Pitch

Currently the documentation says it's requiring an App token (client credentials grant flow), but it looks like it may require the same authentication as the statuses endpoints, which is typically a user token if supplied.

GET /api/v1/statuses/:id uses:

GET /api/v1/statuses/:id/source uses:

Which makes it require an access token with read or read:statuses scopes. It doesn't make any assertions about requiring a user, so would technically work for both User tokens and App tokens (access tokens and client credentials respectively).

We may need some better helper methods that are more clear in their assertions, e.g., require_user_scopes :read, :'read:statuses' or something?

It's important to note that both authorize_if_got_token! and doorkeeper_authorize! will work for both user-scoped access tokens and for client credentials: in the first case the access token will have a resource_owner_id set, and client credentials will not (since they're not tied to a user but to an application).

We also have require_user!, which is often used in combination with the above, which asserts that the token is an access token tied to a user who is confirmed, approved, and functional.

Motivation

This was noted whilst reviewing our usage of the OAuth Client Credentials Grant Flow.
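The distinction the issue draws, as an added example that is not Mastodon's own code: a minimal Ruby model of the three checks (a scope-only check standing in for doorkeeper_authorize!, its optional-token variant standing in for authorize_if_got_token!, and a resource-owner check standing in for require_user!), plus the proposed combined helper under the hypothetical name require_user_scopes!. The Token and User structs, the USERS table and the "disabled" flag used to model "functional" are constructed stand-ins; nothing here calls Doorkeeper or Mastodon.

```ruby
# Added example, not Mastodon's code: models the authorization checks discussed
# in the issue so the difference between user tokens and client-credentials
# tokens is visible. Token/User/USERS are constructed stand-ins.

Token = Struct.new(:scopes, :resource_owner_id, keyword_init: true)
User  = Struct.new(:id, :confirmed, :approved, :disabled, keyword_init: true)

# Constructed user table (hypothetical): user 1 is fully functional,
# user 2 has not confirmed their email.
USERS = {
  1 => User.new(id: 1, confirmed: true,  approved: true, disabled: false),
  2 => User.new(id: 2, confirmed: false, approved: true, disabled: false),
}.freeze

AuthError = Class.new(StandardError)

# Stand-in for doorkeeper_authorize!: the token must carry at least one of the
# required scopes. Whether it is tied to a user is NOT checked, so a
# client-credentials token with the right scope passes.
def authorize_scopes!(token, *required)
  raise AuthError, 'no token' if token.nil?
  raise AuthError, 'insufficient scope' if (token.scopes & required.map(&:to_s)).empty?
  token
end

# Stand-in for authorize_if_got_token!: same scope check, but a missing token
# is allowed and the request simply proceeds unauthenticated.
def authorize_if_got_token!(token, *required)
  token.nil? ? nil : authorize_scopes!(token, *required)
end

# Stand-in for require_user!: the token must belong to a resource owner who is
# confirmed, approved and functional (modelled here as "not disabled").
# A client-credentials token has no resource_owner_id and fails here.
def require_user!(token)
  raise AuthError, 'no token' if token.nil?
  user = USERS[token.resource_owner_id]
  raise AuthError, 'token is not tied to a user' if user.nil?
  raise AuthError, 'user not confirmed' unless user.confirmed
  raise AuthError, 'user not approved' unless user.approved
  raise AuthError, 'user disabled' if user.disabled
  user
end

# The helper the issue floats (hypothetical name): scope check plus user check
# in one call, so the assertion is explicit at the call site.
def require_user_scopes!(token, *required)
  authorize_scopes!(token, *required)
  require_user!(token)
end

# Returns :ok or the error message, for the examples below.
def outcome
  yield
  :ok
rescue AuthError => e
  e.message
end

# Constructed tokens: a user token and a client-credentials (app) token.
USER_TOKEN   = Token.new(scopes: ['read:statuses'], resource_owner_id: 1)
CLIENT_TOKEN = Token.new(scopes: ['read'], resource_owner_id: nil)

if __FILE__ == $PROGRAM_NAME
  puts outcome { authorize_scopes!(USER_TOKEN, :read, :'read:statuses') }
  puts outcome { authorize_scopes!(CLIENT_TOKEN, :read, :'read:statuses') }
  puts outcome { require_user_scopes!(USER_TOKEN, :read, :'read:statuses') }
  puts outcome { require_user_scopes!(CLIENT_TOKEN, :read, :'read:statuses') }
end
```

Both tokens clear the scope-only check; only the combined helper rejects the app token, which is the point the issue makes about endpoints that assert scopes but never assert a user.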