refactor: 提取 requireUserId/requireUser/requireMembership 校验工具

- 新增 requireUserId：统一 14 处 userId 非空校验，返回 401
- 新增 requireUser：统一 4 处用户存在性检查，返回 404
- validateMembership 升级为 requireMembership，直接抛 403
- 混合校验拆分为 auth(401) + 字段(400)，状态码更准确

src/lib/api.ts

@@ -1,4 +1,5 @@
 import { NextRequest, NextResponse } from "next/server";
+import { prisma } from "@/lib/prisma";
 
 export class ApiError extends Error {
   constructor(
@@ -9,6 +10,21 @@ export class ApiError extends Error {
   }
 }
 
+/** Validates that value is a non-empty string; throws 401 otherwise. */
+export function requireUserId(value: unknown): string {
+  if (!value || typeof value !== "string") {
+    throw new ApiError("请先登录", 401);
+  }
+  return value;
+}
+
+/** Finds user by ID; throws 404 if not found. */
+export async function requireUser(userId: string) {
+  const user = await prisma.user.findUnique({ where: { id: userId } });
+  if (!user) throw new ApiError("用户不存在", 404);
+  return user;
+}
+
 type RouteContext = { params: Promise<Record<string, string>> };
 
 type RouteHandler = (