[API] Harden match events gateway authentication and message validation

[Flegma]

Summary

The match events WebSocket gateway needs stronger authentication checks and message validation to prevent unauthorized or malformed data from being processed.

Tasks

• Strengthen authentication verification on WebSocket connections
• Add server identity validation for incoming events
• Implement runtime message schema validation
• Add message size limits to prevent resource exhaustion

Impact

Could allow unauthorized data to be processed through the gateway.

Details

Full details in internal audit document. Finding IDs: SEC-API-02, SEC-API-03, WS-API-01, WS-API-02

---

Related Issues (Input Validation Pattern)

• [API] Harden match events gateway authentication and message validation #371 — [API] Harden match events gateway validation
• [Connector] Sanitize user input in offline match manifest generation #404 — [Connector] Sanitize offline match manifest input
• [Connector] Add command validation and whitelist to RCON gateway #405 — [Connector] Add RCON command whitelist
• [Connector] Add authentication to WebRTC datachannel & validate match data DTOs #406 — [Connector] Validate WebRTC datachannel & match DTOs
• [Game Server] Async void anti-pattern & missing command input validation #402 — [Game Server] Missing command input validation