
fix(chat): invitation email hook paths and redirect flow #1512

Open
kkopanidis wants to merge 1 commit into main from fix/chat-invitation-flow



@kkopanidis

Contributor

Problem

Chat invitation emails link to /hook/chat/invitations/{accept|decline}/{token}, but the hook handler required an authenticated user in request context and returned a plain string response. Users clicking email links while logged out hit a broken flow with no redirect to login or back into the app.

Solution

  • Register the hook at /hook/chat/invitations/:answer/:invitationToken to match email URLs (Hermes already prefixes module hooks, but the route is now explicit).
  • Add authMiddleware? so the hook works for anonymous email-link visits.
  • Look up invitations by token only; verify the logged-in user matches the invitation receiver before mutating state.
  • Redirect unauthenticated users to explicit_room_joins.redirect.login_uri with redirectUri set to the hook URL so they can return after login.
  • Redirect authenticated users after accept/decline when accept_uri / decline_uri are configured ({roomId} placeholder supported).
  • Centralize hook URL construction in buildInvitationHookUrl shared by email templates and the hook handler.

Config

Set via Chat module config (explicit_room_joins.redirect):

Key          Purpose
login_uri    App login page for unauthenticated email-link clicks
accept_uri   Post-accept destination (supports {roomId})
decline_uri  Post-decline destination

Test plan

  • Send a chat room invitation with email enabled
  • Click accept link while logged out → redirected to login_uri?redirectUri=<hook url>
  • Log in and return to hook URL → invitation accepted, redirected to accept_uri
  • Click decline link while authenticated as invitee → invitation declined, redirected to decline_uri
  • Click accept link as a different authenticated user → 403
  • Click accept link when already a room member → token cleaned up, redirect/message without error

Email invitation links hit a hook that required an authenticated user and
returned plain text instead of redirecting. Align the registered hook path
with email URLs, allow optional auth on the hook, and redirect unauthenticated
users to login with a return URL while sending authenticated users to
configurable accept/decline destinations.
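
The decision flow in the description above (anonymous visit, receiver check, configured redirects), written out as an added TypeScript example; it is not the pull request's code. The function and type names, the in-memory invitation list, and the 400/401/404 statuses are assumptions; the hook path, the config keys, the `redirectUri` parameter and the 403 come from the description.

```typescript
// Added example: all names and types here are hypothetical, not the module's code.
type Answer = "accept" | "decline";
interface Invitation { token: string; receiver: string; roomId: string }
interface RedirectConfig { login_uri?: string; accept_uri?: string; decline_uri?: string }
interface Outcome { status: number; location?: string | undefined; mutate: boolean }

const isAnswer = (s: string): s is Answer => s === "accept" || s === "decline";

// Assumed URL shape, taken from the hook path in the description. baseUrl is the
// server's configured public URL, never a value read from the incoming request.
function invitationHookUrl(baseUrl: string, answer: Answer, token: string): string {
  return `${baseUrl}/hook/chat/invitations/${answer}/${encodeURIComponent(token)}`;
}

function decideInvitationHook(
  baseUrl: string,
  answer: string,               // raw :answer route parameter
  token: string,                // raw :invitationToken route parameter
  invitations: Invitation[],    // stand-in for the database lookup by token
  userId: string | undefined,   // undefined = anonymous email-link visit
  cfg: RedirectConfig,
): Outcome {
  // The route parameter is free text, so reject anything but the two verbs.
  if (!isAnswer(answer)) return { status: 400, mutate: false };

  if (userId === undefined) {
    // Anonymous: never touch state; send to login with the hook URL as return target.
    if (!cfg.login_uri) return { status: 401, mutate: false }; // assumption: no login_uri set
    const sep = cfg.login_uri.includes("?") ? "&" : "?";
    const back = encodeURIComponent(invitationHookUrl(baseUrl, answer, token));
    return { status: 302, location: `${cfg.login_uri}${sep}redirectUri=${back}`, mutate: false };
  }

  const inv = invitations.find((i) => i.token === token);
  if (!inv) return { status: 404, mutate: false };

  // Holding the token is not authorization: the session user must be the receiver.
  if (inv.receiver !== userId) return { status: 403, mutate: false };

  // Redirect only to configured destinations; roomId is encoded before substitution.
  const target = answer === "accept" ? cfg.accept_uri : cfg.decline_uri;
  const location = target?.replace("{roomId}", encodeURIComponent(inv.roomId));
  return { status: location ? 302 : 200, location, mutate: true };
}
```

`mutate` marks the only branch in which the caller may change the invitation, so a token forwarded to another account or opened while logged out never changes state.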