Improve calendar token authentication security

for #1112 (closed) Previously there would have been a tiny chance of two identical tokens being issued.

• also in prep for allowing different scopes of tokens for #1173 thus a concern
• also update puma due to CVE (version 6 breaks some system tests so we stick to 5)