Do not expose the access token when creating the websocket

[kenkendk]

The current approach to open the websocket is to pass in the authentication token as part of the query string. This could be problematic if some logs or similar are capturing the full request, as the active access token will be recorded. It does currently have a short lifetime (15min) but could be abused anyway.

A proposed workaround to this would be to have a two-state connection, so the initial connection is established but not registered as valid. The client will then need to send a valid token as the first message.

This adds some state management complexity to ensure unauthenticated sockets do not received data.