An XHR request without credentials currently gets redirected to /login, which breaks the UI: the JS attempts to follow the redirect instead of recognising the lack of access. XHR login failures should return a 401 instead, perhaps with a JSON body {"status": "error", "error": "login_required"}.
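One way the requested behaviour could look, as an added example that is not the project's own code: XHR and fetch follow a 302 transparently, so the script ends up with the login page's HTML and a 200 status, whereas a 401 with a JSON body is unambiguous. The function names, the header heuristics and the `no-store` header are assumptions; only /login, the 401 and the JSON body come from the report above.

```javascript
// Added example: framework-agnostic handling of an unauthenticated request.
// isApiStyleRequest, denyUnauthenticated and handleApiResponse are hypothetical names.

// Header names are expected lower-cased, as Node's http module delivers them.
function isApiStyleRequest(headers) {
  const xrw = (headers["x-requested-with"] || "").toLowerCase();
  if (xrw === "xmlhttprequest") return true;

  // fetch() does not set X-Requested-With, but current browsers send
  // Sec-Fetch-Mode: "navigate" for page loads, other values for script requests.
  const mode = headers["sec-fetch-mode"];
  if (mode === "navigate") return false;
  if (mode) return true;

  // Fallback for clients that send neither header: JSON accepted, HTML not.
  const accept = (headers["accept"] || "").toLowerCase();
  return accept.includes("application/json") && !accept.includes("text/html");
}

// Server side: what to send when the request carries no valid credentials.
function denyUnauthenticated(headers) {
  if (isApiStyleRequest(headers)) {
    return {
      status: 401,
      // no-store keeps the error from being cached and replayed after login.
      headers: { "content-type": "application/json", "cache-control": "no-store" },
      body: JSON.stringify({ status: "error", error: "login_required" }),
    };
  }
  // Ordinary page navigation keeps the existing redirect.
  return { status: 302, headers: { location: "/login" }, body: "" };
}

// Client side: act on the status code rather than parsing whatever came back.
function handleApiResponse(status, bodyText) {
  if (status === 401) {
    let parsed = {};
    try { parsed = JSON.parse(bodyText); } catch (_) { /* 401 without a JSON body */ }
    return { action: "show_login", reason: parsed.error || "unauthorized" };
  }
  return { action: "continue", reason: null };
}
```
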