fastify / fastify-secure-session

Create a secure stateless cookie session for Fastify
MIT License

Refine secret key handling for better flexibility and security #220

Closed JohanManders closed 4 months ago

JohanManders commented 5 months ago

Changes

The @fastify/secure-session plugin emphasizes using a pregenerated key. Before these code changes, you could not use signed sessions/cookies when only using a key. When using a key and a secret, it was confusing which of the two was used for what.

After this commit, signing will work with only a key or an array of keys, without the need for a secret. When setting a key, the key is used for the session key and also for the cookie secret. When setting a key and a secret, the secret is not used. When using a secret only, this will be used for the session key and the cookie secret.

I used sodium.crypto_generichash(outputHash, key) (or sodium.crypto_generichash(outputHash, key[0]) if you used key rotation) to convert the buffer to a string that we can use for the cookie secret. This should give us a secure enough string and make sure the key is not the same as the secret.

This pull request fixes issue #77.

Unit tests

I added 3 unit tests which would fail using the old code:

Checklist

JohanManders commented 5 months ago

I thought that that would not be a problem and I tried to keep the complexity as low as possible. Using sodium.crypto_generichash(outputHash, key) should fix this issue.