guardian / play-secret-rotation

Rotate your Application Secret on an active cluster of Play app servers

Fix `CSRFTokenSigner` - it needs to cope with rotated secrets too #446

Closed rtyley closed 6 months ago

rtyley commented 6 months ago

This fixes https://github.com/guardian/play-secret-rotation/issues/445 - although play-secret-rotation has always overridden Play's RequestFactory to handle rotating the Play Application Secret, we forgot to also override the CSRFTokenSigner to teach it about rotating secrets - this PR fixes that.

Essential to coping with rotating secret keys is the ability to tolerate tokens signed with old secret keys for a transition period (for us the overlap period is 2 hours). So our RotatingKeyCSRFTokenSigner needs to always sign with the 'current' secret, but when verifying tokens, needs to try verifying the token against all applicable secret keys, to see if any of them validate it.

See also:
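The rule described in the PR description above (always sign with the current secret, verify against every secret still inside the overlap period), as an added Python model; it is not the project's Scala code nor Play's `CSRFTokenSigner`, and `SecretVersion`, `RotatingKeySigner` and the sample secrets in the comments are assumptions made up for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass

OVERLAP_SECONDS = 2 * 60 * 60  # the 2-hour transition period the PR description mentions


@dataclass(frozen=True)
class SecretVersion:
    secret: bytes      # constructed sample value, never a real Play application secret
    active_from: int   # epoch seconds at which this secret became the 'current' one


class RotatingKeySigner:
    """Hypothetical signer: signs with the current secret, verifies against all applicable ones."""

    def __init__(self, versions, overlap_seconds=OVERLAP_SECONDS):
        self.versions = sorted(versions, key=lambda v: v.active_from)
        self.overlap = overlap_seconds

    def applicable(self, now):
        """Secrets that were 'current' at some instant in [now - overlap, now], newest first."""
        active = [v for v in self.versions if v.active_from <= now]
        usable = []
        for i, v in enumerate(active):
            # a secret is retired the moment its successor becomes active
            retired_at = active[i + 1].active_from if i + 1 < len(active) else None
            if retired_at is None or now - retired_at < self.overlap:
                usable.append(v)
        return list(reversed(usable))

    @staticmethod
    def _mac(secret, token):
        return hmac.new(secret, token.encode(), hashlib.sha256).hexdigest()

    def sign(self, token, now):
        """Always sign with the newest secret so a fresh token outlives the retiring key."""
        usable = self.applicable(now)
        if not usable:
            raise ValueError("no secret is active yet")
        return f"{self._mac(usable[0].secret, token)}-{token}"

    def verify(self, signed, now):
        """True if the MAC matches ANY applicable secret; each comparison is constant-time."""
        mac, sep, token = signed.partition("-")
        if not sep:
            return False
        return any(hmac.compare_digest(mac, self._mac(v.secret, token))
                   for v in self.applicable(now))
```

The real signer wraps Play's token format rather than this `mac-token` layout; only the key-selection logic is what this example demonstrates.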

gu-scala-library-release[bot] commented 6 months ago

@rtyley has published a preview version of this PR with release workflow run #32, based on commit 6be2ecaa54ee6fb618580255193b39784b8c71ac:

`8.2.0-PREVIEW.fix-forgotten-CSRFTokenSigner.2024-04-04T1033.6be2ecaa`

Want to make another preview release? Click 'Run workflow' in the [GitHub UI](https://github.com/guardian/play-secret-rotation/actions/workflows/release.yml), specifying the fix-forgotten-CSRFTokenSigner branch, or use the [GitHub CLI](https://cli.github.com/) command: `gh workflow run release.yml --ref fix-forgotten-CSRFTokenSigner`

Want to make a full release after this PR is merged? Click 'Run workflow' in the [GitHub UI](https://github.com/guardian/play-secret-rotation/actions/workflows/release.yml), leaving the branch as the default, or use the [GitHub CLI](https://cli.github.com/) command: `gh workflow run release.yml`