
security: enforce room socket membership#200

Open
saurabhhhcodes wants to merge 1 commit into ThePlator:main from saurabhhhcodes:fix/room-socket-auth-193

Conversation

@saurabhhhcodes


📌 Description

  • Type: Security / Bug Fix / Tests
  • Summary: Server-side room authorization now tracks room members and host identity instead of trusting client-supplied roomId/guestId payloads. Guests can only join the room encoded in their token, room messages require membership, guest removal requires the room host, and Pomodoro room control is also host-gated.

🔗 Related Issues

✅ Checklist

  • Code compiles and runs clean
  • Added/Updated documentation
  • Added/Updated tests
  • Linted and formatted code
  • Related issue linked
  • No sensitive data added

📸 Screenshots (if applicable)

Not applicable; backend socket authorization change.

💬 Notes for Reviewers

This keeps the frontend event payloads unchanged and rejects unauthorized socket events with a roomError event, so clients can add UI handling without changing the security boundary.

🧪 How to Test This PR

cd backend
npm install --ignore-scripts
npm test -- roomSocketAuth.test.js
npm test
cd ..
node --check backend/server.js
node --check backend/tests/roomSocketAuth.test.js
git diff --check

Local result: backend suite passed with 14 test files and 77 tests.

📦 Tech Stack

  • Node.js
  • Express
  • MongoDB
  • Socket.IO
  • Next.js

@vercel

vercel Bot commented May 31, 2026


Someone is attempting to deploy a commit to the Sameer's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions Bot added level:advanced Advanced level difficulty quality:clean Clean code quality type:security Security gssoc:approved Approved for GirlScript Summer of Code labels May 31, 2026


Development

Successfully merging this pull request may close these issues.

Room socket events do not enforce room membership or host permissions
