We use socket.io's rooms feature in the server to allow patients and doctors to find each other.
Rooms are persisted on the server and use the socketID to assign connected users to rooms. Both room membership and socketID can be considered secure according to the docs.
The critical point is when the server adds a socketID to a certain room, or allows a message to be sent to a member in this room. At this point, we need to authorize this patient's access to the room.
This should be based on a token (which could include the userID) and an appointmentID.
We allow access only if these are valid. There could be one initial event on which access is granted; future events then check whether the socketID is already in the room.
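A sketch of the flow described above, added here as an example and not taken from the project's code: one join event checks the token and appointmentID, and later events only check room membership. The HMAC token format, `SECRET`, the `APPOINTMENTS` table, the `join`/`message` event names and the `appointment:` room prefix are all assumptions made for illustration.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');
const SECRET = 'constructed-demo-secret'; // assumption: server-side signing key
const APPOINTMENTS = new Map([ // constructed sample data
  ['appt-42', { patientId: 'patient-1', doctorId: 'doctor-9' }],
]);

const sign = (userId) => createHmac('sha256', SECRET).update(userId).digest('hex');
const issueToken = (userId) => `${userId}.${sign(userId)}`; // hypothetical token format
// The prefix keeps room names distinct from the default room named after socket.id.
const roomFor = (appointmentId) => `appointment:${appointmentId}`;

// Returns the userId carried by a correctly signed token, or null.
function verifyToken(token) {
  if (typeof token !== 'string') return null;
  const i = token.lastIndexOf('.');
  if (i <= 0) return null;
  const userId = token.slice(0, i);
  const given = Buffer.from(token.slice(i + 1), 'utf8');
  const expected = Buffer.from(sign(userId), 'utf8');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  return userId;
}

// Initial event: the only place a socket is ever added to a room.
function handleJoin(socket, payload) {
  const { token, appointmentId } = payload || {};
  const userId = verifyToken(token);
  const appt = APPOINTMENTS.get(appointmentId);
  const allowed = userId && appt && (userId === appt.patientId || userId === appt.doctorId);
  if (!allowed) return false;
  socket.join(roomFor(appointmentId));
  return true;
}

// Later events: no token check, only "is this socket already in the room?"
function handleMessage(socket, payload) {
  const { appointmentId, text } = payload || {};
  const room = roomFor(appointmentId);
  if (!socket.rooms.has(room)) return false;
  socket.to(room).emit('message', { text });
  return true;
}

// Wiring for a socket.io Server instance `io` (not executed in this example).
function attach(io) {
  io.on('connection', (socket) => {
    socket.on('join', (p, ack) => typeof ack === 'function' && ack(handleJoin(socket, p)));
    socket.on('message', (p, ack) => typeof ack === 'function' && ack(handleMessage(socket, p)));
  });
}
```

Because the room name is derived on the server from the appointmentID and never taken verbatim from the client, a client cannot name its way into an arbitrary room.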