[11.x] Add support for previous apps keys in signed URL verification

[Krisell]

Description

Laravel 11 introduced the ability to add app.previous_keys to migrate the app-key for encryption transparently, added in #49962

This PR adds the same support for signed URLs, by allowing URLs generated under one of the previous keys (listed in app.previous_keys) to be considered as valid.

Implementation

The implementation iterates over the acceptable app keys, with the current app key first, and returns as soon as a valid hmac is found. Of course, signing a new URL always uses the current app key.

To support this, I updated the default $keyResolver in UrlGenerator (set in RoutingServiceProvider) to return an array of keys. I can't see this return value being typed anywhere, and I kept support for single keys being returned, in case anyone injects their own key resolver.

Inspiration

The idea for this PR comes from @valorin and the Securing Laravel newsletter, where the missing support for signed URLs was mentioned.

[valorin]

This is great, nice work! 😁

I can't see any issues with it, and I like how you're still supporting single keys for backwards compatibility.