Add input validation and security checks in CreateToken method

[coderabbitai]

The method CreateToken in internal/auth/jwt_hs256.go should validate the input data map and ensure sensitive data isn't accidentally included in the token.

See PR #8 and this comment for more details.

Requested by @itsLeonB.