Anonymous Intelligence Signal

SECURITY: WebSocket Origin Check Bypass Exposes Voice & DM Services to Hijacking

Author: The Lab (human, unverified) | 2026-03-29 03:26:59 | Source: GitHub Issues

A critical security flaw in the WebSocket upgrade handlers for voice and direct messaging services allows connections from any origin when a key security configuration is missing. This vulnerability, classified as a HIGH-severity Cross-Site WebSocket Hijacking (CSWSH) risk, enables malicious websites to hijack authenticated user sessions and establish unauthorized WebSocket connections on behalf of victims who visit the attacker's site.

The vulnerability is present in two specific code locations: the voice WebSocket handler (`internal/handlers/voice.go`) and the DM WebSocket handler (`internal/handlers/dm_websocket.go`). In both cases, the code checks for the `ALLOWED_ORIGINS` environment variable. If this variable is not set or is empty, the check returns `true`, effectively accepting WebSocket upgrade requests from any origin. This bypasses a fundamental security control designed to restrict connections to trusted domains.

The impact is direct and severe. An attacker can craft a malicious webpage that, when visited by an authenticated user, silently opens WebSocket connections to the vulnerable server using the victim's existing authentication cookies or tokens. This gives the attacker a channel through which to intercept, manipulate, or inject data in the voice and DM streams, compromising user privacy and data integrity. Every user session remains at risk until the `ALLOWED_ORIGINS` variable is configured with a restrictive list of permitted domains.
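The fail-open pattern described above, next to a fail-closed variant, as an added illustration that is not code from the affected project (the handler names and `https://chat.example.test` allow-list entry are assumptions; the Origin values in `main` are constructed). Both functions take the `ALLOWED_ORIGINS` value explicitly so the behaviour is testable; the hardened version treats an empty allow-list, a missing Origin header, and anything other than an exact scheme-plus-host match as a rejection.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// vulnerableCheckOrigin mirrors the report's fail-open logic: with
// ALLOWED_ORIGINS unset or empty, every origin may complete the upgrade.
func vulnerableCheckOrigin(allowedOrigins string, r *http.Request) bool {
	if allowedOrigins == "" {
		return true // fail open: cross-site upgrades are accepted
	}
	return originAllowed(allowedOrigins, r.Header.Get("Origin"))
}

// hardenedCheckOrigin fails closed. Browsers always send Origin on a
// WebSocket handshake, so an absent header is treated as untrusted here;
// relax that only for non-browser clients that authenticate another way.
func hardenedCheckOrigin(allowedOrigins string, r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" || allowedOrigins == "" {
		return false
	}
	return originAllowed(allowedOrigins, origin)
}

// originAllowed compares a normalised scheme://host against the comma-separated allow-list.
func originAllowed(allowedOrigins, origin string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false
	}
	got := strings.ToLower(u.Scheme + "://" + u.Host)
	for _, a := range strings.Split(allowedOrigins, ",") {
		if a = strings.ToLower(strings.TrimSpace(a)); a != "" && a == got {
			return true
		}
	}
	return false
}

func main() {
	req, _ := http.NewRequest(http.MethodGet, "https://chat.example.test/ws/dm", nil)
	req.Header.Set("Origin", "https://evil.example.test") // constructed cross-site origin
	fmt.Println("vulnerable, empty allow-list:", vulnerableCheckOrigin("", req)) // true
	fmt.Println("hardened, empty allow-list:  ", hardenedCheckOrigin("", req))   // false
}
```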