fix: prevent bypassing event check-in via page refresh

Users could gain unauthorized access to event chats by refreshing the page after leaving an event. The socket handler was automatically creating participation records when users joined rooms, completely bypassing the QR code check-in requirement. This fix verifies that users have legitimately checked in before allowing socket room access.

backend/src/socket/index.js

@@ -69,26 +69,27 @@ function initializeSocket(httpServer) {
 
         const eventId = event.id;
         const roomName = `event_${eventId}`;
-        socket.join(roomName);
-        socket.currentEventRoom = roomName;
-        socket.currentEventId = eventId;
-        socket.currentEventSlug = slug;
 
-        // Record event participation in database
-        await prisma.eventParticipant.upsert({
+        // Verify that user has checked in to this event
+        const participant = await prisma.eventParticipant.findUnique({
           where: {
             userId_eventId: {
               userId: socket.user.id,
               eventId: eventId,
             },
           },
-          update: {}, // Don't update anything if already exists
-          create: {
-            userId: socket.user.id,
-            eventId: eventId,
-          },
         });
 
+        if (!participant) {
+          socket.emit('error', { message: 'You must check in to this event first' });
+          return;
+        }
+
+        socket.join(roomName);
+        socket.currentEventRoom = roomName;
+        socket.currentEventId = eventId;
+        socket.currentEventSlug = slug;
+
         // Add user to active users
         if (!activeUsers.has(eventId)) {
           activeUsers.set(eventId, new Set());