FIX: Don't leak unhashed user API keys to redis (PR #14682)

User API keys (not the same thing as admin API keys) are currently leaked to redis when rate limits are applied to them since redis is the backend for rate limits in Discourse and the API keys are included in the redis keys that are used to track usage of user API keys in the last 24 hours.

This commit stops the leak by using a SHA-256 representation of the user API key instead of the key itself to form the redis key.

We don’t need to manually delete the existing redis keys that contain unhashed user API keys because they’re not long-lived and will be automatically deleted within 48 hours after this commit is deployed to your Discourse instance.

GitHub