fix: [authkey] should only be used in a rest context

- otherwise some weird authentication snafus can happen
- as reported by SK-CERT

src/Controller/AppController.php

@@ -99,8 +99,8 @@ class AppController extends Controller
     {
         $this->loadModel('Users');
         $this->Users->checkForNewInstance();
-        $this->authApiUser();
         if ($this->ParamHandler->isRest()) {
+            $this->authApiUser();
             $this->Security->setConfig('unlockedActions', [$this->request->getParam('action')]);
         }
         $this->ACL->setPublicInterfaces();