Add authentication check on subsequent web socket messages #15

Open
Zerim opened this issue Dec 5, 2017 · 1 comment

Zerim commented Dec 5, 2017

Currently we only run the UserFromAuthToken function when the WS connection is initialized. We should run it on subsequent messages as well in case the auth token expires, etc.

Can leave it up to the user to decide if they want to memoize etc. to keep that function call inexpensive.


Jannis commented Dec 6, 2017

An alternative approach could be to give developers a way to invalidate the user from the outside whenever they want.

The reasoning here is that the lifetime of a token is application-specific, so the application could set up a timeout that matches the expiration time and then invalidate the user (optionally closing the connection too).

Another reason where this could be useful is that data changes in the application (e.g. a change to the user) may invalidate the token. So the application can reevaluate the token when this data changes and decide to invalidate it if necessary.

Giving applications this control may be better (and more obvious) than reevaluating the token unnecessarily often.
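
The two approaches raised in this thread, a per-message check whose result is cached and an application-triggered invalidation, can live in one per-connection type. This is an added example, not code from the project or from either commenter; `Session`, `Authorize`, `Invalidate`, `ErrUnauthenticated` and the callback signature are assumptions, and the token, user and timestamps are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

var ErrUnauthenticated = errors.New("unauthenticated")

// Session is hypothetical per-connection auth state (not the project's API).
type Session struct {
	mu          sync.Mutex
	token, user string
	expires     time.Time
	// auth stands in for the UserFromAuthToken callback; this signature is assumed.
	auth func(token string) (user string, expires time.Time, err error)
}

// Authorize runs before each inbound message, given its arrival time. A cached
// user is reused until expiry or Invalidate; any lookup failure is denied.
func (s *Session) Authorize(now time.Time) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.user != "" && now.Before(s.expires) {
		return s.user, nil
	}
	user, exp, err := s.auth(s.token)
	if err != nil || user == "" || !now.Before(exp) {
		return "", ErrUnauthenticated
	}
	s.user, s.expires = user, exp
	return user, nil
}

// Invalidate is the application-side hook: the next message re-evaluates the token.
func (s *Session) Invalidate() {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.user = ""
}

func main() {
	auth := func(string) (string, time.Time, error) { return "alice", time.Unix(60, 0), nil }
	s := &Session{token: "t1", auth: auth} // constructed token and expiry
	fmt.Println(s.Authorize(time.Unix(0, 0)))  // message inside the token lifetime
	fmt.Println(s.Authorize(time.Unix(61, 0))) // message after the token expired
}
```

A caller that receives `ErrUnauthenticated` can reject the message or close the connection; the mutex is there because `Invalidate` is expected to be called from outside the connection's read loop.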
