module permissions handling is broken for mod-authtoken.
1. the call to mod-permissions to expand an extra permission (from a module permission) make an invalid URL, which results in totally wrong permissions returned.
2. when that is fixed, it still fails if caching is enabled for extra permissions. User permissions seem to cache ok.. It's a shared cache and something is fishy.