Description
[drastically edited]
Provide ways for an MCP server to authenticate incoming requests, and pass the resulting information on to handlers.
For authentication, add a middleware function that verifies the token.
The function takes a TokenVerifier:
```go
type TokenVerifier func(ctx context.Context, token string) (*TokenInfo, error)
```
It extracts the bearer token, calls the verifier, and checks scopes and expiration before allowing the request to proceed.
Our HTTP transports can look at the error to decide whether to serve a resource URL with the appropriate status so that clients know to conduct the flow to obtain an access token. The TokenInfo is passed in the request context.
The design and implementation are based on the TypeScript one.
Once we have the authentication info, how do we pass it to handlers? Currently, handlers only take a context, a server session, and the request parameter struct. See #243 for a solution.
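A minimal sketch of the middleware flow described in this issue (extract the bearer token, call the verifier, check expiration and scopes, pass the TokenInfo on in the request context), added here as an illustration and not the SDK's implementation. The names `requireBearer`, `infoKey` and `status`, the `TokenInfo` fields, the 401/403 status choices and the sample tokens are assumptions.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"slices"
	"strings"
	"time"
)

type TokenInfo struct { // fields assumed for this sketch; the issue does not list them
	Scopes     []string
	Expiration time.Time
}
type TokenVerifier func(ctx context.Context, token string) (*TokenInfo, error)
type infoKey struct{} // hypothetical context key for the verified TokenInfo

// requireBearer (hypothetical name) fails closed: 401 for a bad token, 403 for a missing scope.
func requireBearer(verify TokenVerifier, need []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		scheme, tok, _ := strings.Cut(r.Header.Get("Authorization"), " ")
		if !strings.EqualFold(scheme, "Bearer") || tok == "" {
			http.Error(w, "missing bearer token", http.StatusUnauthorized)
		} else if info, err := verify(r.Context(), tok); err != nil || info == nil || !info.Expiration.After(time.Now()) {
			http.Error(w, "invalid or expired token", http.StatusUnauthorized)
		} else if slices.ContainsFunc(need, func(s string) bool { return !slices.Contains(info.Scopes, s) }) {
			http.Error(w, "insufficient scope", http.StatusForbidden)
		} else {
			next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), infoKey{}, info)))
		}
	})
}

// status sends one request through the middleware using a constructed verifier and tokens.
func status(authz string, need ...string) int {
	verify := func(_ context.Context, tok string) (*TokenInfo, error) {
		if ttl, ok := map[string]time.Duration{"good": time.Hour, "stale": -time.Hour}[tok]; ok {
			return &TokenInfo{Scopes: []string{"read"}, Expiration: time.Now().Add(ttl)}, nil
		}
		return nil, fmt.Errorf("unknown token")
	}
	req := httptest.NewRequest("GET", "/", nil)
	req.Header.Set("Authorization", authz)
	rec := httptest.NewRecorder()
	requireBearer(verify, need, http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})).ServeHTTP(rec, req)
	return rec.Code
}
func main() { fmt.Println(status("Bearer good", "read"), status("Bearer good", "write")) }
```

A downstream handler would read the verified value back with `r.Context().Value(infoKey{})`.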