Implement security features

[scherzma]

There are still security-features to implement:

General Security Considerations: Verify the sender's identity for all incoming messages.

Operation-Specific Security Considerations: SEND_MESSAGE:

• Ensure that the sender is a member of the chat (has joined and not left).

SYNC_REQUEST:

• Verify that the sync request is for a specific chat.
• Confirm that the sender is a member of the specified chat.

SYNC_RESPONSE:

• Verify each message in the response to ensure it originates from the expected sender. This prevents unauthorized control over the chat.

JOIN_CHAT:

• Require that the user has been invited to the chat before allowing them to join.

LEAVE_CHAT:

• Prevent a user who has left a chat from rejoining until a new invitation is extended.

INVITE_TO_CHAT:

• No specific security considerations identified.

SEND_FILE:

• Confirm that the sender is a member of the chat.

SET_USERNAME:

• Associate the username with a specific chat.
• Include a portion of the user's public key in the username to prevent identity theft.
• Consider maintaining a username history for transparency and accountability.

[JavaHammes]

Shouldn't we also introduce some kind of access control? So that not everyone can connect to our websockets? This access control should then also take place before someone has connected to the websocket, i.e. be made in the header of the request, so to speak. I was thinking of something like X-Auth-Token, but I'm not sure yet.