fix: Add type check to prevent DoS via non-string rejoinCode

Validate rejoinCode is a string before calling .includes()
to prevent TypeError crashes from malicious payloads.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: codergautam

ws/classes/Player.js

@@ -161,7 +161,7 @@ export default class Player {
         // account verification
         if((!json.secret) ||(json.secret === 'not_logged_in')) {
           if(!this.verified) {
-            if(json.rejoinCode && json.rejoinCode.includes('-')) {
+            if(typeof json.rejoinCode === 'string' && json.rejoinCode.includes('-')) {
               // Only accept UUID format rejoinCodes (contain dashes), reject MongoDB ObjectIds
               const dcPlayerId = disconnectedPlayers.get(json.rejoinCode);
               if(dcPlayerId) {