Replace header-based auth (not possible with browser WebSocket API) with a
first-message auth protocol: client sends {"type":"auth","token":"<JWT>"}
as the first text frame; server validates and proceeds or closes the connection.
Both GameWebSocketResource and UserWebSocketResource now hold incoming
connections in a pendingAuth set until the auth frame arrives, preventing
any game or event messages from being processed before identity is established.
Also removes the broken Bearer-prefix handling that caused header-based auth
to silently fail even for non-browser clients.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
LQ63