
Empty secret is accepted by encode #1009

Open

lacop11 opened this issue Oct 24, 2024 · 0 comments

Comments

lacop11 commented Oct 24, 2024

I think it would be a good idea for jwt.encode to raise an exception if the secret argument is an empty string.

https://vulnapi.cerberauth.com/docs/vulnerabilities/broken-authentication/jwt-blank-secret

Right now it works but produces a JWT that is trivially spoofed:

>>> e = jwt.encode({"foo":"bar"}, '', algorithm='HS256')
>>> print(e)
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIifQ._NaFhGu8tCCgBKksGBA6ADwRdKx3e9GES_KyF4A5phE
>>> jwt.decode(e, '', algorithms=['HS256'])
{'foo': 'bar'}

Of course users should not call it with an empty secret, but that value will usually come from some configuration file, environment variable or secret store, and it is possible to have a bug somewhere along that chain and accidentally initialize it to an empty value. Having the encode call fail would be safer.

This would technically be a breaking API change and there might be intentional calls with empty secret such as in tests, but I think those would be easy to swap to another non-empty test string.
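A guard of the kind the issue asks for, as an added example that is not part of the issue or of PyJWT's own code: it validates the secret before any signing happens and fails closed when the value loaded from the environment is missing, empty or shorter than the RFC 7518 minimum for HS256. The function and constant names are assumptions, and the encoder is a minimal standard-library HS256 implementation used only so the example runs without PyJWT.

```python
import base64
import hashlib
import hmac
import json
import os

# RFC 7518 section 3.2: an HS256 key must be at least as long as the hash
# output, i.e. 256 bits = 32 bytes. The constant name is ours, not PyJWT's.
MIN_HS256_KEY_BYTES = 32


def check_hmac_secret(secret, min_bytes=MIN_HS256_KEY_BYTES):
    """Return the secret as bytes, or raise ValueError if it is unusable.

    Rejects None, empty and whitespace-only values (the case in the issue)
    as well as keys shorter than the RFC 7518 minimum for HS256.
    """
    if secret is None:
        raise ValueError("JWT secret is not set")
    raw = secret.encode("utf-8") if isinstance(secret, str) else bytes(secret)
    if not raw.strip():
        raise ValueError("JWT secret is empty")
    if len(raw) < min_bytes:
        raise ValueError(f"JWT secret is {len(raw)} bytes, need >= {min_bytes}")
    return raw


def is_acceptable_secret(secret):
    """True if check_hmac_secret() accepts the value, False otherwise."""
    try:
        check_hmac_secret(secret)
    except ValueError:
        return False
    return True


def secret_from_env(var="JWT_SECRET"):
    """Load the secret the way the issue describes (env var) and fail closed."""
    return check_hmac_secret(os.environ.get(var))


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def encode_hs256(payload, secret):
    """Minimal stdlib HS256 encoder (not PyJWT) that refuses weak secrets."""
    key = check_hmac_secret(secret)  # raises before anything is signed
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    body = _b64url(json.dumps(payload, **compact).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"
```

The same check can wrap jwt.decode as well, since an empty secret on the verifying side accepts the spoofed tokens the issue describes.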
