check user.expiration_date in API
user.expiration_date is usually checked in a middleware. The authentication we use for the API is not compatible with that, so we need to add this explicitly. I am not sure whether we really want that.
Making middleware apply to API requests in general is not the best idea IMHO because this would also include AutoLogoutMiddleware.