Tracking WebSocket Channel Allows Unauthorized Subscription and Event Injection #528

@observerr411

Affected files

  • backend/src/tracking/tracking.gateway.ts
  • backend/src/tracking/tracking.module.ts

Description
The tracking gateway verifies token validity, but subscription and publishing handlers (delivery.subscribe, rider.location, delivery.status, delivery.eta) do not enforce delivery-level authorization. Any authenticated user can subscribe to arbitrary deliveryId rooms and emit location/status payloads.

This creates a data leakage and spoofing risk for delivery telemetry.

Acceptance criteria

  • Delivery-level authorization checks are enforced for subscribe/unsubscribe and all publish events.
  • Event publishers are verified against rider/delivery ownership or role permissions.
  • Unauthorized publish attempts are rejected and audited.
  • Gateway enforces schema validation/range checks for coordinates and status enums.
  • Security tests verify that users cannot subscribe/publish for deliveries outside their scope.
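
A sketch of the checks the acceptance criteria call for, written as an added example; it is not the project's gateway code, which this page does not show. Only the event names `delivery.subscribe`, `rider.location`, `delivery.status` and `delivery.eta` come from the issue. The `delivery.unsubscribe` name, the `User`/`Delivery` shapes, the role and status lists, the `etaMinutes` field and the in-memory audit log are assumptions.

```typescript
// Added example: all types, field names and lists below are hypothetical.
type Role = "customer" | "rider" | "admin";
interface User { id: string; role: Role }
interface Delivery { id: string; customerId: string; riderId: string }
interface Decision { ok: boolean; reason: string }

const STATUSES = ["assigned", "picked_up", "in_transit", "delivered"]; // assumed enum
const auditLog: string[] = []; // stand-in for a real audit sink

const isNum = (v: unknown): v is number => typeof v === "number" && isFinite(v);

// Schema and range checks for each publish event; unknown events are rejected.
function validPayload(event: string, payload: unknown): boolean {
  const p = (typeof payload === "object" && payload !== null ? payload : {}) as Record<string, unknown>;
  const { lat, lng, status, etaMinutes } = p;
  if (event === "rider.location")
    return isNum(lat) && isNum(lng) && Math.abs(lat) <= 90 && Math.abs(lng) <= 180;
  if (event === "delivery.status")
    return typeof status === "string" && STATUSES.indexOf(status) !== -1;
  if (event === "delivery.eta") return isNum(etaMinutes) && etaMinutes >= 0;
  return false;
}

// Delivery-level authorization, called by every handler after token validation.
// Subscribers must be a party to the delivery (or an admin); publishers must be
// the rider assigned to it. Every denial is written to the audit log.
function authorize(user: User, d: Delivery | undefined, event: string, payload?: unknown): Decision {
  let reason = "";
  if (!d) {
    reason = "unknown delivery";
  } else if (event === "delivery.subscribe" || event === "delivery.unsubscribe") {
    const party = user.role === "admin" || user.id === d.customerId || user.id === d.riderId;
    if (!party) reason = "not a party to this delivery";
  } else if (user.role !== "rider" || user.id !== d.riderId) {
    reason = "not the assigned rider";
  } else if (!validPayload(event, payload)) {
    reason = "invalid payload";
  }
  if (reason) auditLog.push(`${user.id} ${event} ${d ? d.id : "?"}: ${reason}`);
  return { ok: reason === "", reason };
}
```

In a gateway, the `Delivery` record would be loaded server-side from the `deliveryId` in the message, and the user identity taken from the already-verified token rather than from the payload.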
