Ensure secured API key param `restrictSources` only accepts string

[aseure]

When generating secured API keys, an optional restrictSources
parameter can be used as a string (such as "192.168.1.0" or
"192.168.1.0/24"). We discovered that some API clients wrongly accept other
types (such a list of strings, etc.) which is wrong.

Could you make sure that restrictSources only accepts string as a valid type
as a secured API keys parameter?