security: 隐私接口全面加固，统一 token 鉴权

- /api/orders/[id] 只返回 id/status/expiresAt，移除 user_name/pay_url 等隐私字段
- /api/orders/[id]/cancel 改为 token 鉴权，服务端验证用户身份后执行取消
- /api/orders (POST 响应) 过滤 userName/userBalance，不向客户端暴露
- /api/user 移除 username/email/balance，只返回 id/status 和 config
- /api/users/[id] 只返回 {id, exists}，不暴露任何隐私信息
- pay/page.tsx 恢复从服务端动态获取 config，无 token 时只显示用户 ID
- pay/orders/page.tsx 无 token 时不查询隐私接口，统一按钮样式
- PaymentQRCode 新增 token prop，无 token 时隐藏取消按钮
- 创建订单失败改为中文错误提示

src/app/api/orders/[id]/route.ts

@@ -1,6 +1,7 @@
 import { NextRequest, NextResponse } from 'next/server';
 import { prisma } from '@/lib/db';
 
+// 仅返回订单状态相关字段，不暴露任何用户隐私信息
 export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params;
 
@@ -8,19 +9,8 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
     where: { id },
     select: {
       id: true,
-      userId: true,
-      userName: true,
-      amount: true,
       status: true,
-      paymentType: true,
-      payUrl: true,
-      qrCode: true,
-      qrCodeImg: true,
       expiresAt: true,
-      paidAt: true,
-      completedAt: true,
-      failedReason: true,
-      createdAt: true,
     },
   });
 
@@ -29,19 +19,8 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
   }
 
   return NextResponse.json({
-    order_id: order.id,
-    user_id: order.userId,
-    user_name: order.userName,
-    amount: Number(order.amount),
+    id: order.id,
     status: order.status,
-    payment_type: order.paymentType,
-    pay_url: order.payUrl,
-    qr_code: order.qrCode,
-    qr_code_img: order.qrCodeImg,
-    expires_at: order.expiresAt,
-    paid_at: order.paidAt,
-    completed_at: order.completedAt,
-    failed_reason: order.failedReason,
-    created_at: order.createdAt,
+    expiresAt: order.expiresAt,
   });
 }