refactor(P0): JWT 认证、并发安全、错误日志三项安全加固

- 新增 JWT httpOnly cookie 认证链路 (jose)，登录/注册签发 token，
  所有用户和盲盒 API 改为从 cookie 提取 userId，不再信任客户端传值
- 新增 /api/auth/logout 端点清除认证 cookie
- GET /api/user 区分 owner/非 owner，非 owner 不暴露 email
- atomicUpdateRoom 新增 per-room 应用层互斥锁，防止 SQLite 下并发 lost update
- 修复 getRoomData 中 fire-and-forget delete 改为 await
- 37 个静默 catch 块跨 17 个文件添加 console.error 日志
- 新增 REFACTOR_PLAN.md 全景分析文档

src/app/api/auth/register/route.ts

@@ -4,6 +4,7 @@ import { Prisma } from "@prisma/client";
 import bcrypt from "bcryptjs";
 import { apiHandler, ApiError } from "@/lib/api";
 import { validateUsername, validatePassword } from "@/lib/validation";
+import { signToken, setAuthCookie } from "@/lib/auth";
 
 export const POST = apiHandler(async (req) => {
   const { username, password, avatar } = await req.json();
@@ -24,11 +25,14 @@ export const POST = apiHandler(async (req) => {
       },
     });
 
-    return NextResponse.json({
+    const token = await signToken(user.id);
+    const res = NextResponse.json({
       id: user.id,
       username: user.username,
       avatar: user.avatar,
     });
+
+    return setAuthCookie(res, token);
   } catch (e) {
     if (e instanceof Prisma.PrismaClientKnownRequestError && e.code === "P2002") {
       throw new ApiError("用户名已被注册", 409);