As yet I don't understand the login process using the users plugin :
With this plugin you can pass a username and key (without the user's password) and it returns a new token.
How do you include the user's password as a param?
On this topic I think there is a least one bug in login.php on line 73
'userid' => $user->id,
should be ?
'userid' => $id,
Otherwise it create a new key for the original key owner not the user associated with the username you have passed?