Allow oauth2 clients to exercise permissions independent to the user

app/routing/middleware/auth/APIRoute.middleware.js

@@ -11,6 +11,7 @@ class APIRouteMiddleware extends Middleware {
             return next()
         } else if ( allow_token ) {
             if ( !req.oauth ) req.oauth = {}
+
             return req.app.oauth2.authorise()(req, res, async e => {
                 if ( e ) return next(e)
                 // Look up the OAuth2 client an inject it into the route
@@ -52,9 +53,9 @@ class APIRouteMiddleware extends Middleware {
 
                 next()
             })
+        } else {
+            return res.status(401).api()
         }
-
-        return res.status(401).api()
     }
 }