
Ideate

by Hymieincorrupt440

Overview

A real-time web application for collaborative idea formation and sharing among multiple users.

Installation

Run Command
pnpm dev

Environment Variables

  • DATABASE_URL
  • JWT_SECRET

Security Notes

CRITICAL security vulnerabilities identified:

1. **Hardcoded JWT Secret:** `JWT_SECRET` has a hardcoded fallback value of "randomPhoenixSecret", which is highly insecure and makes all JWTs easily forgeable if used in production.
2. **Hardcoded Authentication Bypass (WebSockets):** The `ws-backend` explicitly allows connections with `token === "123abcd"` and assigns a fixed `userId`. This bypasses all authentication, allowing unauthorized access to the WebSocket server with a privileged user ID.
3. **Unauthenticated Room Access (HTTP Backend):** The `/api/v1/room/chat/:slug` endpoint (used by the frontend to fetch room details) does not require any authentication, allowing anyone to query room information by slug.
4. **Client-side Hardcoded Token:** The `useSocket` hook in the frontend (`apps/web/hooks/useSockets.ts`) explicitly sends `?token=123abcd` to the WebSocket server, relying on the hardcoded bypass. This means client-side "authentication" for WebSockets is completely broken.
5. **Missing Input Validation:** `ws-backend`'s `TODO` notes indicate missing message validation, which could lead to XSS or other injection attacks if the frontend doesn't adequately sanitize inputs.
6. **No Rate Limiting:** `ws-backend`'s `TODO` notes mention no rate limiting, making the WebSocket server vulnerable to Denial of Service attacks.
7. **Global User State:** The `ws-backend` uses an in-memory global array (`users: User[]`) to track connected users, which is not scalable or fault-tolerant for a production environment (also noted as a `TODO`).

These severe issues make the application highly insecure and unsafe to run in any non-isolated, non-testing environment.

Stats

  • Interest Score: 30
  • Security Score: 1
  • Cost Class: Low
  • Stars: 1
  • Forks: 0
  • Last Update: 2025-12-06

Tags

  • Web Application
  • Collaboration
  • Real-time
  • Chat
  • Monorepo