refactor: 提取 requireUserId/requireUser/requireMembership 校验工具

- 新增 requireUserId：统一 14 处 userId 非空校验，返回 401
- 新增 requireUser：统一 4 处用户存在性检查，返回 404
- validateMembership 升级为 requireMembership，直接抛 403
- 混合校验拆分为 auth(401) + 字段(400)，状态码更准确

src/app/api/blindbox/draw/route.ts

@@ -1,16 +1,15 @@
 import { NextResponse } from "next/server";
 import { prisma } from "@/lib/prisma";
-import { validateMembership } from "@/lib/blindbox";
-import { apiHandler, ApiError } from "@/lib/api";
+import { requireMembership } from "@/lib/blindbox";
+import { apiHandler, ApiError, requireUserId } from "@/lib/api";
 
 export const POST = apiHandler(async (req) => {
   const { roomId, userId } = await req.json();
 
-  if (!userId || typeof userId !== "string") throw new ApiError("请先登录", 401);
+  requireUserId(userId);
   if (!roomId || typeof roomId !== "string") throw new ApiError("roomId 不能为空");
 
-  const isMember = await validateMembership(roomId, userId);
-  if (!isMember) throw new ApiError("你不是这个房间的成员", 403);
+  await requireMembership(roomId, userId);
 
   const pool = await prisma.blindBoxIdea.findMany({
     where: { roomId, status: "in_pool" },

src/app/api/blindbox/room/[code]/route.ts

@@ -1,7 +1,7 @@
 import { NextResponse } from "next/server";
 import { prisma } from "@/lib/prisma";
 import { getRoomByCode } from "@/lib/blindbox";
-import { apiHandler, ApiError } from "@/lib/api";
+import { apiHandler, ApiError, requireUserId } from "@/lib/api";
 
 export const GET = apiHandler(async (_req, { params }) => {
   const { code } = await params;
@@ -26,7 +26,7 @@ export const DELETE = apiHandler(async (req, { params }) => {
   const { code } = await params;
   const { userId } = await req.json();
 
-  if (!userId) throw new ApiError("缺少用户 ID");
+  requireUserId(userId);
 
   const room = await prisma.blindBoxRoom.findUnique({
     where: { code: code.toUpperCase() },

src/app/api/blindbox/room/join/route.ts

@@ -1,11 +1,11 @@
 import { NextResponse } from "next/server";
 import { prisma } from "@/lib/prisma";
-import { apiHandler, ApiError } from "@/lib/api";
+import { apiHandler, ApiError, requireUserId } from "@/lib/api";
 
 export const POST = apiHandler(async (req) => {
   const { userId, code } = await req.json();
 
-  if (!userId || typeof userId !== "string") throw new ApiError("请先登录", 401);
+  requireUserId(userId);
   if (!code || typeof code !== "string") throw new ApiError("请输入房间号");
 
   const room = await prisma.blindBoxRoom.findUnique({

src/app/api/blindbox/room/route.ts

@@ -1,18 +1,17 @@
 import { NextResponse } from "next/server";
 import { prisma } from "@/lib/prisma";
 import { generateUniqueRoomCode } from "@/lib/blindbox";
-import { apiHandler, ApiError } from "@/lib/api";
+import { apiHandler, ApiError, requireUserId, requireUser } from "@/lib/api";
 
 export const POST = apiHandler(async (req) => {
   const { userId, name } = await req.json();
 
-  if (!userId || typeof userId !== "string") throw new ApiError("请先登录", 401);
+  requireUserId(userId);
 
   const roomName = (name || "").trim() || "我们的周末";
   if (roomName.length > 30) throw new ApiError("房间名不能超过 30 个字");
 
-  const user = await prisma.user.findUnique({ where: { id: userId } });
-  if (!user) throw new ApiError("用户不存在", 404);
+  await requireUser(userId);
 
   const code = await generateUniqueRoomCode();
 

src/app/api/blindbox/rooms/route.ts

@@ -1,10 +1,9 @@
 import { NextResponse } from "next/server";
 import { prisma } from "@/lib/prisma";
-import { apiHandler, ApiError } from "@/lib/api";
+import { apiHandler, requireUserId } from "@/lib/api";
 
 export const GET = apiHandler(async (req) => {
-  const userId = req.nextUrl.searchParams.get("userId");
-  if (!userId) throw new ApiError("请先登录", 401);
+  const userId = requireUserId(req.nextUrl.searchParams.get("userId"));
 
   const memberships = await prisma.blindBoxMember.findMany({
     where: { userId },

src/app/api/blindbox/route.ts

@@ -1,20 +1,19 @@
 import { NextResponse } from "next/server";
 import { prisma } from "@/lib/prisma";
-import { validateMembership } from "@/lib/blindbox";
-import { apiHandler, ApiError } from "@/lib/api";
+import { requireMembership } from "@/lib/blindbox";
+import { apiHandler, ApiError, requireUserId } from "@/lib/api";
 
 export const POST = apiHandler(async (req) => {
   const { roomId, userId, content } = await req.json();
 
-  if (!userId || typeof userId !== "string") throw new ApiError("请先登录", 401);
+  requireUserId(userId);
   if (!roomId || typeof roomId !== "string") throw new ApiError("roomId 不能为空");
   if (!content || typeof content !== "string" || content.trim().length === 0) {
     throw new ApiError("内容不能为空");
   }
   if (content.trim().length > 200) throw new ApiError("内容不能超过 200 字");
 
-  const isMember = await validateMembership(roomId, userId);
-  if (!isMember) throw new ApiError("你不是这个房间的成员", 403);
+  await requireMembership(roomId, userId);
 
   const idea = await prisma.blindBoxIdea.create({
     data: { roomId, userId, content: content.trim() },
@@ -25,13 +24,11 @@ export const POST = apiHandler(async (req) => {
 
 export const GET = apiHandler(async (req) => {
   const roomId = req.nextUrl.searchParams.get("roomId");
-  const userId = req.nextUrl.searchParams.get("userId");
+  const userId = requireUserId(req.nextUrl.searchParams.get("userId"));
 
   if (!roomId) throw new ApiError("缺少 roomId");
-  if (!userId) throw new ApiError("请先登录", 401);
 
-  const isMember = await validateMembership(roomId, userId);
-  if (!isMember) throw new ApiError("你不是这个房间的成员", 403);
+  await requireMembership(roomId, userId);
 
   const [poolCount, myIdeas, drawn] = await Promise.all([
     prisma.blindBoxIdea.count({
@@ -58,7 +55,7 @@ export const GET = apiHandler(async (req) => {
 export const PUT = apiHandler(async (req) => {
   const { ideaId, userId, content } = await req.json();
 
-  if (!userId) throw new ApiError("请先登录", 401);
+  requireUserId(userId);
   if (!ideaId) throw new ApiError("缺少 ideaId");
   if (!content || typeof content !== "string" || content.trim().length === 0) {
     throw new ApiError("内容不能为空");
@@ -81,7 +78,7 @@ export const PUT = apiHandler(async (req) => {
 export const DELETE = apiHandler(async (req) => {
   const { ideaId, userId } = await req.json();
 
-  if (!userId) throw new ApiError("请先登录", 401);
+  requireUserId(userId);
   if (!ideaId) throw new ApiError("缺少 ideaId");
 
   const idea = await prisma.blindBoxIdea.findUnique({ where: { id: ideaId } });

src/app/api/room/[id]/join/route.ts

@@ -1,13 +1,13 @@
 import { NextResponse } from "next/server";
 import { atomicUpdateRoom } from "@/lib/store";
 import { notify } from "@/lib/roomEvents";
-import { apiHandler, ApiError } from "@/lib/api";
+import { apiHandler, ApiError, requireUserId } from "@/lib/api";
 
 export const POST = apiHandler(async (req, { params }) => {
   const { id } = await params;
   const { userId } = await req.json();
 
-  if (!userId) throw new ApiError("userId required");
+  requireUserId(userId);
 
   const updated = await atomicUpdateRoom(id, (data) => {
     if (data.kickedUsers.includes(userId)) {

src/app/api/room/[id]/manage/route.ts

@@ -1,15 +1,14 @@
 import { NextResponse } from "next/server";
 import { atomicUpdateRoom } from "@/lib/store";
 import { notify } from "@/lib/roomEvents";
-import { apiHandler, ApiError } from "@/lib/api";
+import { apiHandler, ApiError, requireUserId } from "@/lib/api";
 
 export const POST = apiHandler(async (req, { params }) => {
   const { id } = await params;
   const { userId, action, targetUserId } = await req.json();
 
-  if (!userId || !action) {
-    throw new ApiError("userId and action required");
-  }
+  requireUserId(userId);
+  if (!action) throw new ApiError("action required");
 
   const updated = await atomicUpdateRoom(id, (data) => {
     if (data.creatorId !== userId) {

src/app/api/room/[id]/swipe/route.ts

@@ -1,14 +1,15 @@
 import { NextResponse } from "next/server";
 import { atomicUpdateRoom } from "@/lib/store";
 import { notify } from "@/lib/roomEvents";
-import { apiHandler, ApiError } from "@/lib/api";
+import { apiHandler, ApiError, requireUserId } from "@/lib/api";
 
 export const POST = apiHandler(async (req, { params }) => {
   const { id } = await params;
   const { userId, restaurantId, action } = await req.json();
 
-  if (!userId || restaurantId == null || !action) {
-    throw new ApiError("userId, restaurantId, and action are required");
+  requireUserId(userId);
+  if (restaurantId == null || !action) {
+    throw new ApiError("restaurantId and action are required");
   }
 
   const rid = String(restaurantId);

src/app/api/room/[id]/undo/route.ts

@@ -1,15 +1,14 @@
 import { NextResponse } from "next/server";
 import { atomicUpdateRoom } from "@/lib/store";
 import { notify } from "@/lib/roomEvents";
-import { apiHandler, ApiError } from "@/lib/api";
+import { apiHandler, ApiError, requireUserId } from "@/lib/api";
 
 export const POST = apiHandler(async (req, { params }) => {
   const { id } = await params;
   const { userId, restaurantId } = await req.json();
 
-  if (!userId || restaurantId == null) {
-    throw new ApiError("userId and restaurantId are required");
-  }
+  requireUserId(userId);
+  if (restaurantId == null) throw new ApiError("restaurantId is required");
 
   const rid = String(restaurantId);
 

src/app/api/user/favorite/route.ts

@@ -1,6 +1,6 @@
 import { NextResponse } from "next/server";
 import { prisma } from "@/lib/prisma";
-import { apiHandler, ApiError } from "@/lib/api";
+import { apiHandler, ApiError, requireUserId, requireUser } from "@/lib/api";
 
 export const GET = apiHandler(async (req) => {
   const userId = req.nextUrl.searchParams.get("userId");
@@ -24,10 +24,10 @@ export const GET = apiHandler(async (req) => {
 export const POST = apiHandler(async (req) => {
   const { userId, restaurant } = await req.json();
 
-  if (!userId || !restaurant) throw new ApiError("缺少必要字段");
+  requireUserId(userId);
+  if (!restaurant) throw new ApiError("缺少必要字段");
 
-  const user = await prisma.user.findUnique({ where: { id: userId } });
-  if (!user) throw new ApiError("请先设置个人资料", 404);
+  await requireUser(userId);
 
   const existing = await prisma.favorite.findFirst({
     where: {
@@ -53,7 +53,8 @@ export const POST = apiHandler(async (req) => {
 export const DELETE = apiHandler(async (req) => {
   const { userId, favoriteId } = await req.json();
 
-  if (!userId || !favoriteId) throw new ApiError("缺少必要字段");
+  requireUserId(userId);
+  if (!favoriteId) throw new ApiError("缺少必要字段");
 
   const fav = await prisma.favorite.findUnique({ where: { id: favoriteId } });
   if (!fav || fav.userId !== userId) throw new ApiError("收藏不存在", 404);

src/app/api/user/history/route.ts

@@ -1,6 +1,6 @@
 import { NextResponse } from "next/server";
 import { prisma } from "@/lib/prisma";
-import { apiHandler, ApiError } from "@/lib/api";
+import { apiHandler, ApiError, requireUserId, requireUser } from "@/lib/api";
 
 const MAX_HISTORY = 50;
 
@@ -31,12 +31,12 @@ export const POST = apiHandler(async (req) => {
   const { userId, roomId, restaurant, matchType, participants } =
     await req.json();
 
-  if (!userId || !roomId || !restaurant || !matchType) {
+  requireUserId(userId);
+  if (!roomId || !restaurant || !matchType) {
     throw new ApiError("缺少必要字段");
   }
 
-  const user = await prisma.user.findUnique({ where: { id: userId } });
-  if (!user) throw new ApiError("用户未注册", 404);
+  await requireUser(userId);
 
   const existing = await prisma.decision.findFirst({
     where: { userId, roomId },

src/app/api/user/route.ts

@@ -1,7 +1,7 @@
 import { NextResponse } from "next/server";
 import { prisma } from "@/lib/prisma";
 import bcrypt from "bcryptjs";
-import { apiHandler, ApiError } from "@/lib/api";
+import { apiHandler, ApiError, requireUserId, requireUser } from "@/lib/api";
 
 export const GET = apiHandler(async (req) => {
   const userId = req.nextUrl.searchParams.get("id");
@@ -27,10 +27,8 @@ export const PUT = apiHandler(async (req) => {
   const body = await req.json();
   const { userId } = body;
 
-  if (!userId) throw new ApiError("缺少用户 ID");
-
-  const existing = await prisma.user.findUnique({ where: { id: userId } });
-  if (!existing) throw new ApiError("用户不存在", 404);
+  requireUserId(userId);
+  const existing = await requireUser(userId);
 
   const updateData: Record<string, unknown> = {};
 

src/lib/api.ts

@@ -1,4 +1,5 @@
 import { NextRequest, NextResponse } from "next/server";
+import { prisma } from "@/lib/prisma";
 
 export class ApiError extends Error {
   constructor(
@@ -9,6 +10,21 @@ export class ApiError extends Error {
   }
 }
 
+/** Validates that value is a non-empty string; throws 401 otherwise. */
+export function requireUserId(value: unknown): string {
+  if (!value || typeof value !== "string") {
+    throw new ApiError("请先登录", 401);
+  }
+  return value;
+}
+
+/** Finds user by ID; throws 404 if not found. */
+export async function requireUser(userId: string) {
+  const user = await prisma.user.findUnique({ where: { id: userId } });
+  if (!user) throw new ApiError("用户不存在", 404);
+  return user;
+}
+
 type RouteContext = { params: Promise<Record<string, string>> };
 
 type RouteHandler = (

src/lib/blindbox.ts

@@ -1,4 +1,5 @@
 import { prisma } from "@/lib/prisma";
+import { ApiError } from "@/lib/api";
 
 export function generateRoomCode(): string {
   const chars = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
@@ -18,11 +19,13 @@ export async function generateUniqueRoomCode(): Promise<string> {
   throw new Error("无法生成唯一房间号");
 }
 
-export async function validateMembership(roomId: string, userId: string) {
+/** Throws 403 if user is not a member of the room. */
+export async function requireMembership(roomId: string, userId: string) {
   const member = await prisma.blindBoxMember.findUnique({
     where: { roomId_userId: { roomId, userId } },
   });
-  return !!member;
+  if (!member) throw new ApiError("你不是这个房间的成员", 403);
+  return member;
 }
 
 export async function getRoomByCode(code: string) {