePatch5() {
b, err := io.ReadAll(result.Body)
suite.NoError(err)
suite.Equal(`{"error":"Forbidden: user is not an admin so cannot update instance settings"}`, string(b))
suite.Equal(`{"error":"Forbidden: token has insufficient scope permission"}`, string(b))
}
func (suite *InstancePatchTestSuite) TestInstancePatch6() {
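Review bot: With the expected body in TestInstancePatch5 changed to `token has insufficient scope permission`, the request now appears to be rejected at the scope check, so the earlier `user is not an admin so cannot update instance settings` path is no longer asserted in this test. If the fixture token simply lacks the required scope, consider adding a companion case where a non-admin account presents a token that does carry it, so the role check keeps its own coverage and a regression in either authorization layer is caught independently. A comment above the assertion such as `// rejected at the token scope check, before the admin role check runs` would record which layer this test pins. The test's setup lies outside the visible lines, so which token it uses is inferred rather than confirmed.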