
migrate-secret-key Fails to Update Secrets #181

Open
Samk13 opened this issue Mar 25, 2024 · 1 comment

Comments

@Samk13
Member

Samk13 commented Mar 25, 2024

Package version (if known): V12 latest

Describe the bug

After changing the SECRET_KEY in invenio.cfg and running invenio instance migrate-secret-key --old-key CHANGE_ME, users are unable to log in and get the message "incorrect password". It appears the command accepts any value as old-key without regenerating the secrets with the new secret key, posing a potential security risk of being unable to access the system afterwards.

Steps to Reproduce

  1. Create a user using the user/password method.
  2. Make sure you are able to log in with your password.
  3. Change SECRET_KEY in invenio.cfg.
  4. Run the command invenio instance migrate-secret-key --old-key CHANGE_ME.
  5. Attempt to log in with a user account using username and password.
  6. Encounter "incorrect password" error.

Expected behavior

Users should be able to log in with their credentials after the secret key migration, and the process should validate the old-key properly to ensure secrets are regenerated with the new secret key securely.

Additional context

The issue was discovered during testing of the migrate-secret-key command, raising concerns about the command's validation of the old-key parameter and the regeneration process of secrets.

@Samk13
Member Author

Samk13 commented Mar 25, 2024

After discussions on the Discord maintainers channel:

  • We must add validation for the old secret to prevent the risk of entirely corrupting the stored values.
  • For the username/password method, here's Slint's response on Discord
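As an added illustration of the validation the comment asks for (this is not invenio-cli's own code; the sealing scheme, the `seal`/`open_` helpers and the dict-based secret store are constructed stand-ins), the migration first authenticates every stored value under the supplied old key and aborts before writing anything if a single check fails, so a wrong `--old-key` cannot corrupt the store:

```python
import hashlib
import hmac
import os


class SecretMigrationError(Exception):
    """Raised when a stored value does not verify under the supplied old key."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Constructed stand-in for a real cipher: SHA-256 in counter mode.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    # nonce || ciphertext || HMAC-SHA256(key, nonce || ciphertext)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    # Verify the tag first; a wrong key fails here instead of yielding garbage.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise SecretMigrationError("stored value does not authenticate under the old key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def migrate_secrets(store: dict, old_key: str, new_key: str) -> dict:
    """Re-seal every secret in `store` under new_key, validating old_key first.

    Phase 1 decrypts everything in memory and raises on the first failure,
    leaving `store` untouched. Phase 2 runs only once every value verified.
    """
    old, new = old_key.encode(), new_key.encode()
    plaintexts = {name: open_(old, blob) for name, blob in store.items()}
    return {name: seal(new, pt) for name, pt in plaintexts.items()}


# Constructed sample store: two secrets sealed under the placeholder key.
SAMPLE_STORE = {
    "oauth_client_secret": seal(b"CHANGE_ME", b"s3cr3t-token"),
    "smtp_password": seal(b"CHANGE_ME", b"mail-pass"),
}
```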
