Conversation

graham
Contributor

@graham graham commented Sep 11, 2025

This is really two experiments that should be split if either is appealing to the team. The first experiment was adding a getUserIdentityDebug that would return the JWT error that had occurred if it had occurred (rather than the null value that the non-debug version would return).

I found in my own Convex work that often I would have forgotten the aud or incorrectly set the issuer. This helped me quickly understand what was wrong.

Next, I experimented with a plain text, non-JWT token; this doesn't go through any of the verification on the client and doesn't need to be refreshed like a JWT, and the assumption is that the developer rotates this key themselves in some way.

This works "similar to a cookie" in that the developer must look up the value in a session table, and do all the user lookup work themselves. The nice thing about this is that it doesn't require the lift of JWTs, which can be big for users that have never interacted with them.

Additionally, it can be nice for server-to-server communication.

Finally, the real reason I built this is that I found myself often writing useAuthedQuery when initially developing a sandbox application. I didn't want to go through the full "integrate a WorkOS project" and just wanted to get to work, so a single pre-shared key was fine for auth.

However, this isn't possible with the current setup, so writing my own useAuthedQuery felt like I was doing it wrong or working around the original auth system.

These experiments ended up being both more complicated than I had realized but easier to implement than I realized.

I do not intend to merge these, but they ended up being a good example of features that seemed to streamline my learning and my ability to get sandbox applications off the ground.


By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

This commit introduces comprehensive JWT debugging capabilities and experimental
plaintext authentication support to help developers troubleshoot authentication issues.

**New Features:**
- getUserIdentityDebug() method returns detailed error information when JWT validation fails
- getUserIdentityInsecure() method for accessing raw plaintext tokens (development/debugging only)
- setAuthInsecure() client method for plaintext authentication mode

**Backend Implementation:**
- New 1.0/getUserIdentityDebug and 1.0/getUserIdentityInsecure syscalls in Rust
- PlaintextUser identity type added to authentication system
- Enhanced error metadata for JWT validation failures

**Frontend Integration:**
- TypeScript Auth interface extended with new debug methods
- React client support for plaintext authentication mode
- WebSocket protocol updates for plaintext token handling

**Backward Compatibility:**
- Existing getUserIdentity() method unchanged
- All current authentication flows continue to work
- New features are opt-in and don't affect existing implementations

This implementation enables developers to get detailed JWT error messages instead of
generic authentication failures, significantly improving the debugging experience
for authentication issues.
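A self-contained model of the two lookups described above (the getUserIdentityDebug idea in the description and the "New Features" list), added here as an example and not code from this PR or from Convex: it assumes an HS256 shared secret rather than a JWKS-backed provider, and the names `verifyIdentityDebug`, `verifyIdentity` and `signJwt` are hypothetical.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

type Claims = { iss?: string; aud?: string | string[]; exp?: number; sub?: string };
type AuthError = { code: string; detail: string };
type DebugResult = { identity: Claims | null; error: AuthError | null };
type Expected = { issuer: string; audience: string };

const fail = (code: string, detail: string): DebugResult => ({ identity: null, error: { code, detail } });

// Debug variant: every rejection comes back with a reason (HS256 shared secret is an assumption here).
function verifyIdentityDebug(token: string, secret: string, want: Expected, now = Math.floor(Date.now() / 1000)): DebugResult {
  const parts = token.split(".");
  if (parts.length !== 3) return fail("malformed", `expected 3 segments, got ${parts.length}`);
  const [header, payload, sig] = parts;
  // Check the signature before trusting anything inside the payload.
  const mac = Buffer.from(createHmac("sha256", secret).update(`${header}.${payload}`).digest("base64url"));
  const given = Buffer.from(sig);
  if (mac.length !== given.length || !timingSafeEqual(mac, given)) return fail("bad_signature", "HS256 signature does not match");
  let claims: Claims;
  try {
    claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  } catch {
    return fail("malformed", "payload is not valid JSON");
  }
  if (claims.exp !== undefined && claims.exp <= now) return fail("expired", `exp=${claims.exp} <= now=${now}`);
  if (claims.iss !== want.issuer) return fail("wrong_issuer", `iss=${claims.iss ?? "<missing>"}, expected ${want.issuer}`);
  const auds = Array.isArray(claims.aud) ? claims.aud : claims.aud === undefined ? [] : [claims.aud];
  if (!auds.includes(want.audience)) return fail("wrong_audience", `aud=${JSON.stringify(claims.aud ?? null)}, expected ${want.audience}`);
  return { identity: claims, error: null };
}

// Non-debug variant: identical checks, but the reason is dropped and the caller only ever sees null.
function verifyIdentity(token: string, secret: string, want: Expected, now?: number): Claims | null {
  return verifyIdentityDebug(token, secret, want, now).identity;
}

// Constructed helper that mints sample tokens for the demo below (demo-only signing code).
function signJwt(claims: Claims, secret: string): string {
  const enc = (o: object) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const body = `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}`;
  return `${body}.${createHmac("sha256", secret).update(body).digest("base64url")}`;
}

// Demo: a token minted with the wrong audience, the "forgot the aud" mistake from the description.
const demoExpected = { issuer: "https://issuer.example", audience: "my-convex-app" };
const demoWrongAud = signJwt({ iss: demoExpected.issuer, aud: "other-app", sub: "user_1" }, "dev-secret");
console.log(verifyIdentity(demoWrongAud, "dev-secret", demoExpected));          // null, with no hint why
console.log(verifyIdentityDebug(demoWrongAud, "dev-secret", demoExpected).error); // { code: "wrong_audience", ... }
```

The detail string is meant for the developer's own logs during setup; the null-returning variant is the shape an unauthenticated caller should keep seeing.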
@graham graham force-pushed the experiment-unverified-auth branch from 11fd75b to c68480a Compare September 15, 2025 21:21