Fix special characters in admin-generated secret keys

Fixes #7990

The issue was that the Charset constant used for generating secret keys
included the '/' character, which is URL-unsafe. When secret keys
containing '/' were used in HTTP requests, they would be URL-encoded,
causing a mismatch during signature verification.

Changes:
- Removed '/' from the Charset constant in weed/iam/constants.go
- Added TestGenerateSecretAccessKey_URLSafe to verify generated keys
  don't contain URL-unsafe characters like '/' or '+'

This ensures all newly generated secret keys are URL-safe and will
work correctly with S3 authentication. Existing keys continue to work.

weed/iam/constants.go

@@ -3,7 +3,7 @@ package iam
 // Character sets for credential generation
 const (
 	CharsetUpper = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
-	Charset      = CharsetUpper + "abcdefghijklmnopqrstuvwxyz/"
+	Charset      = CharsetUpper + "abcdefghijklmnopqrstuvwxyz"
 )
 
 // Policy document version

weed/iam/helpers_test.go

@@ -58,6 +58,23 @@ func TestGenerateSecretAccessKey(t *testing.T) {
 	assert.Len(t, secretKey, SecretAccessKeyLength)
 }
 
+func TestGenerateSecretAccessKey_URLSafe(t *testing.T) {
+	// Generate multiple keys to increase probability of catching unsafe chars
+	for i := 0; i < 100; i++ {
+		secretKey, err := GenerateSecretAccessKey()
+		assert.NoError(t, err)
+
+		// Verify no URL-unsafe characters that would cause authentication issues
+		assert.NotContains(t, secretKey, "/", "Secret key should not contain /")
+		assert.NotContains(t, secretKey, "+", "Secret key should not contain +")
+
+		// Verify only expected characters are present
+		for _, char := range secretKey {
+			assert.Contains(t, Charset, string(char), "Secret key contains unexpected character: %c", char)
+		}
+	}
+}
+
 func TestStringSlicesEqual(t *testing.T) {
 	tests := []struct {
 		a        []string