Websocket Authentication
Despite many (older) claims in the internet that you can establish websocket connections with basic auth, this doesn't seem to be true for javascript libraries running in a recent browser. I managed to do it in Python and assumed it will just work on browsers as well, but it seems that isn't the case. At least I haven't been able to make this work. The only thing we can send in the upgrade request from a browser is a list of protocols. In absence of a standardized authentication mechanism, there's people using this already to pass auth tokens. I confirmed that we can access this header on the server side and check if there's an auth token in it.
If we don't want that hacky (but easy) solution, I am afraid we need to get into the business of tracking each session's authentication state and require them to send a first message with the token before we start sending stuff to it. Maybe even terminate sessions that haven't authenticated after a timeout.