hub stores an oauth token in $HOME/.config/hub/. This behavior is a deviation from the XDG directory standard with serious security implications. XDG_CONFIG_HOME is intended to store configuration files only, which means many users may accidentally back up this sensitive data via insecure means to insecure locations.
A much better place to put passwords and cryptographic keys would be in $XDG_DATA_HOME (on my system this is /home/ryan/.local/share).
If there's a security label in this repo, that should be applied to this issue rather than feature. As a user, I sync almost all of my XDG_CONFIG_HOME files between devices. ~/.config/hub is one of the few I need to exclude, because it embeds secrets in that file.
Further reading: https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
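An added example, not part of this issue or of hub's code: a shell check that resolves the XDG base directories with the spec's defaults and lists files under the config directory that appear to hold credentials, so they can be excluded before that directory is synced or backed up. The function names and the list of key names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not hub's code): find files under the XDG config directory
# that appear to contain credentials, so they can be kept out of syncs.

# Resolve an XDG base directory. Per the basedir spec, an unset, empty or
# relative value is ignored and the default is used instead.
xdg_dir() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s\n' "$2" ;;
    esac
}

xdg_config_home() { xdg_dir "${XDG_CONFIG_HOME:-}" "$HOME/.config"; }
xdg_data_home()   { xdg_dir "${XDG_DATA_HOME:-}" "$HOME/.local/share"; }

# Key names that suggest a stored secret. This list is an assumption of the
# example; extend it for the tools you use.
SECRET_KEYS='oauth_token|access_token|api_key|password|client_secret'

# Print paths, relative to the config directory, of text files that assign
# one of those keys (YAML "key: value" or INI "key = value" style).
secret_bearing_configs() {
    dir=$(xdg_config_home)
    [ -d "$dir" ] || return 0
    ( cd "$dir" && grep -rIlE \
        "^[[:space:]-]*(${SECRET_KEYS})[[:space:]]*[:=]" . 2>/dev/null \
        | sed 's|^\./||' | sort )
}

# Run as "script --list" to print the findings for the current user.
if [ "${1:-}" = "--list" ]; then
    secret_bearing_configs
fi
```

The output is relative to the config directory and can be turned into the exclude list of whatever sync or backup tool is in use.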