Always grant master API keys sudo mode

framework/core/src/Api/ApiKey.php

@@ -42,15 +42,4 @@ class ApiKey extends AbstractModel
 
         return $key;
     }
-
-    /**
-     * Get the given key only if it is valid.
-     *
-     * @param string $key
-     * @return static|null
-     */
-    public static function valid($key)
-    {
-        return static::where('id', $key)->first();
-    }
 }

framework/core/src/Core/Access/AssertPermissionTrait.php

@@ -75,7 +75,7 @@ trait AssertPermissionTrait
     {
         $session = $request->getAttribute('session');
 
-        if (! $session || $session->get('sudo_expiry') < new DateTime) {
+        if ($session && $session->get('sudo_expiry') < new DateTime) {
             throw new InvalidAccessTokenException;
         }
     }

framework/core/src/Http/Middleware/AuthenticateWithHeader.php

@@ -10,6 +10,7 @@
 
 namespace Flarum\Http\Middleware;
 
+use DateTime;
 use Flarum\Api\ApiKey;
 use Flarum\Core\User;
 use Flarum\Http\AccessToken;
@@ -36,8 +37,10 @@ class AuthenticateWithHeader implements MiddlewareInterface
         if (isset($parts[0]) && starts_with($parts[0], $this->prefix)) {
             $id = substr($parts[0], strlen($this->prefix));
 
-            if (isset($parts[1]) && ApiKey::valid($id)) {
+            if (isset($parts[1]) && ApiKey::find($id)) {
                 $actor = $this->getUser($parts[1]);
+
+                $request->getAttribute('session')->set('sudo_expiry', new DateTime);
             } elseif ($token = AccessToken::find($id)) {
                 $token->touch();