Allow the admin JWT middleware to parse either Authorization: Bearer <jwt> or a bare JWT value, matching the existing comment. Add tests covering both accepted forms plus missing and empty authorization headers.