Default the "watchlisttoken" value to a derived HMAC value
* This got created if unset on API or GUI preferences access,
which leads to writes on GET requests. Try to avoid that by
deriving it from user_token, unless overridden. This also
means that changing the password always resets the key,
which is how these things work on most sites anyway.
* The whole getTokenFromOption() method is deprecated, and
this functionality is already in OAuth.
Bug: T92357
Change-Id: I96c0d6f6e535e67545049f01205430249eea8da0
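
The derivation described in this commit message, as an added PHP example (not the MediaWiki code from this change): the token is an HMAC keyed with user_token unless an explicit override is stored, so reading it never writes. TokenStore, watchlistToken(), the 'watchlisttoken' HMAC label and the choice of SHA-256 are assumptions made for illustration.

```php
<?php
// Hypothetical in-memory preference store that counts writes.
final class TokenStore {
    public $writes = 0;
    private $rows = [];

    public function get(string $user, string $key): ?string {
        return $this->rows[$user][$key] ?? null;
    }
    public function set(string $user, string $key, string $value): void {
        $this->rows[$user][$key] = $value;
        $this->writes++;
    }
}

// Read path: a stored override wins, otherwise derive from user_token.
// Nothing is persisted, so a GET request stays read-only.
function watchlistToken(TokenStore $store, string $user): string {
    $override = $store->get($user, 'watchlisttoken');
    if ($override !== null && $override !== '') {
        return $override;
    }
    $secret = $store->get($user, 'user_token');
    if ($secret === null) {
        throw new RuntimeException("no user_token for $user");
    }
    // The fixed label separates this token from any other value
    // derived from the same secret (label is an assumption).
    return hash_hmac('sha256', 'watchlisttoken', $secret);
}

// Constant-time comparison when a client presents the token.
function checkWatchlistToken(TokenStore $store, string $user, string $presented): bool {
    return hash_equals(watchlistToken($store, $user), $presented);
}

// Constructed sample data.
$store = new TokenStore();
$store->set('alice', 'user_token', bin2hex(random_bytes(16)));
$writesBefore = $store->writes;

$first = watchlistToken($store, 'alice');
echo 'stable across reads: ', var_export($first === watchlistToken($store, 'alice'), true), "\n";
echo 'writes caused by reads: ', $store->writes - $writesBefore, "\n";

// A password change regenerates user_token, which invalidates the old derived token.
$store->set('alice', 'user_token', bin2hex(random_bytes(16)));
echo 'old token still valid: ', var_export(checkWatchlistToken($store, 'alice', $first), true), "\n";

// An explicit override takes precedence over the derived value.
$store->set('alice', 'watchlisttoken', 'user-chosen-token');
echo 'override accepted: ', var_export(checkWatchlistToken($store, 'alice', 'user-chosen-token'), true), "\n";
```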