feat: Harden Realtime Event Authorization with JWT and Centralized Guard

[bytebinders]

What was done:

• Implemented a centralized RealtimeAuth guard in backend/src/realtime/auth.rs to authorize channel subscriptions.
• Updated ws_handler in backend/src/realtime/user_ws.rs to require and validate a JWT access token before upgrading the connection.
• Added Subscribe, Unsubscribe, and Publish variants to ClientMessage in backend/src/realtime/events.rs.
• Enhanced SessionRegistry to track explicit channel subscriptions for authorized event routing.
• Updated WsBroadcaster to route match events only to authorized subscribers.
• Integrated JwtService and RealtimeAuth into the main application infrastructure in main.rs.

Why it was done:

To prevent unauthorized users from subscribing to private event streams (user-scoped or match-scoped) and to enforce strict token-based identity verification for all real-time connections. This hardens the security of the ArenaX gaming platform's real-time communication layer.

How it was verified:

• Unit Tests: Added backend/tests/realtime_auth_test.rs to verify authorization logic for user and match channels.
• Integration Tests: Added backend/tests/realtime_auth_integration_test.rs to verify that the WebSocket upgrade requires a valid JWT.

Closes #163

[vercel]

Someone is attempting to deploy a commit to the paul joseph's projects Team on Vercel.

A member of the Team first needs to authorize it.

[drips-wave]

@bytebinders Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

[bytebinders]

Hi @anonfedora,

I noticed the Vercel check is currently failing due to deployment authorization. The changes themselves should be independent of deployment, but please let me know if any adjustments are needed from my side.

Happy to make updates if required. Thanks!