diff --git a/core/server/services/auth/api-key/admin.js b/core/server/services/auth/api-key/admin.js
index 7f65c301a5..9e431a3bba 100644
--- a/core/server/services/auth/api-key/admin.js
+++ b/core/server/services/auth/api-key/admin.js
@@ -141,7 +141,18 @@ const authenticateWithToken = (req, res, next, {token, JWT_OPTIONS}) => {
 return next(new errors.InternalServerError({err}));
 }
 
- // authenticated OK, store the api key on the request for later checks and logging
+ // authenticated OK
+
+ if (apiKey.get('user_id')) {
+ // fetch the user and store it on the request for later checks and logging
+ models.User.findOne({id: apiKey.get('user_id')}).then((user) => {
+ req.user = user;
+ next();
+ });
+ return;
+ }
+
+ // store the api key on the request for later checks and logging
 req.api_key = apiKey;
 next();
 }).catch((err) => {
diff --git a/core/server/services/auth/session/middleware.js b/core/server/services/auth/session/middleware.js
index 45de4ab93f..c62532e94c 100644
--- a/core/server/services/auth/session/middleware.js
+++ b/core/server/services/auth/session/middleware.js
@@ -20,7 +20,11 @@ function SessionMiddleware({sessionService}) {
 async function authenticate(req, res, next) {
 try {
 const user = await sessionService.getUserForSession(req, res);
- req.user = user;
+ if (user) {
+ // Do not nullify `req.user` as it might have been already set
+ // in a previous middleware (authorize middleware).
+ req.user = user;
+ }
 next();
 } catch (err) {
 next(err);
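Review bot: The `models.User.findOne(...)` call added in the `if (apiKey.get('user_id'))` branch is neither returned nor given its own `.catch`, so a rejected lookup does not reach the trailing `.catch((err) => …)` and the request is left without a `next()` call. The callback also assigns `req.user = user` without checking that a user was found, so a key whose `user_id` no longer resolves continues down the chain with neither `req.user` nor `req.api_key` set; failing closed at this point is safer than relying on later middleware. Because the branch returns before `req.api_key = apiKey`, later checks and logs presumably no longer see which key was used, and whether the user's status is verified depends on code outside the hunk. The enclosing callback of `authenticateWithToken` starts and ends outside the hunk; a sketch of the branch follows.

```javascript
if (apiKey.get('user_id')) {
    // returning the chain lets the existing .catch() below handle a failed lookup
    return models.User.findOne({id: apiKey.get('user_id')}).then((user) => {
        if (!user) {
            // fail closed: the key points at a user that no longer resolves
            return next(new errors.UnauthorizedError({/* message and code as used elsewhere in this file */}));
        }
        req.user = user;
        next();
    });
}
// … unchanged: req.api_key = apiKey; next(); …
```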
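Review bot: The new comment attributes an earlier `req.user` to the "authorize middleware", but as far as this diff shows the earlier assignment is made by API-key authentication (`authenticateWithToken` in `api-key/admin.js`), so the comment points readers at the wrong place. It also leaves unstated that a session user, when present, still overwrites a token user, and that `authenticate` no longer resets `req.user` when there is no session, which makes the outcome depend on middleware order. I would reword it to `// Keep a req.user already set by API-key authentication; a session user, when present, still takes precedence.` and add a test that sends both credentials on one request. The body of `authenticate` continues past the end of the hunk.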