Auth token keys should not be the primary key #6537

Closed
1 task
benwilber opened this issue Mar 26, 2019 · 2 comments
Comments

@benwilber

Auth tokens should not be the primary key because they are visible in the URL when you visit them in the Django admin. This means that auth tokens are being leaked in the access logs of any web server/proxy between the user and the application server.

Checklist

  • [x] I have verified that the issue exists against the master branch of Django REST framework.
  • [x] I have searched for similar issues in both open and closed tickets and cannot find a duplicate.
  • [x] This is not a usage question. (Those should be directed to the discussion group instead.)
  • [x] This cannot be dealt with as a third party library. (We prefer new functionality to be in the form of third party libraries where possible.)
  • [x] I have reduced the issue to the simplest possible case.
  • [ ] I have included a failing test as a pull request. (If you are unable to do so we can still accept the issue.)

Steps to reproduce

Go to the auth token admin and observe that the key is leaked in the URL

Expected behavior

Key is not leaked in the URL

Actual behavior

Key is leaked in the URL
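The report above points at two consequences of using the token key as the primary key: the admin change URL carries the secret, and every proxy and web server in front of the app writes that URL to its access log. The lasting fix is the one the issue asks for (a surrogate primary key, so the admin URL carries a meaningless id), but a defender also needs to know which keys have already been written to logs so they can be revoked and the log lines scrubbed. The following script is an added example, not code from this issue or from Django REST framework; it assumes the default admin change-view layout `/admin/authtoken/token/<key>/change/` and the DRF token format of 40 lowercase hex characters (20 random bytes, hex-encoded). The log lines and token values are constructed for the example.

```python
import re

# Assumed admin change-view path for a DRF token (default ModelAdmin URL layout),
# followed by a 40-char lowercase hex key; the lookahead stops partial matches
# against longer hex strings.
TOKEN_IN_ADMIN_PATH = re.compile(
    r"(/admin/authtoken/token/)([0-9a-f]{40})(?![0-9a-f])"
)

# Shape of a DRF token key: 20 random bytes, hex-encoded -> 40 lowercase hex chars.
DRF_KEY_SHAPE = re.compile(r"^[0-9a-f]{40}$")

# Constructed access-log lines in nginx "combined" format. The token values are
# made up for this example and are not real keys.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Mar/2019:10:01:12 +0000] "GET /admin/authtoken/token/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [26/Mar/2019:10:01:20 +0000] "GET /admin/authtoken/token/0123456789abcdef0123456789abcdef01234567/change/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.7 - - [26/Mar/2019:10:02:03 +0000] "GET /api/items/ HTTP/1.1" 200 812 "-" "curl/7.64.0"
10.0.0.5 - - [26/Mar/2019:10:02:41 +0000] "POST /admin/authtoken/token/fedcba9876543210fedcba9876543210fedcba98/change/ HTTP/1.1" 302 0 "http://app.example/admin/" "Mozilla/5.0"
"""


def is_drf_token_key(value):
    """True if the string has the shape of a DRF token key (40 lowercase hex chars)."""
    return DRF_KEY_SHAPE.match(value) is not None


def find_leaked_tokens(log_text):
    """Return the distinct token keys that appear in admin URLs, in order of first sighting.

    Each key returned here has been written to a log and should be treated as
    compromised: revoke it and issue a fresh one to the user.
    """
    seen = []
    for line in log_text.splitlines():
        for match in TOKEN_IN_ADMIN_PATH.finditer(line):
            key = match.group(2)
            if key not in seen:
                seen.append(key)
    return seen


def redact_line(line):
    """Replace a token key in the admin path with a fixed marker, keeping the rest of the line."""
    return TOKEN_IN_ADMIN_PATH.sub(r"\1[REDACTED-TOKEN]", line)


def redact_log(log_text):
    """Scrub every leaked key from a block of log text, line by line."""
    return "\n".join(redact_line(line) for line in log_text.splitlines())


if __name__ == "__main__":
    for key in find_leaked_tokens(SAMPLE_LOG):
        print("leaked token key (revoke):", key)
    print(redact_log(SAMPLE_LOG))
```

Run the scanner over the real access logs of every hop in front of the application (load balancer, reverse proxy, the app server itself), not just one of them, since each hop keeps its own copy of the request line. Once the model uses a surrogate primary key, the admin URL no longer carries the secret and the scanner should stop finding matches; that makes it a useful regression check as well.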

@tomchristie
Member

Yup, agreed. Main consideration would be how best to migrate to something new.

@carltongibson
Collaborator

Duplicate of #6131. (PRs still welcome: shouldn't be too hard...)
