Check token content before handling them

This adds plausibility checks before handling tokens as for example jwt
or api keys. Doing so we generate less error logs and therefore we cause
less confusion.

scm-webapp/src/test/java/sonia/scm/security/ApiKeyRealmTest.java

@@ -96,6 +96,15 @@ class ApiKeyRealmTest {
     assertThrows(AuthorizationException.class, () -> realm.doGetAuthenticationInfo(token));
   }
 
+  @Test
+  void shouldIgnoreTokensWithDots() {
+    BearerToken token = valueOf("this.is.no.api.token");
+
+    boolean supports = realm.supports(token);
+
+    assertThat(supports).isFalse();
+  }
+
   void verifyScopeSet(String... permissions) {
     verify(authenticationInfoBuilder).withScope(argThat(scope -> {
       assertThat(scope).containsExactly(permissions);