@v_risalab i figured it out. The acp code uses browserify and the widget code uses webpack!
Restrict access on /users and /api/users if not logged
ACP -> Settings -> Guests
Thanks @pichalite .
Actually the guests can access the /users page and /api/users.
The setting will hide the search fields, but they can see the page anyway and use the pagination to see the users.
I've finally added this on my routeSetup:
routeHelpers.setupPageRoute( router, '/users', middleware, [middleware.checkGlobalPrivacySettings, middleware.requireUser], usersController.index);
and now I get the "Access denied" page that I wanted.
Thanks for the help.