[basic-auth] Handle password field in Admin API responses

[thibaultcha]

The password field in a credential should be better handled in the Admin API responses:

• since it is hashed, it does not really make sense to include it in a response to any request. What would be best? Simply hide it?

{
    "consumer_id": "cafba26f-11a5-4030-c0ab-1bf5c7e0a8f6",
    "created_at": 1449177586000,
    "id": "42a8f2b0-aaf2-49da-c9df-3108fc824447",
    "username": "[email protected]"
}

This could be confusing to users. Another solution would be to include it with a value like *****?

• when creating a credential without a password, the password is auto-generated. But the answer to that request should include the password, otherwise the Consumer never knows the password that was chosen. 2 solutions: disable password auto-generation, or show the plain password ONLY on a result from POST/PUT.

[subnetmarco]

Simply hide it

Some properties of SSL should also not be displayed in the API response. Maybe introducing private = true in the schema?

[thibaultcha]

I think it makes sense to allow hiding some properties for some plugins. I am not entirely sure about this one tho, as users could think a Consumer does no have a password set when they see such a response.

[Tieske]

See #800 . I left the password field as is, does no harm and doesn't change the response for backward compatibility. The plain text password is only added upon inserting a random generated password in the db. Both fields should be updated in the docs imo.