You can do this in firebase.

Suppose part of your DB is laid out like :

/chatRooms/$roomID/password = $PASSWORD

Read/write permission to /chatRooms/$roomID/password is granted to the chatroom owner.

To become a member of a chatroom, you must add a document to: chatRooms/$roomId/users/$userId with the following validation:

The entry's userId must be the current user, and the password field must equal the password. A verification rule can access ANY data in the database, even if the user cannot access the data.

Below is an (untested) example that will show the basic principles.

In short:

1. only the chatroom admin may set the password. No one may read it.
2. chat data can be read by a user if their uid is in the members collection
3. to add a member to the collection, they must write a password, equal to (at the time) the room password

code:

"chatrooms" : {      
  "$room_id" : {
    "chat data" : {
      ".read" : "root.child('/chattrooms/' + $room_id + '/members/' + auth.uid).exists()"
    }, 
    "password": {
      ".read": "false",
      ".write": "root.child('/chattrooms/' + $room_id).child('admin').val() == auth.uid"
    }, 
    "members" : {
      "$user_id" : {
        ".validate": "$user_id == auth.uid && newData.val() == root.child('/chattrooms/' + $room_id + '/password').val()"
      }
    }
  }
}

One way to do this that doesn't require a server is by embedding the password into the path of the room. For example: if you have a room "general" and password "correcthorsebatterystaple", then you could model this as:

messages
    general_correcthorsebatterystaple
roomnames
    general

And secure it with:

{
  rules: {
    messages: {
      "$roomid": {
        ".read": true
      }
    "roomnames: {
      ".read": true
    }
  }
}

With these rules anyone can read the list of room names. But you can only read the messages of a room if you also know the password of the name.