fix: accept EOA-subject admin keys in legacy VerifyJwtKeyForUser

GetKey (the API key exchange handler used by SDK authWithAPIKey) calls
VerifyJwtKeyForUser, which had two bugs that combined to reject every
key generated by the modern create-api-key CLI:

1. It only treated the literal string "apikey" as an admin subject,
   but PR #509 changed CreateAdminKey to require an EOA address as
   the JWT subject — so admin keys never matched the role-based path.
2. For EOA-subject JWTs, even when claimAddress == userWallet, the
   function fell through to "Malform JWT Key Claim" because the
   address-match branch was missing a `return true, nil`.

Add an EOA-subject branch that mirrors the modern verifyAuth contract:
admin-role keys may manage any wallet; non-admin keys are valid only
when subject == userWallet.

Discovered while debugging AvaProtocol/ava-sdk-js#209 CI failures.

Author: weilicious

core/auth/user.go

@@ -85,10 +85,25 @@ func VerifyJwtKeyForUser(secret []byte, key string, userWallet common.Address) (
 			return true, nil
 		}
 
+		// EOA-subject JWTs (issued by `create-api-key` since #509). Two valid cases:
+		//   1. The JWT carries an admin role → it can manage any wallet.
+		//   2. The JWT subject equals the requesting userWallet → per-wallet key.
 		claimAddress := common.HexToAddress(sub)
+
+		if rolesVal, hasRoles := claims["roles"]; hasRoles {
+			if rolesArray, ok := rolesVal.([]any); ok {
+				for _, v := range rolesArray {
+					if roleStr, ok := v.(string); ok && ApiRole(roleStr) == "admin" {
+						return true, nil
+					}
+				}
+			}
+		}
+
 		if claimAddress != userWallet {
 			return false, fmt.Errorf("Invalid Subject")
 		}
+		return true, nil
 	}
 
 	return false, fmt.Errorf("Malform JWT Key Claim")