I think we figured out that there is only a single command (push) that
needs authentication, and when that is invoked we'd switch from
un-authenticated to authenticate at that point (as there's no benefit
to re-becoming anonymous), so a whole decorator/framework for this was
overkill (and complicated things).