refactor: improve security, split routes, add API resources and FormRequests

- Fix timing attack vulnerability in AuthController
- Split web.php (316 lines) into 7 focused route files
- Add 8 API Resources for consistent response formatting
- Add 8 FormRequest classes for centralized validation
- Use Resources instead of manual array mapping in controllers

routes/shop.php

@@ -0,0 +1,20 @@
+<?php
+
+use App\Http\Controllers\Shop\PayPalController;
+use App\Http\Controllers\Shop\ShopController;
+use App\Http\Controllers\Shop\ShopVoucherController;
+use Illuminate\Support\Facades\Route;
+
+// Shop routes
+Route::prefix('shop')->group(function () {
+    Route::get('/{category:slug?}', ShopController::class)->name('shop.index')->withoutMiddleware('auth');
+    Route::post('/purchase/{package}', [ShopController::class, 'purchase'])->name('shop.buy')->middleware('throttle:10,1');
+    Route::post('/voucher', ShopVoucherController::class)->name('shop.use-voucher')->middleware('throttle:10,1');
+});
+
+// PayPal routes
+Route::controller(PayPalController::class)->prefix('paypal')->group(function () {
+    Route::get('/process-transaction', 'process')->name('paypal.process-transaction');
+    Route::get('/successful-transaction', 'successful')->name('paypal.successful-transaction');
+    Route::get('/cancelled-transaction', 'cancelled')->name('paypal.cancelled-transaction');
+});