feat: remove session, emit `SIGNED_OUT` when JWT `session_id` is invalid

[hf]

When the access token (JWT) contains a session_id property which does not correspond to a row in the sessions table, it means that the user has been signed out or the session has been destroyed in some way. Auth will send back a session_not_found error code which can be detected by the client library and removing of the stored session with emitting the SIGNED_OUT event should take place.