logins: don't return api_token field in API.

Remove the api_token field from the response to the login action (POST
/sessions). This doesn't make sense in the presence of multiple API
keys, and is also not generally useful; if you need an API key, create
one yourself and write it down.

app/controllers/sessions_controller.rb

@@ -15,7 +15,7 @@ class SessionsController < ApplicationController
 
     if user
       url = posts_path unless url&.start_with?("/")
-      respond_with(user, location: url, methods: [:api_token])
+      respond_with(user, location: url)
     else
       flash.now[:notice] = "Password was incorrect"
       raise SessionLoader::AuthenticationFailure