Allow Feed token to be empty (and default to empty)

Proposal

Currently feed tokens are generated when a new account is created. If a user never uses the feed, this token exists without any need for it and without the user's knowledge. If that user is a member of a sensitive group/project and accidentally exposes the token, say via a live-streamed YouTube video, the token can then be used to read the project's activity feed as that user.

There is an opportunity to improve security here by defaulting these tokens to an empty value and disabling the feed URLs whenever no token has been set. Users who want to make use of the feeds could then create a token themselves.

A further possible enhancement could be to move, or add, feed token scopes to the existing Personal Access Tokens, so that they also include future improvements to that feature, such as expiration dates.

(rough) Implementation plan

  • If the feed token is empty, don't include the RSS feed URL in the HAML
  • Default the feed token to '' when creating a new user
  • Add a message to the Access Tokens page when the feed token is empty, and include a link to the existing "reset feed token" route
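The following is an added example, not GitLab's code, sketching the proposal above and its implementation plan in plain Ruby: the user record defaults to an empty feed token, the view helper omits the RSS URL when no token is set, the Access Tokens page shows a notice, and (the part the plan does not spell out) the feed authentication path rejects blank tokens. The `User` struct, the `USERS` store, the host name and the helper names are all assumptions for illustration. That last check matters: once `''` becomes the default, a lookup keyed on the token alone would match every user who never opted in, so the empty case has to be refused before any lookup happens.

```ruby
require 'securerandom'

# Assumed, simplified stand-in for the User model (not the project's own code).
User = Struct.new(:id, :username, :feed_token)

# In-memory user store keyed by id; constructed sample data for the example.
USERS = {}

# Step 2 of the plan: a new user starts with an empty feed token.
def create_user(id, username)
  USERS[id] = User.new(id, username, '')
end

# The user opts in by generating a token (the existing "reset feed token" route).
def reset_feed_token!(user)
  user.feed_token = SecureRandom.hex(20)
  user
end

def feed_enabled?(user)
  !user.feed_token.nil? && !user.feed_token.empty?
end

# Step 1 of the plan: what the HAML would render. nil means "render no RSS link".
def feed_url_for(user, project_path)
  return nil unless feed_enabled?(user)
  "https://gitlab.example/#{project_path}.atom?feed_token=#{user.feed_token}"
end

# Step 3 of the plan: notice shown on the Access Tokens page when no token exists.
def access_tokens_page_notice(user)
  feed_enabled?(user) ? nil : 'No feed token set. Generate one to enable RSS/Atom feeds.'
end

# Constant-time comparison; Rails provides ActiveSupport::SecurityUtils.secure_compare.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Authenticating a feed request. The blank check comes first: with '' as the default,
# a lookup by token alone would otherwise match every user who never enabled the feed.
def authenticate_feed(token)
  return nil if token.nil? || token.empty?
  USERS.values.find { |u| feed_enabled?(u) && secure_compare(u.feed_token, token) }
end
```

The blank-token refusal belongs on the authentication side, not only in the view: hiding the URL from the HAML does nothing if the feed controller still accepts `?feed_token=` and compares it against the empty default.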
Edited by Andrew Smith