There is no way to know if a rotated key still being used by MessageVerifier

Hi there!

When using ActiveSupport::MessageVerifier#rotate it’s not possible to know if a rotated key still in use.

As an example, if we need to change a key because it was leaked, we need to know when we can remove the leaked one completely.

I have 3 different suggestions for that:

  1. change the method MessageVerifier#verify to return an object to encapsulate the value and the key (truncated) that was used. The downside of this approach is to break compatibility with the current version

  2. almost the same as 1) but using an extra option in the method verify to enable this behaviour

  3. use ActiveSupport::Notifications to report that

With this information (which key was used), it would be possible to create a counter metric to measure that.