401 response includes WWW-Authenticate header

[joaoag]

Summary

• Adds WWW-Authenticate: Bearer realm="VTN" header to all 401 responses from AppError.
• The OAuth token endpoint (ResponseOAuthError in auth.rs) already returned this header for InvalidClient, so this PR closes the gap for bearer token auth failures (invalid/expired JWT, unparseable subject).

Approach

• Considered restructuring the AppError::into_response() match to return response tuples from every arm, but instead went for inserting header post-match, based on the response status code.
• This keeps the existing match structure untouched, at the cost of inconsistency, with a special step just for the Unauthorized arm
• Very open to other ways of doing this!

Changes

• error.rs: Insert WWW-Authenticate header after response construction when status is 401
• user.rs: Add header assertions to delete_credential and delete_user tests

[codecov]

Codecov Report

❌ Patch coverage is 50.00000% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 83.30%. Comparing base (169eb52) to head (02da5df).

Files with missing lines	Patch %	Lines
openleadr-vtn/src/error.rs	50.00%	4 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #457      +/-   ##
==========================================
- Coverage   83.34%   83.30%   -0.04%     
==========================================
  Files          50       50              
  Lines        7353     7360       +7     
==========================================
+ Hits         6128     6131       +3     
- Misses       1225     1229       +4     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.