3.0.0

@domenic domenic released this 10 Mar 03:07

Renamed res.sendUnauthorized to res.sendUnauthenticated. In preparation for upcoming work to introduce scopes, we need to be more precise about differentiating authentication from authorization, and the purpose of this method was really to signal failed authentication, so it should be named as such. Once scopes are introduced, res.sendUnauthorized will return, but with different semantics that more accurately reflect its name.

For the ROPC flow, changed the error_type value returned when a username/password pair fails the grantUserToken hook from invalid_client to invalid_grant. Per RFC 6749 §5.2 this is more correct: invalid_client is reserved for failed client authentication (bad or missing client credentials), whereas invalid_grant is the error type for an invalid authorization grant, which for this flow means invalid resource owner credentials.