fix: disable user API keys when user account is disabled

Security enhancement to prevent disabled users from using API keys:

- Auto-disable all API keys when user is disabled/deleted
- Add user status validation during API key authentication
- Prevent API usage even if key is active but user is disabled
- Add comprehensive logging for security audit trail

This ensures disabled users cannot bypass restrictions through
existing API keys and maintains system security integrity.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

src/services/apiKeyService.js

@@ -126,6 +126,20 @@ class ApiKeyService {
         return { valid: false, error: 'API key has expired' }
       }
 
+      // 如果API Key属于某个用户，检查用户是否被禁用
+      if (keyData.userId) {
+        try {
+          const userService = require('./userService')
+          const user = await userService.getUserById(keyData.userId, false)
+          if (!user || !user.isActive) {
+            return { valid: false, error: 'User account is disabled' }
+          }
+        } catch (error) {
+          logger.error('❌ Error checking user status during API key validation:', error)
+          return { valid: false, error: 'Unable to validate user status' }
+        }
+      }
+
       // 获取使用统计（供返回数据使用）
       const usage = await redis.getUsageStats(keyData.id)