feat(backend): implement comprehensive security and validation

Implement enterprise-grade security measures and input validation:

Security Features:
- Add Helmet.js for security headers (XSS, clickjacking, MIME protection)
- Implement rate limiting (5/15min for auth, 100/15min for API)
- Add Socket.IO JWT authentication middleware
- Fix JWT auth middleware (remove throw in catch, extend token to 7 days)
- Implement centralized error handling with AppError class
- Add CORS restrictive configuration

Input Validation:
- Add express-validator to all routes (auth, streets, tasks, posts, events, rewards, reports, users)
- Create comprehensive validation schemas in middleware/validators/
- Consistent error response format for validation failures

Additional Features:
- Add pagination middleware for all list endpoints
- Add Multer file upload middleware (5MB limit, image validation)
- Update .env.example with all required environment variables

Dependencies Added:
- helmet@8.1.0
- express-rate-limit@8.2.1
- express-validator@7.3.0
- multer@1.4.5-lts.1
- cloudinary@2.8.0

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

backend/middleware/socketAuth.js

@@ -0,0 +1,30 @@
+const jwt = require("jsonwebtoken");
+
+/**
+ * Socket.IO Authentication Middleware
+ * Verifies JWT token before allowing socket connections
+ */
+const socketAuth = (socket, next) => {
+  try {
+    // Get token from handshake auth or query
+    const token =
+      socket.handshake.auth.token || socket.handshake.query.token;
+
+    if (!token) {
+      return next(new Error("Authentication error: No token provided"));
+    }
+
+    // Verify token
+    const decoded = jwt.verify(token, process.env.JWT_SECRET);
+
+    // Attach user data to socket
+    socket.user = decoded.user;
+
+    next();
+  } catch (err) {
+    console.error("Socket authentication error:", err.message);
+    return next(new Error("Authentication error: Invalid token"));
+  }
+};
+
+module.exports = socketAuth;