Arvados

Workbench 1 appends the anonymous user token in a "reader token" to each GET request to make sure that content shared with the anonymous user is available to authenticated users, even if not shared with explicitly with them.

Controller just appends any reader tokens received to the token list for the request.

API uses reader_tokens for GET requests in (services/api/app/controllers/application_controller.rb).

But it also does something else; in services/api/app/middlewares/arvados_api_token.rb it seems that if the primary session token is not valid, the first working reader token is used instead.

Workbench 2 does not use reader_tokens (which means authenticated users can not access data only shared with the anonymous user!).

Nothing else in our codebase appears to use reader_tokens.

Our documentation does not mention reader_tokens.

#18937 is about simplifying the anonymous token configuration - basically, doing away with the need for an anonymous token at all. Once that is done, we can remove the controller and API code that handles reader_tokens. Maybe log a warning if a reader token is used (though, as long as WB1 is around, that's going to generate a lot of noise in the logs)?