Add additional validation checks

These additional checks aren't necessary in theory (and we do already have tests covering these edge cases), but I think they still make sense to make them explicit and to be more resilient against potential future changes.

aleph/model/role.py

@@ -1,7 +1,7 @@
 import logging
 from datetime import datetime, timezone
 from normality import stringify
-from sqlalchemy import or_, not_, func
+from sqlalchemy import and_, or_, not_, func
 from itsdangerous import URLSafeTimedSerializer
 from werkzeug.security import generate_password_hash, check_password_hash
 
@@ -197,13 +197,18 @@ def by_email(cls, email):
 
     @classmethod
     def by_api_key(cls, api_key):
-        if api_key is None:
+        if api_key is None or not len(api_key.strip()):
             return None
 
         q = cls.all()
 
         digest = hash_api_key(api_key)
-        q = q.filter(cls.api_key_digest == digest)
+        q = q.filter(
+            and_(
+                cls.api_key_digest != None,  # noqa: E711
+                cls.api_key_digest == digest,
+            )
+        )
 
         utcnow = datetime.now(timezone.utc)
         # TODO: Exclude API keys without expiration date after deadline