SECURITY: don't grant same privileges to user_api and api access

User API is no longer gets bypasses that standard API gets.
Only bypasses are CSRF and XHR requirements.

lib/auth/current_user_provider.rb

@@ -25,6 +25,10 @@ class Auth::CurrentUserProvider
     raise NotImplementedError
   end
 
+  def is_user_api?
+    raise NotImplementedError
+  end
+
   # we may need to know very early on in the middleware if an auth token
   # exists, to optimise caching
   def has_auth_cookie?

lib/auth/default_current_user_provider.rb

@@ -8,6 +8,7 @@ class Auth::DefaultCurrentUserProvider
   USER_API_KEY ||= "HTTP_USER_API_KEY".freeze
   USER_API_CLIENT_ID ||= "HTTP_USER_API_CLIENT_ID".freeze
   API_KEY_ENV ||= "_DISCOURSE_API".freeze
+  USER_API_KEY_ENV ||= "_DISCOURSE_USER_API".freeze
   TOKEN_COOKIE ||= "_t".freeze
   PATH_INFO ||= "PATH_INFO".freeze
   COOKIE_ATTEMPTS_PER_MIN ||= 10
@@ -97,7 +98,7 @@ class Auth::DefaultCurrentUserProvider
       limiter_min.performed!
       limiter_day.performed!
 
-      @env[API_KEY_ENV] = true
+      @env[USER_API_KEY_ENV] = true
     end
 
     @env[CURRENT_USER_KEY] = current_user
@@ -172,7 +173,12 @@ class Auth::DefaultCurrentUserProvider
   # api has special rights return true if api was detected
   def is_api?
     current_user
-    @env[API_KEY_ENV]
+    !!(@env[API_KEY_ENV])
+  end
+
+  def is_user_api?
+    current_user
+    !!(@env[USER_API_KEY_ENV])
   end
 
   def has_auth_cookie?