// via cookies
// (in which case loggedInUser must match the authenticated user, and
// this message has no
// effect).
ProtocolAuthenticate authMessage = (ProtocolAuthenticate) message;
ParticipantId authenticatedAs = authenticate(authMessage.getToken());
Preconditions.checkArgument(authenticatedAs != null, "Auth token invalid");
Preconditions.checkState(loggedInUser == null || loggedInUser.equals(authenticatedAs),
"Session already authenticated as a different user");