FEATURE: Allow parameter authentication for UserApiKeys (PR #9742)

This refactors default_current_user_provider in a few ways:

  • Introduce a generic api_parameter_allowed? method which checks for whitelisted routes/formats
  • Only read the api_key parameter on allowed routes. It is now completely ignored on other routes (previously it would raise a 403)
  • Start reading user_api_key parameter on allowed routes
  • Refactor tests as end-to-end integration tests

Allowing plugins to extend PARAMETER_API_PATTERNS would be possible. But the blanket whitelist of ics and rss should be enough for now. If there is demand, we can add an API in future.
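
The behaviour described in the list above, as an added Ruby sketch that is not the code from this commit: query-string keys are read only when the request matches the allowlist and are ignored otherwise. The pattern shape, the request hash, the header names and the rule that header credentials are accepted on every route are assumptions; only the names `PARAMETER_API_PATTERNS` and `api_parameter_allowed?` come from the message.

```ruby
# Added sketch, not Discourse's code: pattern shape and request hash are assumptions.
PARAMETER_API_PATTERNS = [
  { format: "rss" },   # blanket allow: any route rendered as RSS
  { format: "ics" },   # blanket allow: any route rendered as iCalendar
].freeze

# True when the request's route/format matches an allowlist entry.
# A key missing from an entry acts as a wildcard for that dimension.
def api_parameter_allowed?(req)
  PARAMETER_API_PATTERNS.any? do |p|
    (p[:format].nil? || p[:format] == req[:format]) &&
      (p[:route].nil? || p[:route] == req[:route])
  end
end

# Returns [kind, key] or nil. Header credentials (assumed header names) are
# accepted on every route; query parameters are read only on allowlisted
# requests and are silently ignored everywhere else (no 403).
def extract_api_credential(req)
  headers = req.fetch(:headers, {})
  params  = req.fetch(:params, {})
  return [:api_key, headers["Api-Key"]] if headers["Api-Key"]
  return [:user_api_key, headers["User-Api-Key"]] if headers["User-Api-Key"]
  return nil unless api_parameter_allowed?(req)
  return [:api_key, params["api_key"]] if params["api_key"]
  return [:user_api_key, params["user_api_key"]] if params["user_api_key"]
  nil
end

# Constructed sample requests (keys are placeholders).
FEED_REQ = { route: "list#latest", format: "rss",
             params: { "user_api_key" => "SAMPLE-USER-KEY" } }.freeze
JSON_REQ = { route: "list#latest", format: "json",
             params: { "api_key" => "SAMPLE-KEY" } }.freeze
HDR_REQ  = { route: "list#latest", format: "json",
             headers: { "Api-Key" => "SAMPLE-KEY" } }.freeze

if __FILE__ == $PROGRAM_NAME
  [FEED_REQ, JSON_REQ, HDR_REQ].each do |r|
    puts "#{r[:format]}: #{extract_api_credential(r).inspect}"
  end
end
```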