Add "auth locking" for clients so that browsers do not get true state until auth'd

[Pomax]

E.g. even though there's a state to send, only send { authenticated: false }, and only start sending true state data once that authentication has successfully happened.

[Pomax]

v6.0.0 introduces "auth" at the client level, but this does not extend to clients that service multiple browsers. Which isn't even possible right now anyway so that's fine.