fix: validate SEARCH_PEPPER configuration before token generation

Added validation to ensure SEARCH_PEPPER is not empty before generating
tokens. This prevents a security vulnerability where tokens would be
generated without a pepper, making them vulnerable to rainbow table attacks.

Changes:
- Added empty pepper validation in Tokens::exact()
- Added empty pepper validation in Tokens::prefixes()
- Throw RuntimeException with helpful error message and setup instructions
- Updated PHPDoc to document the exception

The error message now guides developers to configure the pepper properly
with a suggested command: openssl rand -base64 32

Author: ginkelsoft-development

src/Support/Tokens.php

@@ -46,9 +46,18 @@ class Tokens
      *
      * @return string
      *     Hex-encoded SHA-256 hash (64 characters).
+     *
+     * @throws \RuntimeException if pepper is empty
      */
     public static function exact(string $normalized, string $pepper): string
     {
+        if (empty($pepper)) {
+            throw new \RuntimeException(
+                'SEARCH_PEPPER is not configured. Set it in your .env file for security. ' .
+                'Generate a random string: openssl rand -base64 32'
+            );
+        }
+
         return hash('sha256', $normalized . $pepper);
     }
 
@@ -71,9 +80,18 @@ public static function exact(string $normalized, string $pepper): string
      *
      * @return string[]
      *     An array of hex-encoded SHA-256 prefix tokens.
+     *
+     * @throws \RuntimeException if pepper is empty
      */
     public static function prefixes(string $normalized, int $maxDepth, string $pepper): array
     {
+        if (empty($pepper)) {
+            throw new \RuntimeException(
+                'SEARCH_PEPPER is not configured. Set it in your .env file for security. ' .
+                'Generate a random string: openssl rand -base64 32'
+            );
+        }
+
         $out = [];
         $len = mb_strlen($normalized, 'UTF-8');
         $depth = min($maxDepth, $len);