refactor: improve security, split routes, add API resources and FormRequests

- Fix timing attack vulnerability in AuthController
- Split web.php (316 lines) into 7 focused route files
- Add 8 API Resources for consistent response formatting
- Add 8 FormRequest classes for centralized validation
- Use Resources instead of manual array mapping in controllers

routes/community.php

@@ -0,0 +1,84 @@
+<?php
+
+use App\Http\Controllers\Articles\ArticleController;
+use App\Http\Controllers\Articles\WebsiteArticleCommentsController;
+use App\Http\Controllers\Badge\BadgeController;
+use App\Http\Controllers\Community\LeaderboardController;
+use App\Http\Controllers\Community\PhotosController;
+use App\Http\Controllers\Community\RadioController;
+use App\Http\Controllers\Community\RadioLeaderboardController;
+use App\Http\Controllers\Community\Staff\StaffApplicationsController;
+use App\Http\Controllers\Community\Staff\StaffController;
+use App\Http\Controllers\Community\Staff\WebsiteTeamApplicationsController;
+use App\Http\Controllers\Community\Staff\WebsiteTeamsController;
+use App\Http\Controllers\Community\WebsiteRareValuesController;
+use App\Http\Controllers\RadioContestController;
+use App\Http\Controllers\RadioGiveawayController;
+use App\Http\Controllers\RadioSongRequestController;
+use Illuminate\Support\Facades\Route;
+
+// Community routes
+Route::prefix('community')->group(function () {
+    // Public routes
+    Route::withoutMiddleware('auth')->group(function () {
+        Route::get('/photos', PhotosController::class)->name('photos.index');
+        Route::get('/staff', StaffController::class)->name('staff.index');
+        Route::get('/articles', [ArticleController::class, 'index'])->name('article.index');
+        Route::get('/article/{article:slug}', [ArticleController::class, 'show'])->name('article.show');
+
+        Route::prefix('radio')->group(function () {
+            Route::get('/', [RadioController::class, 'index'])->name('radio.index');
+            Route::get('/rooster', [RadioController::class, 'rooster'])->name('radio.rooster');
+            Route::get('/punten', RadioLeaderboardController::class)->name('radio.leaderboard');
+        });
+    });
+
+    // Authenticated radio routes
+    Route::prefix('radio')->group(function () {
+        Route::get('/shouts', [RadioController::class, 'shouts'])->name('radio.shouts');
+        Route::get('/dj-aanmelden', [RadioController::class, 'apply'])->name('radio.apply');
+        Route::post('/dj-aanmelden', [RadioController::class, 'storeApplication'])->name('radio.apply.store');
+        Route::post('/shouts', [RadioController::class, 'storeShout'])->name('radio.shouts.store');
+        Route::post('/session/start', [RadioController::class, 'startSession'])->name('radio.session.start');
+        Route::post('/session/end', [RadioController::class, 'endSession'])->name('radio.session.end');
+
+        Route::get('/requests', [RadioSongRequestController::class, 'index'])->name('radio.requests.index');
+        Route::post('/requests', [RadioSongRequestController::class, 'store'])->name('radio.requests.store');
+        Route::post('/requests/{songRequest}/vote', [RadioSongRequestController::class, 'vote'])->name('radio.requests.vote');
+
+        Route::get('/contests', [RadioContestController::class, 'index'])->name('radio.contests.index');
+        Route::get('/contests/{contest}', [RadioContestController::class, 'show'])->name('radio.contests.show');
+
+        Route::get('/giveaways', [RadioGiveawayController::class, 'index'])->name('radio.giveaways.index');
+        Route::get('/giveaways/{giveaway}', [RadioGiveawayController::class, 'show'])->name('radio.giveaways.show');
+    });
+
+    Route::get('/teams', WebsiteTeamsController::class)->name('teams.index');
+    Route::get('/draw-badge', [BadgeController::class, 'show'])->name('draw-badge');
+    Route::post('/draw-badge/buy', [BadgeController::class, 'buy'])->name('badge.buy')->middleware('throttle:10,1');
+
+    Route::get('/staff-applications', [StaffApplicationsController::class, 'index'])->name('staff-applications.index');
+    Route::get('/staff-applications/{position}', [StaffApplicationsController::class, 'show'])->name('staff-applications.show');
+    Route::post('/staff-applications/{position}', [StaffApplicationsController::class, 'store'])->name('staff-applications.store');
+
+    Route::get('/team-applications', [WebsiteTeamApplicationsController::class, 'index'])->name('team-applications.index');
+    Route::get('/team-applications/{position}', [WebsiteTeamApplicationsController::class, 'show'])->name('team-applications.show');
+    Route::post('/team-applications/{position}', [WebsiteTeamApplicationsController::class, 'store'])->name('team-applications.store');
+
+    Route::post('/article/{article:slug}/comment', [WebsiteArticleCommentsController::class, 'store'])->name('article.comment.store');
+    Route::delete('/article/{comment}/comment', [WebsiteArticleCommentsController::class, 'destroy'])->name('article.comment.destroy');
+    Route::post('/article/{article:slug}/toggle-reaction', [ArticleController::class, 'toggleReaction'])
+        ->name('article.toggle-reaction')
+        ->middleware('throttle:100,1');
+});
+
+// Leaderboard (public)
+Route::withoutMiddleware('auth')->group(function () {
+    Route::get('/leaderboard', LeaderboardController::class)->name('leaderboard.index');
+});
+
+// Rare values
+Route::get('/values', [WebsiteRareValuesController::class, 'index'])->name('values.index');
+Route::post('/values/search', [WebsiteRareValuesController::class, 'search'])->name('values.search');
+Route::get('/values/category/{id}', [WebsiteRareValuesController::class, 'category'])->name('values.category');
+Route::get('/values/{value}', [WebsiteRareValuesController::class, 'value'])->name('values.value');