RE: Limit user search fields

@dan Gotcha! Thanks for pointing that out in the docs. I think for now I will handle limiting the search in my app's business logic because I can't justify the Elasticsearch overhead just yet - but I'll keep the option in mind. Thank you!

Oh my gosh I figured it out... For the /api/login endpoint to generate refresh tokens, you need to enable Application > My application > Security tab > Generate refresh tokens under the Login API settings. D'oh!

The previous Generate refresh tokens setting I had enabled was under the OAuth tab. Oops!

Thanks for taking a look Dan!

Follow-up: I think it would be helpful to update the docs for /api/login to indicate this