fix: API 路由安全加固与架构优化 — 认证、错误处理、Registry 统一

- /api/user 添加 token 认证，防止用户枚举
- Admin token 支持 Authorization header
- /api/orders/my 区分认证失败和服务端错误
- Admin orders userId/date 参数校验
- Decimal 字段统一 Number() 转换
- 抽取 handleApiError/extractHeaders 工具函数
- Webhook 路由改用 Registry 获取 Provider
- PaymentRegistry lazy init 自动初始化

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/app/api/stripe/webhook/route.ts

@@ -1,21 +1,18 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { initPaymentProviders, paymentRegistry } from '@/lib/payment';
+import { paymentRegistry } from '@/lib/payment';
 import type { PaymentType } from '@/lib/payment';
 import { handlePaymentNotify } from '@/lib/order/service';
+import { extractHeaders } from '@/lib/utils/api';
 
 // Stripe needs raw body - ensure Next.js doesn't parse it
 export const dynamic = 'force-dynamic';
 
 export async function POST(request: NextRequest): Promise<NextResponse> {
   try {
-    initPaymentProviders();
     const provider = paymentRegistry.getProvider('stripe' as PaymentType);
 
     const rawBody = Buffer.from(await request.arrayBuffer());
-    const headers: Record<string, string> = {};
-    request.headers.forEach((value, key) => {
-      headers[key.toLowerCase()] = value;
-    });
+    const headers = extractHeaders(request);
 
     const notification = await provider.verifyNotification(rawBody, headers);
     if (!notification) {