KorAP / Kalamar

:octopus: Mojolicious-based Frontend for KorAP
BSD 2-Clause "Simplified" License

Autorotating secrets do not clear the secrets file #157

Closed Akron closed 2 years ago

Akron commented 2 years ago

It seems the new auto secrets mechanism can create garbage secret files. When writing a new secrets file it may need to be unlinked before. The problem is in https://metacpan.org/dist/Mojolicious-Plugin-AutoSecrets/source/lib/Mojolicious/Plugin/AutoSecrets.pm - so it needs to be fixed there.

Akron commented 2 years ago

Although I think AutoSecrets is problematic in that regard, a way to mitigate the problem is to have secrets no longer than 22 characters (default length in Session::Token). The garbage can happen when secrets are longer than 22 and they are part of the secrets file when the automatic migration happens - that way after the first full round of rotation, the extra characters are not truncated. By fixing the migration, this error won't occur anymore for new migrations. The fix for already migrated instances is to manually truncate the JSON secret file.
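The failure mode discussed in this issue, modelled as an added example in Python (not code from the issue or from Mojolicious::Plugin::AutoSecrets, which is Perl): a shorter payload written over a longer one without truncation leaves trailing bytes, and the repair keeps only the first complete JSON value. The file name, the function names and the JSON-array-of-strings layout are assumptions made for the illustration.

```python
import json
import os
import tempfile

def overwrite_in_place(path, secrets):
    # Buggy pattern: "r+" rewrites from offset 0 and never truncates.
    with open(path, "r+", encoding="utf-8") as fh:
        fh.write(json.dumps(secrets))

def write_atomic(path, secrets):
    # Safe pattern: fresh 0600 temp file in the same directory, then rename.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(json.dumps(secrets))
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise

def split_garbage(path):
    # Return (first complete JSON value, text left over after it).
    with open(path, encoding="utf-8") as fh:
        text = fh.read().lstrip()
    value, end = json.JSONDecoder().raw_decode(text)
    return value, text[end:].strip()

def repair(path):
    # Rewrite the file with only its first JSON value; True if it changed.
    value, garbage = split_garbage(path)
    if garbage:
        write_atomic(path, value)
    return bool(garbage)

def demo():
    # Constructed data: a 40-character legacy secret rotated to a 22-character one.
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "secrets.json")  # hypothetical file name
        write_atomic(path, ["x" * 40])
        overwrite_in_place(path, ["y" * 22])
        before = split_garbage(path)[1]
        changed = repair(path)
        value, after = split_garbage(path)
        return before, changed, value, after

if __name__ == "__main__":
    print(demo())
```

Running `split_garbage` against a deployed secrets file shows whether an instance still needs the manual truncation mentioned above before anything is rewritten.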