pkp/pkp-lib

API request with API Token requires CSRF token

taslangraham opened this issue · 5 comments

Describe the bug
The CSRF Token section of the PKP documentation states that

CSRF tokens are not required for requests to the API when the API Token is used.

However, the following CSRF error response is returned when requests (PUT, DELETE, POST) are made to the API with the API Token:
"error": "The form could not be submitted. You may have been logged out. Please reload the page and try again."

To Reproduce
Steps to reproduce the behavior:
To reproduce using Postman or a similar tool:

  1. Log in
  2. Navigate to the User Profile section and select the API Key tab
  3. Click the Create API Key button to create an API key
  4. Follow the steps here to set up the PKP collection in Postman with the API Token
  5. Make a PUT, DELETE, or POST request.
  6. Observe response

What application are you using?
OJS (main)

Additional information
Please add any screenshots, logs or other information we can use to investigate this bug report.

@touhidurabir This issue was introduced via the work done on #7698.

The isApiRequest method checks for the apiToken in the request's query params, however, the token exists in the authorization header.

I'll open a PR with a fix
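The root cause described above, as an added illustration (not pkp-lib's own code, and `extractApiToken`, `csrfCheckRequired`, the array-based header/query inputs and the `$validateToken` callback are all hypothetical): the request's API token is read from the `Authorization: Bearer` header first, and only as a fallback from the `apiToken` query parameter (deprecated in 3.4 according to the later comment in this thread). The CSRF check is skipped only after the token has actually been verified, not on the mere presence of a header.

```php
<?php
// Added example, not pkp-lib code. Hypothetical helpers that decide whether a
// request carries an API token and whether the CSRF check may be skipped.

/**
 * Return the API token carried by the request, or null if there is none.
 *
 * @param array<string,string> $headers request headers, lower-cased keys (constructed input)
 * @param array<string,string> $query   parsed query string (constructed input)
 */
function extractApiToken(array $headers, array $query): ?string
{
    // Preferred location: "Authorization: Bearer <token>", which is where the
    // Postman collection from the bug report sends it.
    $auth = $headers['authorization'] ?? '';
    if (preg_match('/^Bearer\s+(\S+)$/i', trim($auth), $m)) {
        return $m[1];
    }
    // Legacy location: apiToken query parameter (deprecated since 3.4 per the thread).
    if (isset($query['apiToken']) && $query['apiToken'] !== '') {
        return $query['apiToken'];
    }
    return null;
}

/**
 * Decide whether the CSRF token must be present. A bearer token is not attached
 * automatically by browsers, so a token-authenticated request is not a CSRF
 * vector; the check is skipped only once $validateToken has confirmed the token.
 *
 * @param callable(string):bool $validateToken verifies the token (stand-in for real validation)
 */
function csrfCheckRequired(array $headers, array $query, callable $validateToken): bool
{
    $token = extractApiToken($headers, $query);
    if ($token === null) {
        return true; // ordinary browser session request: CSRF token required
    }
    // Verified API token: CSRF not required. An unverified token falls back to
    // requiring the CSRF token (and the application would reject the request anyway).
    return !$validateToken($token);
}

// Constructed sample inputs mirroring the situations in the bug report.
$validate = fn(string $t): bool => hash_equals('sample-api-token', $t); // hypothetical validator

var_dump(csrfCheckRequired(['authorization' => 'Bearer sample-api-token'], [], $validate));
var_dump(csrfCheckRequired([], ['apiToken' => 'sample-api-token'], $validate));
var_dump(csrfCheckRequired([], [], $validate));
var_dump(csrfCheckRequired(['authorization' => 'Bearer wrong-token'], [], $validate));
```

The first two calls model a request with a valid token in the header and in the deprecated query parameter respectively, so neither needs a CSRF token; the third has no token at all and the fourth carries an invalid one, so both keep the CSRF requirement. Checking only the query parameter, as the original `isApiRequest` did, would put the first case in the "CSRF required" bucket and produce exactly the "form could not be submitted" error from the report.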

@taslangraham I added a suggestion at https://github.com/pkp/pkp-lib/pull/10286/files#r1708717742. Also do a submodule commit and app level to PR so that we can confirm all tests are passing before merging it.

@touhidurabir I've made the suggested changes. I've also included a comment indicating that the use of the API Token in the query param was deprecated in 3.4.

Additionally, I created tests PRs for each app:
ojs - pkp/ojs#4391
omp - pkp/omp#1667
ops - pkp/ops#746

@taslangraham I have merged the pkp-lib PR at #10286 and will let the submodule get updated later.