Fix the response status code when authenticating with wrong credentials

[cheriimoya]

I read through https://www.django-rest-framework.org/community/contributing/, but it looks like the GitHub discussion page is gone. Also the issues page is not available. This is why I decided to open this PR without contacting anyone in advance.

Description

This PR started, when I wanted to authenticate via token auth in a test.
I sent the username and password and I received 400 bad request.
Then, I double checked in my development setup and everything worked.
Thing was, I forgot to create the user account in the test.

Anyway, I got the 400 instead of the 401, which would have been way more clear to me.
This is why I decided to open this PR.
The changed behavior conforms to RFC9110, see https://www.rfc-editor.org/rfc/rfc9110#section-15.5.2-2 where it says to return 401 on failed attempts.
Also, I fixed the failing tests where I think DRF should return 401 instead of 403.

[tomchristie]

The note on that page is clear...

Note

At this point in its lifespan we consider Django REST framework to be feature-complete. We focus on pull requests that track the continued development of Django versions, and generally do not accept new features or code formatting changes

Perhaps someone could issue a change adding a PR template, helping ensure that we're not wasting effort like this.

[ulgens]

Wouldn't this count as a bugfix?

[tomchristie]

In this instance no. There is history and an intentional design decision here.

Moreover a change here would be disruptive and break existing expected behaviour in deployed systems.