fix(idaa): revert JWT to moderators-only pending Jitsi server config

Temporary rollback — non-moderators rejoin anonymously until Prosody is
configured with allow_empty_token=false to enforce JWT moderator claims.
TODO comment left in place to track the follow-up.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/routes/idaa/(idaa)/video_conferences/+page.svelte

@@ -836,11 +836,13 @@ async function init_jitsi() {
     const url_params = data.params;
 
     // --- Initialize Jitsi ---
-    // All verified Novi users get a JWT — not just moderators.
+    // TODO: Issue JWT to all verified Novi users once Jitsi server is configured to enforce
-    // Without JWT enforcement, the room URL alone is enough to join, which violates IDAA privacy.
+    // JWT auth and respect context.user.moderator (set allow_empty_token = false in Prosody).
-    // is_moderator is encoded in the token payload by get_jitsi_jwt().
+    // For now, only moderators get a JWT — non-moderators join anonymously.
-    console.log('Jitsi: Attempting to get JWT...');
+    let jwt_token = null;
-    const jwt_token = await get_jitsi_jwt(
+    if (is_moderator) {
+        console.log('Jitsi: Attempting to get JWT for moderator...');
+        jwt_token = await get_jitsi_jwt(
             display_name,
             email,
             is_moderator,
@@ -856,6 +858,9 @@ async function init_jitsi() {
             return;
         }
         console.log('Jitsi: Successfully received JWT.');
+    } else {
+        console.log('Jitsi: Non-moderator joining without JWT (temporary — pending Jitsi server config fix).');
+    }
 
     const disabled_sounds = [
         disable_incoming_msg_sound ? 'INCOMING_MSG_SOUND' : null,