Require minimum length for secret

[wsargent]

Fixes

Fixes #8554

Purpose

Specifies a minimum length for the secret, below which the application will report an error. This prevents low entropy strings from being used.

Note that this is a) set intentionally low so that no genuine random string is used and b) is hardcoded and can't be disabled.

Unfinished work

This needs to be mentioned in the migration notes, as it will prevent some users from updating (and will require logins as changing the salt will invalidate all sessions) and will also require changes for users who use a "prod" application in their test suites.

Background Context

Salts aren't required to be incredibly strong, but they are required to be unique... and if you don't have a unique salt (i.e. you've been typing "password" in) then the application secret can be guessed and then the session data can be spoofed.

[marcospereira]

Looking good to me.

The only thing I'm thinking is how can we bring this information to dev mode and make people aware of this change sooner. Also, we need to add this to the migration guide.

[marcospereira]

Two minor suggestions and then it looks good to me.

Thanks, @wsargent.

[marcospereira]

I've added some changes (and made comments to explain them) and there is also some minor points.

[marcospereira]

@wsargent you may want to do a small review here since I've added some commits. 😄

[ignasi35]

Made a few comments wrt the length of the validations to trigger the warnings.

In some occasion, I made code suggestions (which now I think are wrong) but then realised the actual issues:

• 8 and 15 are magic numbers
• in both cases the comparison is lower-or-equal and that's not properly setup or worded in tests.

[wsargent]

@ignasi35 should be good now

[ignasi35]

Thanks @wsargent !