A very common security problem in student projects is an API route handler that never reads the sessionToken cookie, which leaves the endpoint unprotected and open to anyone who calls it directly with Postman, a script or similar.

We should check every API route handler the user writes (the default export of each file in the pages/api folder; see the no-document-import-in-page rule for implementation hints) to make sure it refers to sessionToken somewhere.

Students can opt out of this check by starting the function name with unprotected (so they do it knowingly), e.g. unprotectedUsersHandler.
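One way the rule described above could look, written here as an added example and not code from the plugin itself. The rule name "api-route-references-session-token" is hypothetical; the `create` function uses the ESLint 8 rule API (`context.getFilename()`, `context.report()`, `ExportDefaultDeclaration` and `Program:exit` visitors), while the decision logic lives in small pure helpers so it can be exercised without ESLint:

```javascript
// Added example: minimal ESLint rule for "API route handler must reference sessionToken".
// Hypothetical rule name: api-route-references-session-token (not part of the plugin).
// The helpers below are pure; only `create` depends on the ESLint 8 rule API.

const COOKIE_NAME = 'sessionToken';
const OPT_OUT_PREFIX = 'unprotected';

// Next.js API routes are the JS/TS files under pages/api (path separator may be "\" on Windows).
function isApiRouteFile(filename) {
  return /(^|[\\/])pages[\\/]api[\\/].+\.[cm]?[jt]sx?$/.test(filename);
}

// Students opt out deliberately by starting the handler name with "unprotected",
// e.g. unprotectedUsersHandler.
function isOptedOut(handlerName) {
  return typeof handlerName === 'string' && handlerName.startsWith(OPT_OUT_PREFIX);
}

// Name of the default-exported handler, or null when it is anonymous (arrow function,
// anonymous function expression) so the opt-out cannot apply.
function handlerNameOf(exportDefaultNode) {
  const decl = exportDefaultNode.declaration;
  if (!decl) return null;
  if (decl.type === 'Identifier') return decl.name;          // export default usersHandler;
  if (decl.id && decl.id.type === 'Identifier') return decl.id.name; // export default function usersHandler() {}
  return null;                                               // export default (req, res) => {}
}

// Decide whether a route file deserves a report. Returns the message, or null when it is fine.
function checkApiRoute({ filename, handlerName, referencesSessionToken }) {
  if (!isApiRouteFile(filename)) return null;
  if (isOptedOut(handlerName)) return null;
  if (referencesSessionToken) return null;
  return `API route handler ${handlerName ?? '(anonymous)'} never references the "${COOKIE_NAME}" cookie; ` +
    `check the cookie, or start the handler name with "${OPT_OUT_PREFIX}" to mark it as public on purpose`;
}

const rule = {
  meta: {
    type: 'problem',
    docs: { description: 'API route handlers in pages/api must reference the sessionToken cookie' },
    schema: [],
  },
  create(context) {
    const filename = context.getFilename();
    if (!isApiRouteFile(filename)) return {}; // only lint pages/api files

    let referencesSessionToken = false;
    let defaultExport = null;

    return {
      // Covers req.cookies.sessionToken, const { sessionToken } = req.cookies, ...
      Identifier(node) {
        if (node.name === COOKIE_NAME) referencesSessionToken = true;
      },
      // ... and string lookups such as cookies.get('sessionToken').
      Literal(node) {
        if (node.value === COOKIE_NAME) referencesSessionToken = true;
      },
      ExportDefaultDeclaration(node) {
        defaultExport = node;
      },
      // Evaluate once the whole file has been seen, so a reference after the
      // export (e.g. a helper function declared below it) still counts.
      'Program:exit'() {
        if (!defaultExport) return;
        const message = checkApiRoute({
          filename,
          handlerName: handlerNameOf(defaultExport),
          referencesSessionToken,
        });
        if (message) context.report({ node: defaultExport, message });
      },
    };
  },
};

module.exports = { rule, isApiRouteFile, isOptedOut, handlerNameOf, checkApiRoute };
```

Following the issue's wording ("refers to sessionToken somewhere"), this counts any identifier or string literal named sessionToken anywhere in the file, not just inside the handler, so an unused import or dead reference satisfies it. That is fine for a lint rule that exists to make the omission visible to the student, but it is a nudge, not a security boundary: the rule cannot tell whether the cookie value is actually validated against the session table.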