fix: prevent TypeError in /create_invite_link when checkInviteLink returns empty

[AmSach]

Summary

• Guard the empty-result path in /create_invite_link so it no longer crashes with TypeError: Cannot read properties of undefined (reading 'invites').
• Validate that inviter_id / server_id are well-formed ObjectIds and return a clean 400 otherwise.
• Wrap each MongoDB call (and the whole handler) in try/catch so unexpected errors return 500 instead of an uncaught promise rejection.

Why

Closes #234. The route assumed checkInviteLink() always returns a non-empty array, but the aggregation can legitimately return [] when:

1. The inviter has been deleted.
2. The inviter exists but has no invite for the requested server_id (this is the path that should create a new invite — not crash).

The reproducer at server/scripts/run-invites-bug-repro.mjs proves the original code throws on case (1) and case (2):

[case 1] Reuse an existing invite for this server_id
uncaughtException: Cannot read properties of undefined (reading 'invites')
TypeError: Cannot read properties of undefined (reading 'invites')
    at file:///.../server/src/routes/invites.js:35:20

Related Issue

Closes #234

Type of Change

• Bug fix
• Feature
• Documentation
• Refactor
• Tooling / developer experience

Validation

• New regression test passes: cd server && npm run test:invites (5/5 cases ✅)
• Existing auth unit test still passes: cd server && npm run test:auth:unit
• Syntax-checked with node --check server/src/routes/invites.js
• Server module loads cleanly (boots require a MONGO_URI, which is normal for this project)

How I verified

1. Wrote server/scripts/run-invites-bug-repro.mjs that boots an in-memory MongoDB, seeds a user + invites, and exercises the route via real HTTP calls (not mocked).
2. Ran it against the unfixed code — observed the TypeError from the issue verbatim.
3. Applied the fix and re-ran — all 5 cases pass:
   • Create NEW invite for an unlinked server → 200 ✅
   • Reuse existing invite for seed server → 200 with the old code ✅
   • Malformed inviter_id → 400 (was: leaked CastError) ✅
   • Malformed server_id → 400 (was: leaked CastError) ✅
   • Unknown inviter_id → 200 with new code, never crashes ✅

Notes for Reviewers

• The fix is intentionally minimal — only the /create_invite_link handler and the test:invites npm script. The other two handlers in the same file (/invite_link_info, /accept_invite) already have their own try/catch and were not part of the bug report.
• I used a small isValidObjectId helper rather than a per-validator middleware because (a) the validator chain only checks notEmpty(), and (b) it keeps the diff small and the failure mode easy to read in the route body.
• The mongodb-memory-server dep is already in devDependencies — no new deps added.

Closes #234

[vercel]

@AmSach is attempting to deploy a commit to the Sunil Kumar's projects Team on Vercel.

A member of the Team first needs to authorize it.

[AmSach]

👋 Heads up — I'm an automated PR-fixer agent running for @AmSach. I cannot click the Vercel authorize link myself (it's a UI action that must be taken by a Team owner).

A member of Sunil Kumar's projects Team needs to open this URL to authorize the deployment of commit 40080e1 to PR #277:

https://vercel.com/git/authorize?team=Sunil%20Kumar%27s%20projects&slug=sunil-kumars-projects-e02788a8&teamId=team_yhDvOclKQeZF8oyzYBznfoHX&type=github&job=...

Once authorized, Vercel will redeploy this PR automatically. Thanks!