🔒️(frontend) room ids are generated with non-cryptographic rand

Room identifiers are created with `Math.random()`, which is predictable
and not suitable for security-sensitive identifiers. Predictable
room IDs increase the risk of room enumeration and unauthorized
access attempts, especially when IDs are part of join URLs.

Affected files: generateRoomId.ts

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>

Author: tuanaiseo

CHANGELOG.md

@@ -16,6 +16,7 @@ and this project adheres to
 
 - ♻(frontend) standardize role terminology across localizations
 - 🐛(backend) make start-recording atomic and fault-tolerant
+- 🔒️(frontend) room ids are generated with non-cryptographic rand
 
 ## [1.15.0] - 2026-04-30
 

src/frontend/src/features/rooms/utils/generateRoomId.ts

@@ -1,10 +1,20 @@
 // Google Meet uses only letters in a room identifier
 const ROOM_ID_ALLOWED_CHARACTERS = 'abcdefghijklmnopqrstuvwxyz'
 
-const getRandomChar = () =>
-  ROOM_ID_ALLOWED_CHARACTERS[
-    Math.floor(Math.random() * ROOM_ID_ALLOWED_CHARACTERS.length)
+const getRandomChar = () => {
+  const maxValue =
+    Math.floor(0x100000000 / ROOM_ID_ALLOWED_CHARACTERS.length) *
+    ROOM_ID_ALLOWED_CHARACTERS.length
+  const randomValue = new Uint32Array(1)
+
+  do {
+    crypto.getRandomValues(randomValue)
+  } while (randomValue[0] >= maxValue)
+
+  return ROOM_ID_ALLOWED_CHARACTERS[
+    randomValue[0] % ROOM_ID_ALLOWED_CHARACTERS.length
   ]
+}
 
 const generateSegment = (length: number): string =>
   Array.from(Array(length), getRandomChar).join('')