Description
The Doorkeeper docs outline that, similar to access grants and access tokens, you can choose to encrypt application secrets, and if you do this with existing applications, it will "upgrade" your secrets to be encrypted when they are accessed.
To enable plain values to be found and upgraded (to your active strategy, SHA256 by default) when it is accessed, you may use the following statement:
hash_application_secrets fallback: :plain
I implemented this in my service and realized it does not use the upgrade path like access tokens and grants do. The method find_by_plaintext_token that eventually calls upgrade_fallback_value in SecretsStorable is only called in the AccessGrantMixin and AccessTokenMixin, not the ApplicationMixin. This difference in upgrading is also shown in tests between the types.
It's possible this could be checked in secret_matches? for an application in ApplicationMixin here.
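
The upgrade-on-access behaviour the issue asks for, sketched as an added example that is not Doorkeeper's code and not from the issue author: a secret check that accepts a legacy plain value once and replaces it with its SHA256 hash. `DemoApplication`, `secure_compare` and the in-memory storage are hypothetical; only the method name `secret_matches?` is taken from the issue.

```ruby
require "digest"

# Constant-time comparison so a mismatch position is not leaked via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical stand-in for an OAuth application record (not Doorkeeper's class).
class DemoApplication
  SHA256_HEX = /\A\h{64}\z/
  attr_reader :secret, :upgraded

  def initialize(stored_secret)
    @secret = stored_secret # as stored: legacy plain text or SHA256 hex
    @upgraded = false
  end

  # True if `input` is the client secret. A matching legacy plain value is
  # replaced by its hash, so the plain copy disappears on first use.
  def secret_matches?(input)
    return false if input.to_s.empty? || secret.to_s.empty?
    hashed = Digest::SHA256.hexdigest(input)
    return true if secure_compare(hashed, secret)
    # Assumption of this example: plain secrets are never 64 hex characters,
    # so a stored digest is never compared as if it were a plain secret.
    return false if secret.match?(SHA256_HEX)
    return false unless secure_compare(input, secret)

    @secret = hashed # a real model would persist this change
    @upgraded = true
    true
  end
end

# Constructed sample value, not a real credential.
legacy = DemoApplication.new("legacy-plain-secret")
puts legacy.secret_matches?("legacy-plain-secret") # first use triggers upgrade
puts legacy.secret
```

Without the digest-shape guard, a plain fallback would accept the stored hash itself as a valid secret, which is why the example skips the fallback once a record has been upgraded.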