fix: Prevent session hijacking via rejoinCode validation

Only accept UUID format rejoinCodes (containing dashes).
This blocks attackers from using MongoDB accountIds as rejoinCodes
to hijack logged-in users' disconnected sessions.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: codergautam

ws/classes/Player.js

@@ -161,7 +161,8 @@ export default class Player {
         // account verification
         if((!json.secret) ||(json.secret === 'not_logged_in')) {
           if(!this.verified) {
-            if(json.rejoinCode) {
+            if(json.rejoinCode && json.rejoinCode.includes('-')) {
+              // Only accept UUID format rejoinCodes (contain dashes), reject MongoDB ObjectIds
               const dcPlayerId = disconnectedPlayers.get(json.rejoinCode);
               if(dcPlayerId) {
                 handleReconnect(dcPlayerId, json.rejoinCode);