update default limit of apikey number per user to one and disallow key deletion by default

src/routes/userRoutes.js

@@ -208,7 +208,8 @@ router.get('/profile', authenticateUser, async (req, res) => {
         totalUsage: user.totalUsage
       },
       config: {
-        maxApiKeysPerUser: config.userManagement.maxApiKeysPerUser
+        maxApiKeysPerUser: config.userManagement.maxApiKeysPerUser,
+        allowUserDeleteApiKeys: config.userManagement.allowUserDeleteApiKeys
       }
     })
   } catch (error) {
@@ -352,6 +353,15 @@ router.delete('/api-keys/:keyId', authenticateUser, async (req, res) => {
   try {
     const { keyId } = req.params
 
+    // 检查是否允许用户删除自己的API Keys
+    if (!config.userManagement.allowUserDeleteApiKeys) {
+      return res.status(403).json({
+        error: 'Operation not allowed',
+        message:
+          'Users are not allowed to delete their own API keys. Please contact an administrator.'
+      })
+    }
+
     // 检查API Key是否属于当前用户
     const existingKey = await apiKeyService.getApiKeyById(keyId)
     if (!existingKey || existingKey.userId !== req.user.id) {

src/services/userService.js

@@ -534,9 +534,15 @@ class UserService {
 
       // 构建匹配字符串数组（只考虑displayName、username、email，去除空值和重复值）
       const matchStrings = new Set()
-      if (displayName) matchStrings.add(displayName.toLowerCase().trim())
-      if (username) matchStrings.add(username.toLowerCase().trim())
-      if (email) matchStrings.add(email.toLowerCase().trim())
+      if (displayName) {
+        matchStrings.add(displayName.toLowerCase().trim())
+      }
+      if (username) {
+        matchStrings.add(username.toLowerCase().trim())
+      }
+      if (email) {
+        matchStrings.add(email.toLowerCase().trim())
+      }
 
       const matchingKeys = []