logins: don't return api_token field in API.

Remove the api_token field from the response to the login action (POST
/sessions). This doesn't make sense in the presence of multiple API
keys, and is also not generally useful; if you need an API key, create
one yourself and write it down.

CHANGELOG.md

@@ -14,6 +14,8 @@
   you're highly encouraged to restrict your API keys to limit damage in case
   they get leaked or stolen.
 
+* The login action (POST /sessions) no longer returns the api_token field.
+
 ## 2021-02-05
 
 ### Changes

app/controllers/sessions_controller.rb

@@ -15,7 +15,7 @@ class SessionsController < ApplicationController
 
     if user
       url = posts_path unless url&.start_with?("/")
-      respond_with(user, location: url, methods: [:api_token])
+      respond_with(user, location: url)
     else
       flash.now[:notice] = "Password was incorrect"
       raise SessionLoader::AuthenticationFailure

app/models/user.rb

@@ -559,11 +559,6 @@ class User < ApplicationRecord
         neutral_feedback_count negative_feedback_count
       ]
     end
-
-    # XXX
-    def api_token
-      api_keys.first.try(:key)
-    end
   end
 
   module CountMethods