Tapis-shared: Deal with trailing spaces in JWT username

[scblack321]

Somehow a jwt ended up containing a username with trailing spaces.
This caused problems.
Plan is for authenticator and/or tokens service to be updated to reject such usernames.

TBD: Should we defensively trim username strings from values in JWT?
What about other names, such as tenant?

[scblack321]

Reported by Sal on 4/10/2025, here are excerpts form slack conversation:
Sal Tijerina 1:53 PM
Getting this error when a user is attempting to create credentials on a public system:

ForbiddenError: message: SYSLIB_UNAUTH Permission denied. jwtTenant: designsafe jwtUserId: sjo0016 OboTenant: designsafe OboUser: sjo0016 System: cloud.data Operation: setCred

Steve Black 3:29 PM
Just noticed something, one of the calls involving credentials appears to have an extra space at the end for this username.
"sjo0016 " vs "sjo0016"

Here is an example jwt:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiIxMzdlYWUyYy0xZWJjLTQ5ZjItOTBkMS04MzAzZDMwOTY3MjQiLCJpc3MiOiJodHRwczovL2Rlc2lnbnNhZmUudGFwaXMuaW8vdjMvdG9rZW5zIiwic3ViIjoic2pvMDAxNiAgQGRlc2lnbnNhZmUiLCJ0YXBpcy90ZW5hbnRfaWQiOiJkZXNpZ25zYWZlIiwidGFwaXMvdG9rZW5fdHlwZSI6ImFjY2VzcyIsInRhcGlzL2RlbGVnYXRpb24iOmZhbHNlLCJ0YXBpcy9kZWxlZ2F0aW9uX3N1YiI6bnVsbCwidGFwaXMvdXNlcm5hbWUiOiJzam8wMDE2ICAiLCJ0YXBpcy9hY2NvdW50X3R5cGUiOiJ1c2VyIiwiZXhwIjoxNzQ0MzIyNzU3LCJ0YXBpcy9jbGllbnRfaWQiOiJERVNJR05TQUZFLlBST0QiLCJ0YXBpcy9ncmFudF90eXBlIjoicmVmcmVzaF90b2tlbiIsInRhcGlzL3JlZGlyZWN0X3VyaSI6Imh0dHBzOi8vd3d3LmRlc2lnbnNhZmUtY2kub3JnL2F1dGgvdGFwaXMvY2FsbGJhY2svIiwidGFwaXMvcmVmcmVzaF9jb3VudCI6MX0.dOodv-OqUqsMKdTCuQbkY59nu04Q4JR2p0rTprHopM-7nyPyYLOkYGcelEEVs82PosebPE89Bn31Hy9uE_SDj69hoU8Yp-2fhyHinkHnlSOf4fnYKNzC2JCI_DXrhAoV6z1GZ60QAr3DjEnFOIrQxKSI_1qgmlki8GhcVZUlMrn_T-aoejsQ5fbYmlSSYOvuc4z0U8G2Qo8ZCA3xLNZY0b3DlgjyXsjuyy5G4NSCUqIeWgYbJYAqESM_efuG6AQE3a2eE6QfdQ6krhbgeroAELD0XrY-K_sn4MdPJBEe1_VIdNkAji_LuvVHMIrza3JyW50ldQ8VTyAAAj3OlX-Q-g

Decoded the jwt contains this:

{
"jti": "137eae2c-1ebc-49f2-90d1-8303d3096724",
"iss": "https://designsafe.tapis.io/v3/tokens",
"sub": "sjo0016 @designsafe",
"tapis/tenant_id": "designsafe",
"tapis/token_type": "access",
"tapis/delegation": false,
"tapis/delegation_sub": null,
"tapis/username": "sjo0016 ",
"tapis/account_type": "user",
"exp": 1744322757,
"tapis/client_id": "DESIGNSAFE.PROD",
"tapis/grant_type": "refresh_token",
"tapis/redirect_uri": "https://www.designsafe-ci.org/auth/tapis/callback/",
"tapis/refresh_count": 1
}