fix: 服务端验证强化 — 房间ID/坐标/swipe/盲盒竞态/空格

- #15: 房间 ID 扩展为 6 位字母数字，createRoom 用 P2002 重试替代 find-then-create
- #16: 盲盒编辑/删除改用 updateMany/deleteMany 原子操作，防止 TOCTOU
- #17: lat/lng 用 Number.isFinite + 范围校验 (-90~90, -180~180)
- #18: swipe action 必须为 'like' 或 'pass'
- #19: user PUT 的 JSON.parse(preferences) 加 try/catch
- #26: requireString 拒绝纯空格字符串

src/app/api/room/[id]/swipe/route.ts

@@ -11,6 +11,9 @@ export const POST = apiHandler(async (req, { params }) => {
   if (restaurantId == null || !action) {
     throw new ApiError("restaurantId and action are required");
   }
+  if (action !== "like" && action !== "pass") {
+    throw new ApiError("action must be 'like' or 'pass'");
+  }
 
   const rid = String(restaurantId);
 

src/app/api/room/create/route.ts

@@ -117,7 +117,10 @@ export const POST = apiHandler(async (req) => {
 
   const sceneConfig = getSceneConfig(scene === "drink" ? "drink" : "eat");
 
-  if (!lat || !lng) {
+  const numLat = Number(lat);
+  const numLng = Number(lng);
+  if (!Number.isFinite(numLat) || !Number.isFinite(numLng) ||
+      numLat < -90 || numLat > 90 || numLng < -180 || numLng > 180) {
     throw new ApiError("无法获取位置信息，请允许定位权限后重试");
   }
 
@@ -125,7 +128,7 @@ export const POST = apiHandler(async (req) => {
 
   const url = new URL("https://restapi.amap.com/v5/place/around");
   url.searchParams.set("key", apiKey);
-  url.searchParams.set("location", `${lng},${lat}`);
+  url.searchParams.set("location", `${numLng},${numLat}`);
   url.searchParams.set("radius", String(radius));
   url.searchParams.set("types", sceneConfig.poiTypes);
   url.searchParams.set("show_fields", "business,photos");