do not send RTR_ERROR for regular 403 responses

An API may respond with a 403 because an AT is missing (which should
invoke RTR), because an RT is missing (which should generate an error
and end the session), or because a valid AT is inadequate to perform the
requested action. Previously, all three were handled the same way. Now,
only an actual RTR-failure will result in sending an `RTR_ERROR` event.

In other cases, no event is dispatched and the response is returned
as-is.

src/service-worker.js

@@ -285,14 +285,27 @@ const passThroughWithAT = (event) => {
   if (shouldLog) console.log('-- (rtr-sw)    (valid AT or authn request)');
   return fetch(event.request, { credentials: 'include' })
     .then(response => {
-      if (response.ok) {
-        return response;
-      } else {
-        // we thought the AT was valid but it wasn't, so try again.
-        // if we fail this time, we're done.
-        if (shouldLog) console.log('-- (rtr-sw)    (whoops, invalid AT; retrying)');
-        return passThroughWithRT(event);
+      // Handle three different situations:
+      // 1. 403: AT was expired (try RTR)
+      // 2. 403: AT was valid but corresponding permissions were insufficent (return response)
+      // 3. *: Anything else (return response)
+      if (response.status === 403 && response.headers['content-type'] === 'text/plain') {
+        return response.clone().text()
+          .then(text => {
+            // we thought the AT was valid but it wasn't, so try again.
+            // if we fail this time, we're done.
+            if (text.startsWith('Token missing')) {
+              if (shouldLog) console.log('-- (rtr-sw)    (whoops, invalid AT; retrying)');
+              return passThroughWithRT(event);
+            }
+
+            // we got a 403 but not related to RTR; just pass it along
+            return response;
+          });
       }
+
+      // any other response should just be returned as-is
+      return response;
     });
 };