Fix flaky TestJWTManager

[6543]

The test verified that a tampered JWT is rejected, but it was flipping the last base64url character of the signature instead of flipping an actual byte.

This was unreliable: the final character of a 32-byte HMAC-SHA256 signature only carries 4 meaningful bits. Go's base64 decoder silently ignores the other 2, so roughly 1 in 16 tokens decoded to the same bytes after the swap — meaning the "tampered" token passed verification and the test flaked.

Fix: decode the signature to raw bytes, XOR the first byte, then re-encode. This guarantees the signature bytes are actually different, making the test deterministic.

example: https://ci.woodpecker-ci.org/repos/3780/pipeline/33691/33

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 41.29%. Comparing base (f1bf85f) to head (7cc30ec).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6478      +/-   ##
==========================================
+ Coverage   41.25%   41.29%   +0.04%     
==========================================
  Files         431      431              
  Lines       28815    28815              
==========================================
+ Hits        11887    11899      +12     
+ Misses      15861    15850      -11     
+ Partials     1067     1066       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.