- Bug
- Resolution: Unresolved
- Undefined
- None
- 6.17.0
Description of problem:
When a user with the `create_flatpak_remotes` permission creates a remote with a username and an authentication token, the token can be retrieved by anyone with the `view_flatpak_remotes` permission.
How reproducible:
always
Is this issue a regression from an earlier version:
no
Steps to Reproduce:
1. Create a flatpak remote with a username and permission.
2. Read the remote via the API:
$ curl -sku lojza:changeme -H "Content-type: application/json" -X GET https://satellite.redhat.com/katello/api/flatpak_remotes/1 | jq
Actual behavior:
{
"name": "CUzimMsarr",
"url": "https://flatpaks.redhat.io/rhel/",
"description": null,
"username": "1234567|wonderful-tokenauth",
"token": "DyHkcJ5hKi....
Expected behavior:
The token should not be returned in the API response.
Business Impact / Additional info:
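The following is an added example of the fix the expected behaviour calls for; it is not Katello or Satellite code. It assumes the remote is serialized from a plain attribute hash (a constructed sample record is embedded): the presenter drops the `token` field and replaces it with a `token_set` boolean so the API stays write-only for the secret, and a small scanner walks a JSON body and reports any secret-looking key that still carries a value, which is the check a reviewer would run against the actual response before and after the fix.

```ruby
require 'json'

# Keys that must never appear with a value in a read response.
SECRET_KEYS = %w[token password secret].freeze

# Attributes of a flatpak remote as they might come out of the database.
# Constructed sample record, not real Satellite data.
SAMPLE_REMOTE = {
  'id' => 1,
  'name' => 'example-remote',
  'url' => 'https://flatpaks.example.invalid/rhel/',
  'description' => nil,
  'username' => 'example-user',
  'token' => 'constructed-secret-token-value'
}.freeze

# Build the read representation of a remote. The token is write-only:
# it is removed and replaced by a boolean that says whether one is set,
# which is all a viewer needs to know.
def present_flatpak_remote(remote)
  safe = remote.reject { |k, _| SECRET_KEYS.include?(k) }
  safe['token_set'] = !(remote['token'].nil? || remote['token'].empty?)
  safe
end

# Scan a JSON response body and return the dotted paths of secret-looking
# keys that carry a non-empty value. Walks nested objects and arrays so a
# token buried in a sub-object or list element is still reported.
def leaked_secret_fields(json_body)
  found = []
  walk = lambda do |node, path|
    case node
    when Hash
      node.each do |k, v|
        key_path = path.empty? ? k.to_s : "#{path}.#{k}"
        if SECRET_KEYS.include?(k.to_s.downcase) && !v.nil? && v.to_s != ''
          found << key_path
        end
        walk.call(v, key_path)
      end
    when Array
      node.each_with_index { |v, i| walk.call(v, "#{path}[#{i}]") }
    end
  end
  walk.call(JSON.parse(json_body), '')
  found
end

if $PROGRAM_NAME == __FILE__
  leaky = JSON.generate(SAMPLE_REMOTE)
  puts "unfixed response leaks: #{leaked_secret_fields(leaky).inspect}"
  fixed = JSON.generate(present_flatpak_remote(SAMPLE_REMOTE))
  puts "fixed response leaks:   #{leaked_secret_fields(fixed).inspect}"
  puts fixed
end
```

Run against the body returned by the `curl ... | jq` command from the reproduction steps, `leaked_secret_fields` returning a non-empty array is the failing condition; once the presenter is in place it returns an empty array while `token_set` still tells the caller the remote is configured for authenticated pulls.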