Check token content before handling them

This adds plausibility checks before handling tokens as for example jwt
or api keys. Doing so we generate less error logs and therefore we cause
less confusion.

scm-webapp/src/test/java/sonia/scm/security/ApiKeyRealmTest.java

@@ -96,6 +96,15 @@ class ApiKeyRealmTest {
     assertThrows(AuthorizationException.class, () -> realm.doGetAuthenticationInfo(token));
   }
 
+  @Test
+  void shouldIgnoreTokensWithDots() {
+    BearerToken token = valueOf("this.is.no.api.token");
+
+    boolean supports = realm.supports(token);
+
+    assertThat(supports).isFalse();
+  }
+
   void verifyScopeSet(String... permissions) {
     verify(authenticationInfoBuilder).withScope(argThat(scope -> {
       assertThat(scope).containsExactly(permissions);

scm-webapp/src/test/java/sonia/scm/security/ApiKeyTokenHandlerTest.java

@@ -61,4 +61,11 @@ class ApiKeyTokenHandlerTest {
 
     assertThat(token).isEmpty();
   }
+
+  @Test
+  void shouldParseRealWorldExample() {
+    Optional<ApiKeyTokenHandler.Token> token = handler.readToken("JhcGlLZXlJZCI6IkE2U0ROWmV0MjEiLCJ1c2VyIjoiaG9yc3QiLCJwYXNzcGhyYXNlIjoiWGNKQ01PMnZuZ1JaOEhVU21BSVoifQ");
+
+    assertThat(token).get().extracting("user").isEqualTo("horst");
+  }
 }

scm-webapp/src/test/java/sonia/scm/security/BearerRealmTest.java

@@ -40,6 +40,7 @@ import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
+import static sonia.scm.security.BearerToken.valueOf;
 
 /**
  * Unit tests for {@link BearerRealm}.
@@ -96,4 +97,13 @@ class BearerRealmTest {
   void shouldThrowIllegalArgumentExceptionForWrongTypeOfToken() {
     assertThrows(IllegalArgumentException.class, () -> realm.doGetAuthenticationInfo(new UsernamePasswordToken()));
   }
+
+  @Test
+  void shouldIgnoreTokensWithoutDot() {
+    BearerToken token = valueOf("this-is-no-jwt-token");
+
+    boolean supports = realm.supports(token);
+
+    assertThat(supports).isFalse();
+  }
 }

scm-webapp/src/test/java/sonia/scm/web/security/TokenRefreshFilterTest.java

@@ -21,7 +21,7 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  * SOFTWARE.
  */
-    
+
 package sonia.scm.web.security;
 
 import org.apache.shiro.authc.AuthenticationToken;
@@ -52,6 +52,7 @@ import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
+import static sonia.scm.security.BearerToken.valueOf;
 
 @ExtendWith({MockitoExtension.class})
 class TokenRefreshFilterTest {
@@ -103,7 +104,7 @@ class TokenRefreshFilterTest {
 
   @Test
   void shouldNotRefreshNonJwtToken() throws IOException, ServletException {
-    BearerToken token = mock(BearerToken.class);
+    BearerToken token = createValidToken();
     JwtAccessToken jwtToken = mock(JwtAccessToken.class);
     when(tokenGenerator.createToken(request)).thenReturn(token);
     when(resolver.resolve(token)).thenReturn(jwtToken);
@@ -116,7 +117,7 @@ class TokenRefreshFilterTest {
 
   @Test
   void shouldRefreshIfRefreshable() throws IOException, ServletException {
-    BearerToken token = mock(BearerToken.class);
+    BearerToken token = createValidToken();
     JwtAccessToken jwtToken = mock(JwtAccessToken.class);
     JwtAccessToken newJwtToken = mock(JwtAccessToken.class);
     when(tokenGenerator.createToken(request)).thenReturn(token);
@@ -128,4 +129,8 @@ class TokenRefreshFilterTest {
     verify(issuer).authenticate(request, response, newJwtToken);
     verify(filterChain).doFilter(request, response);
   }
+
+  BearerToken createValidToken() {
+    return valueOf("some.jwt.token");
+  }
 }