security: Hide token by default, add show link/button to expose

[ElijahLynn]

Was just on a screenshare showing my team my settings and it exposed most of my token.

I propose that we hide the token by default, and add a show link or button to expose when needed.

[notlmn]

I can't find the issue where this was originally discussed but the idea was for this to not give a false sense of security where we store the token in a secure way (hash and salted or something similar for storing secrets).

Anyone that has access to the machine can retrieve the token from browsers storage easily. The input type used here reflects that behavior and instead makes the token input wide enough to not display the entire token in a single go.

[notlmn]

Found that the discussion was in a different (but related) repo - refined-github/refined-github#1374 (comment)

[ElijahLynn]

Okay, but exposing it accidentally, even partially, on a screenshare is not good. The availability of a "show" button would accomplish that goal. I see that was discussed and I think this should be revisited, and reopened.