refactor(P0): JWT 认证、并发安全、错误日志三项安全加固

- 新增 JWT httpOnly cookie 认证链路 (jose)，登录/注册签发 token，
  所有用户和盲盒 API 改为从 cookie 提取 userId，不再信任客户端传值
- 新增 /api/auth/logout 端点清除认证 cookie
- GET /api/user 区分 owner/非 owner，非 owner 不暴露 email
- atomicUpdateRoom 新增 per-room 应用层互斥锁，防止 SQLite 下并发 lost update
- 修复 getRoomData 中 fire-and-forget delete 改为 await
- 37 个静默 catch 块跨 17 个文件添加 console.error 日志
- 新增 REFACTOR_PLAN.md 全景分析文档

src/app/api/user/achievements/route.ts

@@ -1,20 +1,20 @@
 import { NextResponse } from "next/server";
 import { prisma } from "@/lib/prisma";
-import { apiHandler, requireUserId } from "@/lib/api";
+import { apiHandler } from "@/lib/api";
+import { getAuthUserId } from "@/lib/auth";
 
 export const GET = apiHandler(async (req) => {
-  const userId = req.nextUrl.searchParams.get("userId");
-  requireUserId(userId);
+  const userId = await getAuthUserId(req);
 
   const [decisions, contracts] = await Promise.all([
     prisma.decision.findMany({
-      where: { userId: userId! },
+      where: { userId },
       orderBy: { createdAt: "desc" },
       take: 50,
     }),
     prisma.weekendPlan.findMany({
       where: {
-        userId: userId!,
+        userId,
         status: { in: ["completed", "expired"] },
       },
       orderBy: { createdAt: "desc" },

src/app/api/user/favorite/route.ts

@@ -1,11 +1,11 @@
 import { NextResponse } from "next/server";
 import { prisma } from "@/lib/prisma";
 import { Prisma } from "@prisma/client";
-import { apiHandler, ApiError, requireUserId, requireUser } from "@/lib/api";
+import { apiHandler, ApiError, requireUser } from "@/lib/api";
+import { getAuthUserId } from "@/lib/auth";
 
 export const GET = apiHandler(async (req) => {
-  const userId = req.nextUrl.searchParams.get("userId");
-  if (!userId) return NextResponse.json([]);
+  const userId = await getAuthUserId(req);
 
   const favorites = await prisma.favorite.findMany({
     where: { userId },
@@ -23,9 +23,9 @@ export const GET = apiHandler(async (req) => {
 });
 
 export const POST = apiHandler(async (req) => {
-  const { userId, restaurant } = await req.json();
+  const userId = await getAuthUserId(req);
+  const { restaurant } = await req.json();
 
-  requireUserId(userId);
   if (!restaurant?.id || typeof restaurant.id !== "string") {
     throw new ApiError("缺少必要字段");
   }
@@ -53,9 +53,9 @@ export const POST = apiHandler(async (req) => {
 });
 
 export const DELETE = apiHandler(async (req) => {
-  const { userId, favoriteId } = await req.json();
+  const userId = await getAuthUserId(req);
+  const { favoriteId } = await req.json();
 
-  requireUserId(userId);
   if (!favoriteId) throw new ApiError("缺少必要字段");
 
   const fav = await prisma.favorite.findUnique({ where: { id: favoriteId } });

src/app/api/user/history/route.ts

@@ -1,12 +1,12 @@
 import { NextResponse } from "next/server";
 import { prisma } from "@/lib/prisma";
-import { apiHandler, ApiError, requireUserId, requireUser } from "@/lib/api";
+import { apiHandler, ApiError, requireUser } from "@/lib/api";
+import { getAuthUserId } from "@/lib/auth";
 
 const MAX_HISTORY = 50;
 
 export const GET = apiHandler(async (req) => {
-  const userId = req.nextUrl.searchParams.get("userId");
-  if (!userId) return NextResponse.json([]);
+  const userId = await getAuthUserId(req);
 
   const decisions = await prisma.decision.findMany({
     where: { userId },
@@ -28,10 +28,9 @@ export const GET = apiHandler(async (req) => {
 });
 
 export const POST = apiHandler(async (req) => {
-  const { userId, roomId, restaurant, matchType, participants } =
-    await req.json();
+  const userId = await getAuthUserId(req);
+  const { roomId, restaurant, matchType, participants } = await req.json();
 
-  requireUserId(userId);
   if (!roomId || !restaurant || !matchType) {
     throw new ApiError("缺少必要字段");
   }

src/app/api/user/route.ts

@@ -2,17 +2,29 @@ import { NextResponse } from "next/server";
 import { prisma } from "@/lib/prisma";
 import { Prisma } from "@prisma/client";
 import bcrypt from "bcryptjs";
-import { apiHandler, ApiError, requireUserId, requireUser } from "@/lib/api";
+import { apiHandler, ApiError, requireUser } from "@/lib/api";
 import { validateUsername, validatePassword, validateEmail } from "@/lib/validation";
+import { getAuthUserId } from "@/lib/auth";
 
 export const GET = apiHandler(async (req) => {
-  const userId = req.nextUrl.searchParams.get("id");
-  if (!userId) return NextResponse.json(null);
+  // GET still allows querying by id param (for public profile viewing)
+  // but sensitive fields are only shown to the owner
+  const queryId = req.nextUrl.searchParams.get("id");
+  if (!queryId) return NextResponse.json(null);
 
-  const user = await prisma.user.findUnique({ where: { id: userId } });
+  const user = await prisma.user.findUnique({ where: { id: queryId } });
   if (!user) return NextResponse.json(null);
 
-  const decisionCount = await prisma.decision.count({ where: { userId } });
+  const decisionCount = await prisma.decision.count({ where: { userId: queryId } });
+
+  // Check if the requester is the profile owner
+  let isOwner = false;
+  try {
+    const authId = await getAuthUserId(req);
+    isOwner = authId === queryId;
+  } catch {
+    // Not logged in — show public profile only
+  }
 
   let preferences = {};
   try { preferences = JSON.parse(user.preferences); } catch { /* fallback */ }
@@ -21,18 +33,17 @@ export const GET = apiHandler(async (req) => {
     id: user.id,
     username: user.username,
     avatar: user.avatar,
-    email: user.email,
-    preferences,
+    email: isOwner ? user.email : undefined,
+    preferences: isOwner ? preferences : undefined,
     createdAt: user.createdAt.toISOString(),
     decisionCount,
   });
 });
 
 export const PUT = apiHandler(async (req) => {
+  const userId = await getAuthUserId(req);
   const body = await req.json();
-  const { userId } = body;
 
-  requireUserId(userId);
   const existing = await requireUser(userId);
 
   const updateData: Record<string, unknown> = {};