mirror of https://github.com/TryGhost/Ghost.git synced 2025-02-10 23:36:14 -05:00

Fixed source attribution for staff token API requests

closes https://github.com/TryGhost/Toolbox/issues/386

- When an API request was made using a staff token, the source attribution was "user" instead of "api". The misattribution caused ripple effects in the limit service.
- The fix also adds a new combination of data available on the `req` object: both `user` and `api_key` can be present when the request is made using a staff (user) token. Having both pieces of data on the request object gives more context for business logic; I did not find a good reason to keep it "pure" with either an `api_key` or a `user` property.
Naz 2022-08-23 14:38:25 +08:00
parent 6121451b5d
commit 02a0fd5a32
3 changed files with 3 additions and 6 deletions


@ -181,9 +181,6 @@ const authenticateWithToken = async (req, res, next, {token, JWT_OPTIONS}) => {
);
req.user = user;
next();
return;
}
// store the api key on the request for later checks and logging
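Review bot: After this change a staff-token request no longer stops at `req.user = user;`. Judging by the three removed lines and the commit description, it continues to the code under `// store the api key on the request for later checks and logging`, so `req.user` and `req.api_key` are both set. Any consumer outside this hunk that treats the two properties as mutually exclusive, or tests `req.api_key` first when choosing which permissions to apply, could now handle a staff token as a plain API key; a test that a staff-token request still resolves to the user's own permissions would confirm this. A comment at the assignment would record the intent, for example `// staff token: keep req.user and fall through so req.api_key is set too`. The body of authenticateWithToken starts and ends outside the hunk.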


@ -105,10 +105,10 @@ module.exports = class MemberRepository {
source = 'import';
} else if (context.internal) {
source = 'system';
} else if (context.user) {
source = 'admin';
} else if (context.api_key) {
source = 'api';
} else if (context.user) {
source = 'admin';
} else {
source = 'member';
}
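Review bot: The order of the `context.api_key` and `context.user` branches now decides the recorded source, and nothing in the chain says so. Per the commit description a staff-token context carries both properties, so a later reordering would silently bring back the attribution that affected the limit service. I would add a comment above the branch such as `// staff tokens set both user and api_key; check api_key first so the source is 'api'`. The enclosing method starts and ends outside the hunk.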


@ -32,7 +32,7 @@ describe('MemberRepository', function () {
user: true,
api_key: true
});
assert.equal(source, 'admin');
assert.equal(source, 'api');
source = repo._resolveContextSource({
api_key: true