Need to start thinking more seriously about how best to handle authentication (and by extension, encryption).
My original plan had been that the "room password" would never be shared with the server and instead would be used as a shared encryption key by the clients to encrypt message payloads. Despite that, for some reason, I added a passhash field to the rooms table.
We also need some level of user auth when they join a room. Knowing the room password shouldn't be sufficient to let them retrieve messages (as they'd then be able to decrypt them).
One option might be to merge the two into one, of the format roompass:userpass and just have the client split them and use each appropriately.
In any case, needs some thoughts laid down on the best approach so that decisions are recorded.
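One way the merged roompass:userpass option could work on the client, as an added example that is not part of the original note or the project's code. The function names, the PBKDF2 parameters, the deterministic salts and the server-side hash are all assumptions; the room and user values are constructed.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # assumed PBKDF2 work factor, tune for the real client


def split_credential(combined):
    """Split 'roompass:userpass' on the FIRST colon.

    The user password may therefore contain ':', the room password may not.
    """
    room_pass, sep, user_pass = combined.partition(":")
    if not sep or not room_pass or not user_pass:
        raise ValueError("expected 'roompass:userpass' with both parts non-empty")
    return room_pass, user_pass


def _derive(secret, purpose, context):
    # Deterministic, purpose-bound salt (assumption): every client in a room
    # must reach the same room key without the server handing out key material.
    salt = (purpose + "|" + context).encode()
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


def client_secrets(combined, room, user):
    """Return (room_key, auth_token). Only auth_token is ever sent to the server."""
    room_pass, user_pass = split_credential(combined)
    room_key = _derive(room_pass, "room-key", room)
    auth_token = _derive(user_pass, "user-auth", room + "/" + user)
    return room_key, auth_token


def server_record(auth_token):
    """What the server stores per user: a hash of the token, never the token."""
    return hashlib.sha256(auth_token).digest()


def server_verify(stored, presented_token):
    return hmac.compare_digest(stored, hashlib.sha256(presented_token).digest())


if __name__ == "__main__":
    # Constructed sample values.
    key_a, tok_a = client_secrets("correct horse:alice:pw", "lobby", "alice")
    key_b, tok_b = client_secrets("correct horse:bob-pw", "lobby", "bob")
    print(key_a == key_b, tok_a != tok_b, server_verify(server_record(tok_a), tok_b))
```

Because the room key is derived only from the room half, nothing the server receives or stores lets it decrypt payloads, while the user half still gates message retrieval.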