Require an API key for all SQL queries

This was spotted by a client pentest and was required to be fixed

Author: Alberto Miedes Garcés

lib/api/middlewares/authorization.js

@@ -8,7 +8,7 @@ module.exports = function authorization (metadataBackend, forceToBeMaster = fals
         const { user } = res.locals;
         const credentials = getCredentialsFromRequest(req);
 
-        if (!userMatches(credentials, user)) {
+        if (!userMatches(credentials, user) || !credentials.apiKeyToken) {
             req.profiler.done('authorization');
 
             return next(new Error('permission denied'));