Real-time collaboration: check wp_user_id before accepting awareness update.

Using the built-in HTTP polling sync server, awareness state is accepted and stored after the user is authorized. This state is keyed against their sync client ID, which is randomly generated.

However, nothing prevents a user from spoofing another client's client ID, which is discoverable by inspecting network responses. By replaying a sync request with a different client ID, they could temporarily overwrite another client's awareness state.

This change prevents this spoofing by storing and checking the user's WordPress user ID to ensure it matches the initial update.

Developed in: https://github.com/WordPress/wordpress-develop/pull/11120.
Syncs: https://github.com/WordPress/gutenberg/pull/76056.

Fixes #64782.
Props czarate.

git-svn-id: https://develop.svn.wordpress.org/trunk@61838 602fd350-edb4-49c9-b593-d223f7449a82
Ella Van Durpe committed
3996a6498fb6eb972bd8f275ecbf94262ebf2517
Parent: a479b0a
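The check described in the commit message, as an added illustration that is not WordPress core code and not the implementation from the linked pull requests: awareness state stays keyed by the randomly generated sync client ID, but the store also records the WordPress user ID that first used that client ID and rejects any later update for the same client ID from a different user. The class and method names (`Awareness_Store`, `update`, `get_state`), the sample client ID and user IDs are hypothetical; in a real request handler the user ID would come from `get_current_user_id()` after the request has been authorized.

```php
<?php
// Added example (not WordPress core code): an awareness store for an HTTP
// polling sync endpoint that binds each sync client ID to the WordPress user
// who first sent an update for it. Names are hypothetical.

class Awareness_Store {
    /** @var array<string, array{user_id:int, state:array}> keyed by client ID */
    private array $clients = array();

    /**
     * Accept an awareness update for $client_id on behalf of $user_id.
     * Returns true when the state was stored, false when the request was
     * rejected. $user_id is the already-authorized WordPress user, e.g. the
     * value of get_current_user_id() inside the endpoint callback.
     */
    public function update( string $client_id, int $user_id, array $state ): bool {
        if ( $user_id <= 0 ) {
            // Unauthenticated callers never get to write awareness state.
            return false;
        }

        if ( isset( $this->clients[ $client_id ] )
            && $this->clients[ $client_id ]['user_id'] !== $user_id ) {
            // Known client ID, different WordPress user: a replayed request
            // reusing someone else's client ID. Keep the original state.
            return false;
        }

        // First update for this client ID (binds it to $user_id), or a
        // legitimate follow-up from the same user.
        $this->clients[ $client_id ] = array(
            'user_id' => $user_id,
            'state'   => $state,
        );
        return true;
    }

    /** Awareness state for one client, or null if unknown. */
    public function get_state( string $client_id ): ?array {
        return $this->clients[ $client_id ]['state'] ?? null;
    }

    /** States of all clients, as sent back to collaborators; the user-ID
     *  binding is internal and is not exposed here. */
    public function all_states(): array {
        $out = array();
        foreach ( $this->clients as $client_id => $entry ) {
            $out[ $client_id ] = $entry['state'];
        }
        return $out;
    }
}

// Constructed demonstration: user 3 registers client ID "c-9f1a"; user 7
// then replays an update with that same client ID.
$store = new Awareness_Store();

$first  = $store->update( 'c-9f1a', 3, array( 'cursor' => 12 ) );
$replay = $store->update( 'c-9f1a', 7, array( 'cursor' => 99 ) );
$same   = $store->update( 'c-9f1a', 3, array( 'cursor' => 13 ) );

echo 'first update from user 3 accepted: '  . ( $first  ? 'yes' : 'no' ) . PHP_EOL;
echo 'replay from user 7 accepted:         ' . ( $replay ? 'yes' : 'no' ) . PHP_EOL;
echo 'follow-up from user 3 accepted:      ' . ( $same   ? 'yes' : 'no' ) . PHP_EOL;
echo 'stored cursor for c-9f1a: ' . $store->get_state( 'c-9f1a' )['cursor'] . PHP_EOL;
```

The binding is established on the first accepted update, which is why the check must run before the state is written; validating only the client ID would leave the overwrite the commit message describes. Because the store is in-memory here, the binding lives only as long as the process; a polling server would persist it alongside the awareness state.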