fix(payments): harden payment flow with idempotency keys, amount validation, and magic byte file validation
- Add dedicated idempotencyKey column with unique constraint (userId, provider, idempotencyKey) to prevent duplicate payments at DB level
- Add @Min(1) @Max(100B) validators on amountVND in CreatePaymentDto to reject invalid amounts at API boundary
- Replace read-check-write callback handler with atomic updateIfStatus to eliminate race condition on concurrent callbacks
- Add magic byte verification in FileValidationPipe to validate file content matches declared MIME type server-side

Co-Authored-By: Paperclip <noreply@paperclip.ing>
@@ -62,7 +62,7 @@ export class PaymentsController {
|
||||
user.sub,
|
||||
dto.provider,
|
||||
dto.type,
|
||||
dto.amountVND,
|
||||
BigInt(dto.amountVND),
|
||||
dto.description,
|
||||
dto.returnUrl,
|
||||
ip || '127.0.0.1',
|
||||
|
||||
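Review bot: `BigInt(dto.amountVND)` in this hunk throws a `RangeError` at runtime if `amountVND` arrives as a non-integer number (for example `100.5`), so the conversion would surface as an unhandled server error rather than the API-boundary validation failure the commit message describes. The `@Min(1)`/`@Max` validators mentioned in the message bound the range but do not on their own reject fractional values; consider also enforcing integer-ness on `amountVND` in `CreatePaymentDto` (class-validator's `@IsInt()`), so that a malformed amount is rejected as a 400 before this line is reached.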