/login endpoint should return the token in the body of the response

[dseevr]

Rather than in a response header