
Wrap console session tokens and access tokens in secrecy::SecretString or similar #8018

@inickles

Description


What

The console session token should be in a type that will zeroize the memory when it is dropped, so that it isn't at risk of accidental exposure due to something like Heartbleed, and that will obscure derived Debug impls, so it isn't accidentally logged. The secrecy crate provides a type to make handling a little easier, which is already a dependency in omicron, though it's not a hard requirement in case something else is desired.

```rust
fn generate_session_token() -> String {

fn generate_token() -> String {
```

Notes

A couple things I noticed:

  1. the public ConsoleSession type can't exactly just swap token: String for token: SecretString, because the latter can't be used for deriving diesel::Insertable.
  2. ConsoleSession is used for other things than the database insert, such as session update. I presume that only the update operation would need a type that has the actual session token secret, while other operations such as update would only need to reference a session via a non-secret identifier, which was brought up in Include tracking metadata with internal storage of user credentials #7818.

```rust
#[derive(Queryable, Insertable, Clone, Debug, Selectable)]
#[diesel(table_name = console_session)]
pub struct ConsoleSession {
    pub token: String,
    pub time_created: DateTime<Utc>,
    pub time_last_used: DateTime<Utc>,
    pub silo_user_id: Uuid,
}
```

I imagine the above is true for the access tokens as well.
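As an added illustration (not code from omicron or from the secrecy crate), the following minimal stand-in for `SecretString` shows the two properties the issue asks for: a redacted `Debug` impl, so a derived `Debug` on `ConsoleSession` cannot leak the token into logs, and zeroization of the backing bytes on drop. The `SessionToken` wrapper, its `zeroize` method, and `silo_user_id` as a plain integer are assumptions made for the example.

```rust
use std::{fmt, ptr};

/// Stand-in for `secrecy::SecretString` (assumed for this example): redacted in
/// `Debug` output and overwritten in place before the allocation is freed.
pub struct SessionToken(String);

impl SessionToken {
    pub fn new(token: String) -> Self {
        SessionToken(token)
    }

    /// The only way to read the raw token; every call site is visible in review.
    pub fn expose_secret(&self) -> &str {
        &self.0
    }

    /// Overwrite the token bytes; volatile writes are not elided as dead stores.
    pub fn zeroize(&mut self) {
        // SAFETY: writing 0x00 bytes keeps the String valid UTF-8.
        for b in unsafe { self.0.as_bytes_mut() } {
            unsafe { ptr::write_volatile(b as *mut u8, 0) };
        }
    }
}

impl fmt::Debug for SessionToken {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("SessionToken([REDACTED])")
    }
}

impl Drop for SessionToken {
    fn drop(&mut self) {
        self.zeroize();
    }
}

/// Session model with a derived `Debug`, as in the issue: the token field
/// prints through the wrapper's impl, so `{:?}` on a session never shows it.
#[derive(Debug)]
pub struct ConsoleSession {
    pub token: SessionToken,
    pub silo_user_id: u64, // constructed stand-in for the real Uuid field
}

/// Returns true when formatting the session with `{:?}` does not leak `token`.
pub fn debug_hides_token(token: &str) -> bool {
    let s = ConsoleSession { token: SessionToken::new(token.to_owned()), silo_user_id: 7 };
    !format!("{s:?}").contains(token)
}
```

Wiring such a wrapper into diesel still needs a separate insertable row type, or a `ToSql`/`FromSql` impl, since `Insertable` cannot be derived through it directly.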

Labels: authn (Authentication), customer (For any bug reports or feature requests tied to customer requests), enhancement (New feature or request), good first issue (Issues that are good for learning the codebase), security (Related to security).
