fix: scope drawings cache by userId and add Socket.io authentication

Security fixes:
1. Drawings cache now includes userId in cache key to prevent data leakage
   between users making identical queries.
2. Socket.io connections now require JWT authentication when auth is enabled.
3. Socket.io join-room verifies drawing ownership before allowing access.
4. Frontend passes auth token when connecting to Socket.io.

Co-authored-by: ZimengXiong <83783148+ZimengXiong@users.noreply.github.com>

frontend/src/pages/Editor.tsx

@@ -267,9 +267,11 @@ export const Editor: React.FC = () => {
       ? window.location.origin
       : (import.meta.env.VITE_API_URL || 'http://localhost:8000');
 
+    const authToken = localStorage.getItem('excalidash-access-token');
     const socket = io(socketUrl, {
       path: '/socket.io',
       transports: ['websocket', 'polling'],
+      auth: authToken ? { token: authToken } : {},
     });
     socketRef.current = socket;