Anonymous Intelligence Signal

SECURITY: ICE/TURN Server Credentials Exposed via Unauthenticated API Endpoint

The Lab (human, unverified) | 2026-03-29 03:26:56 | Source: GitHub Issues

A critical security vulnerability allows any unauthenticated client to retrieve the credentials for a TURN server directly from a public API endpoint. The `/api/voice/ice` endpoint returns the username and password for the TURN (Traversal Using Relays around NAT) server without requiring any form of authentication. This flaw exposes the system to relay attacks, potential bandwidth theft, and unauthorized consumption of TURN server resources, which are critical for real-time communication services like voice and video.

The vulnerability stems from a clear oversight in the codebase. In the main server file (`cmd/server/main.go`), the `/api/voice/ice` endpoint is registered without the authentication middleware that protects other sensitive routes. Directly adjacent on line 294, the WebSocket endpoint (`/api/voice/ws`) correctly uses `middleware.RequireAuth`, highlighting the inconsistency. The handler function `GetICEConfig` in `internal/handlers/voice.go` (lines 104-123) unconditionally returns the TURN server URL, username, and credential from the application's configuration when a TURN server is configured.

This exposure represents a significant operational risk. Possession of valid TURN credentials allows an attacker to misuse the relay infrastructure, potentially incurring substantial costs for the service operator or degrading service quality for legitimate users. The flaw underscores a common but dangerous pattern where configuration endpoints for real-time communication setups are inadvertently left open, treating sensitive credentials as mere configuration data rather than secrets that require strict access control. Immediate remediation requires wrapping the endpoint with the same authentication middleware used elsewhere in the application.
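The registration pattern described above, reproduced in a stand-alone Go server as an added example (this is not the project's own code): `newMux(false)` mirrors the reported, unprotected route and `newMux(true)` applies the fix. `requireAuth`, the bearer-token session check and the TURN values are constructed stand-ins for the project's `middleware.RequireAuth` and its configuration.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"net/http"
)

// Constructed sample values standing in for the service's real configuration and session store.
const (
	turnURL        = "turn:turn.example.invalid:3478"
	turnUsername   = "relay-user"
	turnCredential = "relay-secret"
	sessionToken   = "valid-session-token"
)
// iceConfig mirrors the fields the report says GetICEConfig returns to the client.
type iceConfig struct {
	URLs       []string `json:"urls"`
	Username   string   `json:"username"`
	Credential string   `json:"credential"`
}

// getICEConfig hands out the TURN settings unconditionally, like the handler in voice.go.
func getICEConfig(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(iceConfig{URLs: []string{turnURL}, Username: turnUsername, Credential: turnCredential})
}

// requireAuth is a stand-in for middleware.RequireAuth: no valid session, no handler.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got, want := []byte(r.Header.Get("Authorization")), []byte("Bearer "+sessionToken)
		if subtle.ConstantTimeCompare(got, want) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newMux registers the route. protect=false reproduces the reported registration
// (credentials reachable anonymously); protect=true is the fix the report calls for.
func newMux(protect bool) *http.ServeMux {
	mux := http.NewServeMux()
	var ice http.Handler = http.HandlerFunc(getICEConfig)
	if protect {
		ice = requireAuth(ice)
	}
	mux.Handle("/api/voice/ice", ice)
	return mux
}
```

A regression test against `newMux(true)` that asserts an anonymous request gets 401 is the cheapest way to keep this route from drifting back to the unprotected form.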