[core] have a system level SECRET variable, to be used as a salt separate from DATABASE_DSN

core/install.php

@@ -314,7 +314,8 @@ function create_tables(Database $db): void
 
 function write_config(string $dsn): void
 {
-    $file_content = "<" . "?php\ndefine('DATABASE_DSN', '$dsn');\n";
+    $secret = bin2hex(random_bytes(16));
+    $file_content = "<" . "?php\ndefine('DATABASE_DSN', '$dsn');\ndefine('SECRET', '$secret');\n";
 
     if (!file_exists("data/config")) {
         mkdir("data/config", 0755, true);

core/sys_config.php

@@ -38,3 +38,4 @@ _d("BASE_HREF", null);          // string   force a specific base URL (default i
 _d("TRACE_FILE", null);         // string   file to log performance data into
 _d("TRACE_THRESHOLD", 0.0);     // float    log pages which take more time than this many seconds
 _d("TRUSTED_PROXIES", []);      // array    trust "X-Real-IP" / "X-Forwarded-For" / "X-Forwarded-Proto" headers from these IP ranges
+_d("SECRET", DATABASE_DSN);     // string   A secret bit of data used to salt some hashes

core/user.php

@@ -249,7 +249,7 @@ class User
     public function get_auth_token(): string
     {
         global $config;
-        $salt = DATABASE_DSN;
+        $salt = SECRET;
         $addr = get_session_ip($config);
         return md5(md5($this->passhash . $addr) . "salty-csrf-" . $salt);
     }

tests/defines.php

@@ -23,3 +23,4 @@ define("TIMEZONE", 'UTC');
 define("CLI_LOG_LEVEL", 50);
 define("STATSD_HOST", null);
 define("TRUSTED_PROXIES", []);
+define("SECRET", "asdfghjkl");