feat: Add password-based authentication for broadcasters and restrict WebRTC offers to authenticated users.

server.js

@@ -5,13 +5,22 @@ const server = http.createServer(app);
 const { Server } = require("socket.io");
 const io = new Server(server);
 
+// Password setting via environment variable, defaulting to "secret"
+const BROADCASTER_PASSWORD = process.env.BROADCASTER_PASSWORD;
+let broadcasterSocketId = null;
+
 app.use(express.static("public"));
 
 io.on("connection", (socket) => {
   console.log("a user connected:", socket.id);
 
   // When the broadcaster starts sharing
-  socket.on("broadcaster", () => {
+  socket.on("broadcaster", (password) => {
+    if (password !== BROADCASTER_PASSWORD) {
+      socket.emit("authError", "Invalid broadcaster password.");
+      return;
+    }
+    broadcasterSocketId = socket.id;
     socket.broadcast.emit("broadcaster");
   });
 
@@ -22,6 +31,7 @@ io.on("connection", (socket) => {
 
   // WebRTC Signaling
   socket.on("offer", (id, message) => {
+    if (socket.id !== broadcasterSocketId) return; // Prevent hijacking
     socket.to(id).emit("offer", socket.id, message);
   });