
fix(admin): require admin key for schema validate endpoint#13328

Open
shreemaan-abhishek wants to merge 1 commit into apache:master from shreemaan-abhishek:fix/admin-schema-validate-auth

Conversation

@shreemaan-abhishek
Contributor

Description

The /apisix/admin/schema/validate/* handler in apisix/admin/init.lua does not call set_ctx_and_check_token(), unlike every other Admin API handler. As a result, the endpoint accepts unauthenticated requests even when admin_key_required is enabled (the default in production), returning the body validation result (e.g. 400) instead of the expected 401 Unauthorized.

Reproduction (against a default-config 3.x APISIX instance):

$ curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:9180/apisix/admin/routes
401

$ curl -s -w "\nHTTP: %{http_code}\n" -X POST \
    http://127.0.0.1:9180/apisix/admin/schema/validate/routes \
    -H "Content-Type: application/json" -d '{}'
{"error_msg":"allOf 1 failed: value should match only one schema, but matches none"}
HTTP: 400

The behaviour also contradicts the Admin API documentation, which shows the request being sent with X-API-KEY: $admin_key.

Impact

  • Unauthenticated access to schema validation
  • Information disclosure via detailed validation error messages
  • Potential ReDoS surface without rate limiting
  • Affects the etcd config provider (default production deployment)

Fix

Add set_ctx_and_check_token() as the first call in schema_validate(), matching every other handler in the file (run, get_plugins_list, post_reload_plugins, standalone_run, validate_configs).

Tests

Added three cases in t/admin/token.t covering the schema-validate endpoint:

  • without token -> 401
  • with wrong token -> 401
  • with the correct token -> 200

Reported privately by Kacper.

Which issue(s) this PR fixes:

Fixes #

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)

The /apisix/admin/schema/validate/* handler did not call
set_ctx_and_check_token() like every other Admin API handler, so the
endpoint accepted unauthenticated requests even when admin_key_required
was enabled.

Add the auth check at the top of schema_validate() and cover the three
auth states (no key, wrong key, correct key) in t/admin/token.t.

Reported by Kacper.
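The defect this PR fixes is a single handler that skipped the shared auth call. As an added example (not APISIX project code, and not the PR's test), the script below is a coarse static check that lists every top-level `local function` in a handler file whose body never calls `set_ctx_and_check_token()`. The embedded Lua is a constructed sample: the handler names come from the PR description, but the bodies are placeholders, the file layout (one handler after another at column 0) is an assumption, and the check is line-based rather than a real Lua parser.

```python
"""Audit a Lua file of Admin API handlers for a missing auth call.

Added example, not part of the APISIX project. The sample Lua below is
constructed to mirror the layout described in the PR; it is not the real
apisix/admin/init.lua.
"""
import re

AUTH_CALL = "set_ctx_and_check_token("

# Constructed sample: handler names are taken from the PR description, the
# bodies are invented placeholders. schema_validate deliberately omits the
# auth call, reproducing the defect the PR fixes.
SAMPLE_INIT_LUA = """\
local function set_ctx_and_check_token(api_ctx)
    -- assumed helper: validates X-API-KEY and returns ok, err
    return true
end

local function run()
    local api_ctx = {}
    local ok, err = set_ctx_and_check_token(api_ctx)
    if not ok then
        core.response.exit(401, {error_msg = err})
    end
    -- ... dispatch to the resource handler ...
end

local function get_plugins_list()
    local api_ctx = {}
    local ok, err = set_ctx_and_check_token(api_ctx)
    if not ok then
        core.response.exit(401, {error_msg = err})
    end
    -- ... list plugins ...
end

local function schema_validate()
    local uri_segs = core.utils.split_uri(ngx.var.uri)
    local resource = uri_segs[5]
    -- auth check missing here
    -- ... validate the request body against the resource schema ...
end

local function validate_configs()
    local api_ctx = {}
    local ok, err = set_ctx_and_check_token(api_ctx)
    if not ok then
        core.response.exit(401, {error_msg = err})
    end
    -- ... validate a standalone config ...
end
"""

# Matches a top-level `local function name(args)` line. Assumed layout:
# handlers are defined at column 0, one after another.
FUNC_RE = re.compile(r"^local function (\w+)\s*\([^)]*\)[ \t]*$", re.MULTILINE)


def split_handlers(lua_src):
    """Return {name: body_text}. A body runs until the next top-level
    function definition; this is a line heuristic, not a Lua parser."""
    matches = list(FUNC_RE.finditer(lua_src))
    handlers = {}
    for i, m in enumerate(matches):
        start = m.end()
        end = matches[i + 1].start() if i + 1 < len(matches) else len(lua_src)
        handlers[m.group(1)] = lua_src[start:end]
    return handlers


def auth_call_position(body):
    """Index of the statement (blank, comment and bare `end` lines skipped)
    that calls the auth helper, or None if the body never calls it."""
    idx = 0
    for line in body.splitlines():
        s = line.strip()
        if not s or s.startswith("--") or s == "end":
            continue
        if AUTH_CALL in s:
            return idx
        idx += 1
    return None


def handlers_missing_auth(lua_src, exempt=frozenset({"set_ctx_and_check_token"})):
    """Sorted names of handlers that never call the auth helper. The helper
    itself is exempt because it is the check, not a handler."""
    return sorted(
        name for name, body in split_handlers(lua_src).items()
        if name not in exempt and auth_call_position(body) is None
    )


if __name__ == "__main__":
    for name, body in split_handlers(SAMPLE_INIT_LUA).items():
        print(f"{name:28s} auth call at statement: {auth_call_position(body)}")
    print("handlers missing auth:", handlers_missing_auth(SAMPLE_INIT_LUA))
```

Run against the sample it reports `schema_validate` as the only handler without the call; pointed at a real handler file (by reading it into `lua_src`) it gives a quick regression check that every Admin API handler still performs the token check, which is the property the PR's three `t/admin/token.t` cases verify at runtime for one endpoint.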
@dosubot dosubot Bot added size:M This PR changes 30-99 lines, ignoring generated files. bug Something isn't working labels May 5, 2026