logins: don't return api_token field in API.

Remove the api_token field from the response to the login action (POST
/sessions). This doesn't make sense in the presence of multiple API
keys, and is also not generally useful; if you need an API key, create
one yourself and write it down.

app/models/user.rb

@@ -559,11 +559,6 @@ class User < ApplicationRecord
         neutral_feedback_count negative_feedback_count
       ]
     end
-
-    # XXX
-    def api_token
-      api_keys.first.try(:key)
-    end
   end
 
   module CountMethods