application-research / estuary-www

https://estuary.tech

Treat browser tokens and service tokens separately #99

Closed neelvirdy closed 1 year ago

neelvirdy commented 1 year ago
  1. Browser tokens obtained via login should not appear on the API keys page. They should not be revokable through that UI - and should instead be revoked only via sign out.
  2. You should not be able to authenticate with an API key. Instead you must log in with username/password to get a browser token, which will be revoked on sign out. Browser tokens should not be treated like service tokens, which are created via the API keys page, and vice versa.

cc @jimmylee

jimmylee commented 1 year ago

Let me process what you're saying and get back to you. FYI: When we lift the invite code requirement we'll be doing Rainbow/Metamask auth anyway, so we may achieve this without having to focus on it now. API keys will be their own thing and associated with the ETH/FIL address the user authenticates with.

en0ma commented 1 year ago

@neelvirdy @jimmylee now that I better understand @neelvirdy's proposal, it makes sense. I agree about this separation; it's the ideal approach. Thanks for working on this, @neelvirdy.
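
One way to model the separation proposed in this issue, as an added example that is not part of the thread and not Estuary's code. `TokenStore`, its method names and the in-memory map are hypothetical, password verification is assumed to happen before `login()` is called, and reading point 2 as "each endpoint accepts only its own token kind" is an assumption.

```javascript
const { randomBytes, createHash } = require('node:crypto');

// Hypothetical token kinds: browser tokens come from login, service tokens from the API keys page.
const KIND = Object.freeze({ BROWSER: 'browser', SERVICE: 'service' });
const sha256 = (s) => createHash('sha256').update(s).digest('hex');

class TokenStore {
  constructor() { this.byHash = new Map(); } // token hash -> { id, user, kind }

  #issue(user, kind) {
    const token = randomBytes(32).toString('hex'); // secret, shown to the client once
    const id = randomBytes(8).toString('hex');     // public handle used by the UI
    this.byHash.set(sha256(token), { id, user, kind }); // only the hash is stored
    return { id, token };
  }
  // Assumption: the caller has already verified username/password.
  login(user) { return this.#issue(user, KIND.BROWSER); }
  createApiKey(user) { return this.#issue(user, KIND.SERVICE); }

  // Each endpoint states which kind it accepts; a token of the other kind is rejected.
  authenticate(token, expectedKind) {
    const rec = this.byHash.get(sha256(token));
    return rec && rec.kind === expectedKind ? rec : null;
  }
  // API keys page: browser tokens never appear in the listing.
  listApiKeys(user) {
    return [...this.byHash.values()]
      .filter((r) => r.user === user && r.kind === KIND.SERVICE)
      .map((r) => r.id);
  }
  // API keys page revocation: refuses anything that is not a service token.
  revokeApiKey(user, id) {
    for (const [hash, r] of this.byHash) {
      if (r.id === id && r.user === user && r.kind === KIND.SERVICE) {
        return this.byHash.delete(hash);
      }
    }
    return false;
  }
  // Sign out is the only path that revokes a browser token.
  signOut(token) {
    const hash = sha256(token);
    const rec = this.byHash.get(hash);
    return rec && rec.kind === KIND.BROWSER ? this.byHash.delete(hash) : false;
  }
}
```
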