nuxt-modules / turnstile

🔥 Cloudflare Turnstile integration for Nuxt
https://cloudflare.com/products/turnstile
MIT License
217 stars 17 forks

feat: add `secretKeyPath` for reading key from fs at build-time #174

Closed PatrickMi closed 1 year ago

PatrickMi commented 1 year ago

Hi 👋 I want to use docker secrets to pass the turnstile secret key for this module. As it looks to me, the turnstile module only accepts the secret key when it is added to the runtime config by hand. I made a small change to pass the path of a file (in my case the docker secret) containing the secret for turnstile. It would be awesome if you would add that functionality. I hope this PR can help 💪 Also, as I am new to Nuxt, I'm not sure if I made some mistakes or could do some things better. So I'm always open to improvement hints.

Greetings from Germany ❤️

danielroe commented 1 year ago

I really appreciate the work you both are putting into this.

My own point of view is that the secret should be configured by the user setting an environment variable, rather than reading a file from disk. I'm willing to support reading a file from disk at build-time, however, if you really need it, though I personally can't see why - it seems it would be better to include the following in your .env file:

NUXT_TURNSTILE_SECRET_KEY=somesecretkey

dargmuesli commented 1 year ago

Afaik it's not recommended to store secrets in environment variables. It's described in CWE-526. TrendMicro did research on that. Diogo Mónica sums it up in a shorter article. I think these observations are the reason why Docker implemented secrets as files, they write:

Docker secrets do not set environment variables directly. This was a conscious decision, because environment variables can unintentionally be leaked between containers (for instance, if you use --link).

I see that in this context it might not be very necessary to support secret files, but to me it's better to follow the habit of doing it a safer way.

dargmuesli commented 1 year ago

Hey, sorry for the incoming spam, but I am limited by https://github.com/orgs/community/discussions/8327 not being able to resolve my own review comments, so I'm going to comment under those which can be marked as resolved by someone with write access to this PR.