sergiotapia / magnetissimo

Web application that indexes all popular torrent sites, and saves it to the local database.
MIT License
Having a default SECRET_KEY_BASE is insecure #150

Closed bo0tzz closed 1 year ago

bo0tzz commented 1 year ago

The default docker-compose file already has a SECRET_KEY_BASE set (https://github.com/sergiotapia/magnetissimo/blob/master/docker-compose.yml#L22). My experience is that people will forget to change this when deploying, resulting in instances that are essentially wide-open. Although this key happens to not be used for authentication here, it's still a security risk. My recommendation would be the following:

  1. Leave the value empty in the compose file (SECRET_KEY_BASE=), and include a comment with a command that can be used to generate the value (e.g. openssl rand -base64 48).
  2. If the key is not set, generate a key that the user can copy and include it in the error message, then stop the application.
  3. If the key is set, but it's an insecure value (either equal to the current default, or not enough entropy[^1]), then log a big warning with a new key but continue to start the application (using the configured key).

[^1]: It seems Phoenix already errors if the entropy is too low, so maybe that's not necessary to also do here.
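
The three-step startup check proposed above, sketched as a container entrypoint script. This is an added example, not code from magnetissimo or from either commenter. Assumptions: the function names, the placeholder standing in for the former default key, the 64-character minimum (a length proxy for the check Phoenix already performs), and the 16-distinct-character heuristic.

```shell
#!/bin/sh
# Added example: pre-start validation of SECRET_KEY_BASE (hypothetical helper names).

# Placeholder only: the key that used to ship in docker-compose.yml is not reproduced here.
KNOWN_DEFAULT_KEY="<former-default-from-docker-compose.yml>"
MIN_KEY_LENGTH=64      # assumption: length used as a rough stand-in for entropy
MIN_DISTINCT_CHARS=16  # assumption: constructed heuristic to catch keys like "aaaa..."

# Print a fresh 64-character key (48 random bytes, base64-encoded).
generate_key() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 48
    else
        head -c 48 /dev/urandom | base64
    fi
}

# Returns 0 = key accepted
#         1 = key missing (caller must stop the application)
#         2 = key set but insecure (warn, continue with the configured key)
check_secret_key_base() {
    key="$1"
    if [ -z "$key" ]; then
        echo "ERROR: SECRET_KEY_BASE is not set. Set it to a private value, e.g.:" >&2
        echo "  SECRET_KEY_BASE=$(generate_key)" >&2
        return 1
    fi
    distinct=$(printf '%s' "$key" | fold -w1 | sort -u | wc -l | tr -d ' ')
    if [ "$key" = "$KNOWN_DEFAULT_KEY" ] \
        || [ "${#key}" -lt "$MIN_KEY_LENGTH" ] \
        || [ "$distinct" -lt "$MIN_DISTINCT_CHARS" ]; then
        echo "WARNING: SECRET_KEY_BASE is a known default or too weak." >&2
        echo "WARNING: starting anyway; replace it with e.g.:" >&2
        echo "  SECRET_KEY_BASE=$(generate_key)" >&2
        return 2
    fi
    return 0
}

# Run the check, refuse to start only when the key is missing, then exec the app.
entrypoint() {
    rc=0
    check_secret_key_base "${SECRET_KEY_BASE:-}" || rc=$?
    [ "$rc" -eq 1 ] && exit 1
    exec "$@"
}
# When installed as the container entrypoint, end the script with: entrypoint "$@"
```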

sergiotapia commented 1 year ago

You're right, I'll remove it from the docker-compose file. It will force people to generate their own SECRET_KEY_BASE string. Fixed in c4ac1218d9e578e242136f1343fd789f0831d6b1

bo0tzz commented 1 year ago

Thank you!