refactor(P0): JWT 认证、并发安全、错误日志三项安全加固

- 新增 JWT httpOnly cookie 认证链路 (jose)，登录/注册签发 token，
  所有用户和盲盒 API 改为从 cookie 提取 userId，不再信任客户端传值
- 新增 /api/auth/logout 端点清除认证 cookie
- GET /api/user 区分 owner/非 owner，非 owner 不暴露 email
- atomicUpdateRoom 新增 per-room 应用层互斥锁，防止 SQLite 下并发 lost update
- 修复 getRoomData 中 fire-and-forget delete 改为 await
- 37 个静默 catch 块跨 17 个文件添加 console.error 日志
- 新增 REFACTOR_PLAN.md 全景分析文档

src/app/api/blindbox/room/[code]/route.ts

@@ -1,7 +1,8 @@
 import { NextResponse } from "next/server";
 import { prisma } from "@/lib/prisma";
 import { getRoomByCode, requireMembership } from "@/lib/blindbox";
-import { apiHandler, ApiError, requireUserId } from "@/lib/api";
+import { apiHandler, ApiError } from "@/lib/api";
+import { getAuthUserId } from "@/lib/auth";
 
 export const GET = apiHandler(async (_req, { params }) => {
   const { code } = await params;
@@ -27,10 +28,9 @@ export const GET = apiHandler(async (_req, { params }) => {
 });
 
 export const PATCH = apiHandler(async (req, { params }) => {
+  const userId = await getAuthUserId(req);
   const { code } = await params;
-  const { userId, city, address, lat, lng } = await req.json();
-
-  requireUserId(userId);
+  const { city, address, lat, lng } = await req.json();
 
   const room = await prisma.blindBoxRoom.findUnique({
     where: { code: code.toUpperCase() },
@@ -67,10 +67,8 @@ export const PATCH = apiHandler(async (req, { params }) => {
 });
 
 export const DELETE = apiHandler(async (req, { params }) => {
+  const userId = await getAuthUserId(req);
   const { code } = await params;
-  const { userId } = await req.json();
-
-  requireUserId(userId);
 
   const room = await prisma.blindBoxRoom.findUnique({
     where: { code: code.toUpperCase() },