This refactors default_current_user_provider in a few ways:
- Introduce a generic
api_parameter_allowed?method which checks for whitelisted routes/formats
- Only read the api_key parameter on allowed routes. It is now completely ignored on other routes (previously it would raise a 403)
- Start reading user_api_key parameter on allowed routes
- Refactor tests as end-end integration tests
Allowing plugins to extend PARAMETER_API_PATTERNS would be possible. But the blanket whitelist of ics and rss should be enough for now. If there is demand, we can add an API in future.