Add WebSocket authentication guard to CollaborationGateway using JWT validation

[RUKAYAT-CODER]

Overview

src/collaboration/collaboration.gateway.ts has @WebSocketGateway with no guards applied. Any WebSocket client that can reach the server can join any collaboration session by knowing the session ID, without any identity or authorization check. This is effectively unauthenticated write access to shared document state.

Specifications

Features:

• Validate a JWT passed in the WebSocket handshake query string or Authorization header before the connection is accepted.
• Reject connections with invalid or missing tokens.

Tasks:

• Create WsJwtAuthGuard that reads socket.handshake.auth.token or query ?token=.
• Verify the JWT using the same JwtService used for REST routes.
• Apply the guard via @UseGuards(WsJwtAuthGuard) on the gateway class.
• Store the verified user in socket.data.user for downstream use.
• Add integration tests for rejected and accepted WebSocket connections.

Impacted Files:

• src/collaboration/collaboration.gateway.ts
• New src/collaboration/guards/ws-jwt-auth.guard.ts

Acceptance Criteria

• WebSocket connection without valid JWT is rejected during handshake.
• Authenticated user identity is available in all message handlers via socket.data.user.
• Integration test covers both anonymous and authenticated connection scenarios.

[chidumebiodoh123-cloud]

@chidumebiodoh123-cloud has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

I have experience and I have reviewed the code. I will implement a WebSocket JWT authentication guard for the CollaborationGateway. Scope: Create WsJwtAuthGuard, validate JWTs from the handshake/auth query using the existing JwtService, apply the guard to the gateway, and attach the authenticated user to socket.data.user. Plan: Reject invalid or missing tokens during the handshake, reuse the existing authentication flow, add integration tests for authenticated and anonymous connections, and verify all acceptance criteria. Will ensure secure WebSocket authentication, clean integration, and full acceptance criteria coverage.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @chidumebiodoh123-cloud to this issue.

[Nimatstar]

@Nimatstar has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Hi am a full stack developer, i have read through the description and clearly understood. kindly assign

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Nimatstar to this issue.

[drips-wave]

Congratulations, @Nimatstar! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 30, 2026.

🧑‍💻 @Nimatstar: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊