From 3798a2d29edd228f2eed6642fbf5e18c65c84b9b Mon Sep 17 00:00:00 2001
From: evazion
Date: Mon, 15 Feb 2021 14:22:59 -0600
Subject: [PATCH] logins: don't return api_token field in API.
Remove the api_token field from the response to the login action (POST /sessions). This doesn't make sense in the presence of multiple API keys, and is also not generally useful; if you need an API key, create one yourself and write it down.
---
 CHANGELOG.md | 2 ++
 app/controllers/sessions_controller.rb | 2 +-
 app/models/user.rb | 5 -----
 3 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 65af90f62..3b17509c0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,8 @@ you're highly encouraged to restrict your API keys to limit damage in case they get leaked or stolen.
+* The login action (POST /sessions) no longer returns the api_token field.
+
 ## 2021-02-05
 ### Changes
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 56d17a4e1..09b008457 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -15,7 +15,7 @@ class SessionsController < ApplicationController
 if user
 url = posts_path unless url&.start_with?("/")
- respond_with(user, location: url, methods: [:api_token])
+ respond_with(user, location: url)
 else
 flash.now[:notice] = "Password was incorrect"
 raise SessionLoader::AuthenticationFailure
diff --git a/app/models/user.rb b/app/models/user.rb
index 6a50b10ba..2c22b0557 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -559,11 +559,6 @@ class User < ApplicationRecord
 neutral_feedback_count negative_feedback_count ]
 end
-
- # XXX
- def api_token
- api_keys.first.try(:key)
- end
 end
 module CountMethods
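Review bot: The new `respond_with(user, location: url)` drops the explicit api_token method, but the hunk does not show which attributes the default serialization of `user` emits, and the diffstat (CHANGELOG, controller, model only) contains no test pinning the new response shape; a controller test asserting the field is absent from the JSON body, e.g. `assert_nil response.parsed_body["api_token"]`, would keep the key from being reintroduced through the model's default attribute list. Whether that default list already excludes other sensitive columns is outside this hunk and can only be inferred, so it is worth confirming on the serializer rather than assumed. On the context line above, `url&.start_with?("/")` also accepts protocol-relative values beginning with `//`, which browsers resolve to another host; if that is not intended, `url.start_with?("/") && !url.start_with?("//")` is the tighter check, though that behaviour predates this commit. The enclosing action starts and ends outside the hunk.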