resolve merge conflicts and pull code to main before continuing frontend work

Replace localStorage.username = undefined

Research and Development

I was poking around with your API requests that are very nicely laid out and remembered the ability to use Postman for the creation of accounts. Since your REST API allows for no special keys or anything in the body, it means that I am able to simply just fire off a post request to do really anything.
Example post request:

In this example, I created a user named sudo with admin privilege level. Since there's no checks in the REST API if the user that it's creating is special or not, the user is simply created.

The Fix

From a cybersecurity standpoint, you need to have a private key that you day that you store privately (and not have it trackable to get to) and simply do sanity checks. I personally would say to do a sanity check to make sure someone isn't trying to make an account with admin privileges in general. The biggest issue right now is that you've open-sourced the code so it makes it very difficult to hide any key system without it being replaceable by the attacker.

put a cap on usernames, disable spaces, destroy extra whitespace at the start and end

Cache username in localStorage and look for it when user creates new session or arrives to the Session Connection view

Use standard broadcast format