Allow rotating SECRET_KEY

[bemoody]

There should be a way to change the Django SECRET_KEY value. Preferably, we should be able to rotate the key regularly (once per year, say), without breaking anything.

We really don't want to break:

• user registration email links
• password reset email links

We would prefer not to break:

• login sessions ("sessionid" cookies)
• anonymous access sessions ("anonymousaccess" cookies)
• user registration ("register_time" cookies)
• ...anything else that uses "get_signed_cookie"

https://pypi.org/project/django-rotate-secret-key/ is a package that claims to address the login session issue; I haven't looked at how it's implemented, whether it works with Django 4, or whether it addresses any of the other issues.

[amitupreti]

@bemoody This looks unassigned and super cool, if this is still open, would it be okay if i work on this?

[tompollard]

@amitupreti please feel free to take this on!

[bemoody]

Key rotation finally became an officially supported feature in Django 4.1, so we just have to turn it on. Probably everything should just work unless we have code that directly refers to SECRET_KEY.