We currently use @login_required on a number of API endpoints. This means that if a client tries to access it while logged out, a redirect is issued to the login page. This makes sense if the user is in a browser, but does not make sense if it's an automated API which expects to receive JSON.

We should create a new decorator, @api_login_required which returns HTTP 401 and a json message if the request is not authenticated and apply it to all API endpoints that return JSON.