Rest API Authorization

https://docs.woocommerce.com/wc-apidocs/source-class-WC_REST_Authentication.html does not seem to be working as it should.
On the site I’m building it lets anyone access for example /wp-json/wc/v1/orders which is unacceptable. When debugging I find that the $user variable don’t ever get set. Because there are no basic_auth parameters the perform_basic_authentication() returns on line 157. $this->perform_oauth_authentication() is then returned in the authenticate() function on line 89 and since there are no oauth parameters the perform_oauth_authentication() function returns false on line 319. All this is before any setting of the $user variable.

This in turn leads to the check_user_permissions() function to directly return $result (which is empty) on line 608. That as far as I can see leads to wordpress delivering the data because no error was thrown when checking permissions in woocommerce.

Is this a real bug or what am I missing?