Per this api announcement tokens should be fetched through action=query&meta=tokens&type=login rather than hitting action=login and checking for a NeedToken response.
This is handled by LoginManager in data/api.py
The current method still works but triggers an API warning.