refactor: 提取 requireUserId/requireUser/requireMembership 校验工具

- 新增 requireUserId：统一 14 处 userId 非空校验，返回 401
- 新增 requireUser：统一 4 处用户存在性检查，返回 404
- validateMembership 升级为 requireMembership，直接抛 403
- 混合校验拆分为 auth(401) + 字段(400)，状态码更准确

src/app/api/blindbox/draw/route.ts

@@ -1,16 +1,15 @@
 import { NextResponse } from "next/server";
 import { prisma } from "@/lib/prisma";
-import { validateMembership } from "@/lib/blindbox";
-import { apiHandler, ApiError } from "@/lib/api";
+import { requireMembership } from "@/lib/blindbox";
+import { apiHandler, ApiError, requireUserId } from "@/lib/api";
 
 export const POST = apiHandler(async (req) => {
   const { roomId, userId } = await req.json();
 
-  if (!userId || typeof userId !== "string") throw new ApiError("请先登录", 401);
+  requireUserId(userId);
   if (!roomId || typeof roomId !== "string") throw new ApiError("roomId 不能为空");
 
-  const isMember = await validateMembership(roomId, userId);
-  if (!isMember) throw new ApiError("你不是这个房间的成员", 403);
+  await requireMembership(roomId, userId);
 
   const pool = await prisma.blindBoxIdea.findMany({
     where: { roomId, status: "in_pool" },