update login flow to use CKAN passwordless_api plugin

• Using httpOnly cookie with API token.
• No references to cookie in frontend JS code.
• API token extracted from cookie by proxy middleware and placed in Authorization headers.