Currently the semantics of the authtoken object are opaque and it is not clear whether it allows embedded nulls, or the size includes the terminating null for a string.

Turn it into an opaque object with a type with getters and setters that enforce rules also by embedding the type we can always use the type on getters so we return errors if the unexpected type is ever passed in.

Right now we always assume it is a null terminated password, we should better not assume if we will ever introduce inary token and instead mark with a type so that if someone tries to get() a password on a binary token it will just fail with an error instead of failing due to unexpected data like embedded nulls or non conformant character encoding errors (we may have to do character conversion even for passwords in some cases, for example if we ever support NTLM auth).