We use strfry for our relay backends. For AUTH that is on connect (not for a specific type of REQ) we have a fairly simple custom websocket that sits in-between. Once the user passes AUTH, you can simply connect them to strfry. For more complicated types of access control, the middleware becomes a lot more complex as it needs to parse each request. Strfry will eventually have NIP-42 built in - it is often discussed in the strfry telegram as a desired feature. The truth is it’s a complicated spec to implement for anything outside of “on connection” and for that use case it’s a poor solution (a header would be better, more like NIP-98). I’ve ranted about this before but ultimately it’s not going to change and I’ve embraced NIP-42 for the time being.