Given the following curl command using a wrong API key, users will get HTML garbage:
curl 'https://tuleap-web.tuleap-aio-dev.docker/uploads/frs/file/1' -H 'X-Auth-AccessKey: tlp-k1-7.2c3ba8187f202ec2a6962a972f6ebebb9f5b3278ce563b66d9e77320f65f0fd' -H 'Tus-Resumable: 1.0.0' -k \
-H 'Upload-Offset: 0' \
-H 'Content-Type: application/offset+octet-stream' \
-H 'Content-Length: 12' \
-H 'X-Http-Method-Override: PATCH' \
--data-binary "123456789012"
Furthermore, we get this in the codendi_syslog:
2019-08-07T17:57:16+02:00 [4185] [error] Caught exception: invalid hex string:
#0 /usr/share/tuleap/src/common/User/AccessKey/AccessKeySerializer.php(47): sodium_hex2bin()
#1 /usr/share/tuleap/src/common/REST/UserManager.class.php(181): Tuleap\User\AccessKey\AccessKeySerializer->getSplitToken()
#2 /usr/share/tuleap/src/common/REST/UserManager.class.php(150): Tuleap\REST\UserManager->getUserFromAccessKey()
#3 /usr/share/tuleap/src/common/REST/UserManager.class.php(118): Tuleap\REST\UserManager->getUserFromTuleapRESTAuthenticationFlows()
#4 /usr/share/tuleap/src/common/REST/RESTCurrentUserMiddleware.php(54): Tuleap\REST\UserManager->getCurrentUser()
#5 /usr/share/tuleap/src/common/Http/Server/MiddlewareDispatcher.php(52): Tuleap\REST\RESTCurrentUserMiddleware->process()
#6 /usr/share/tuleap/src/common/Http/Server/SessionWriteCloseMiddleware.php(35): Tuleap\Http\Server\MiddlewareDispatcher->handle()
#7 /usr/share/tuleap/src/common/Http/Server/MiddlewareDispatcher.php(52): Tuleap\Http\Server\SessionWriteCloseMiddleware->process()
#8 /usr/share/tuleap/src/common/Request/DispatchablePSR15Compatible.php(61): Tuleap\Http\Server\MiddlewareDispatcher->handle()
#9 /usr/share/tuleap/src/common/Request/FrontRouter.php(222): Tuleap\Request\DispatchablePSR15Compatible->process()
#10 /usr/share/tuleap/src/common/Request/FrontRouter.php(101): Tuleap\Request\FrontRouter->routeHandler()
#11 /usr/share/tuleap/src/www/index.php(46): Tuleap\Request\FrontRouter->route()
#12 {main}
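The trace shows the exception from sodium_hex2bin() leaving the access key parser uncaught. The following is an added example, not Tuleap's code, of parsing that treats a malformed key as an ordinary authentication failure and answers with JSON. Assumptions: the key layout "tlp-k1-<id>.<hex>" is inferred from the key above, the 64-digit verifier length, the 401 status and the JSON body are illustrative, all function and class names are hypothetical, and the sodium extension is loaded.

```php
<?php
declare(strict_types=1);

// Hypothetical names; not Tuleap code. Key layout "tlp-k1-<id>.<hex>" is inferred from
// the report, and the 32-byte (64 hex digit) verifier length is an assumption.
final class MalformedAccessKeyException extends RuntimeException
{
}

/** @return array{id: int, verifier: string} id and raw verifier bytes */
function split_access_key(string $key): array
{
    // Strict shape check first: fixed-length, even-length, lowercase hex only.
    if (preg_match('/\Atlp-k1-([1-9][0-9]{0,9})\.([0-9a-f]{64})\z/', $key, $m) !== 1) {
        throw new MalformedAccessKeyException('access key is not well formed');
    }
    try {
        $verifier = sodium_hex2bin($m[2]);
    } catch (SodiumException $e) {
        // Defence in depth: translate the decoder's exception into a domain error.
        throw new MalformedAccessKeyException('access key is not well formed', 0, $e);
    }
    return ['id' => (int) $m[1], 'verifier' => $verifier];
}

/** Returns a JSON 401 response for a malformed key, or null when parsing succeeded. */
function reject_if_malformed(string $key): ?array
{
    try {
        split_access_key($key);
        return null; // well formed: the caller continues with lookup and verification
    } catch (MalformedAccessKeyException $e) {
        return [
            'status'  => 401,
            'headers' => ['Content-Type' => 'application/json'],
            'body'    => json_encode(['error' => ['code' => 401, 'message' => 'Invalid access key']]),
        ];
    }
}

// Constructed inputs: the key from the report, the same key padded to 64 hex digits,
// a non-hex verifier, and an empty header value.
$reported = 'tlp-k1-7.2c3ba8187f202ec2a6962a972f6ebebb9f5b3278ce563b66d9e77320f65f0fd';
foreach ([$reported, $reported . '0', 'tlp-k1-7.zz', ''] as $key) {
    $response = reject_if_malformed($key);
    printf("length %2d: %s\n", strlen($key), $response === null ? 'parsed' : $response['body']);
}
```

Returning the same response for a malformed key as for an unknown one keeps the error path from revealing which check failed.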