[security] api: don't show mail password and sensible login data

We don't need to access the mail password via javascript,
same applies for login username and hashed password.
More restriction should be considered.

Change-Id: Iceaa00f6c26987a4aedd65621d2199e9146b62d1

Author: andi34

api/config.php

@@ -2,5 +2,12 @@
 header('Content-Type: application/javascript');
 
 require '../lib/config.php';
+
+// Override secret configuration we don't need acces from javascript for
+$config['mail']['password'] = 'secret';
+$config['login']['username'] = 'secret';
+$config['login']['password'] = 'secret';
+
 ?>
-const config = <?= json_encode($config) ?>;
+const config = <?= json_encode($config) ?>;
+