SECURITY: don't grant same privileges to user_api and api access

User API is no longer gets bypasses that standard API gets.
Only bypasses are CSRF and XHR requirements.

lib/auth/current_user_provider.rb

@@ -25,6 +25,10 @@ class Auth::CurrentUserProvider
     raise NotImplementedError
   end
 
+  def is_user_api?
+    raise NotImplementedError
+  end
+
   # we may need to know very early on in the middleware if an auth token
   # exists, to optimise caching
   def has_auth_cookie?