only send refresh token if it is not a user auth token

Author: mdtro

src/sentry/api/serializers/models/apitoken.py

@@ -1,5 +1,6 @@
 from sentry.api.serializers import Serializer, register, serialize
 from sentry.models.apitoken import ApiToken
+from sentry.types.token import AuthTokenType
 
 
 @register(ApiToken)
@@ -31,7 +32,9 @@ def serialize(self, obj, attrs, user, **kwargs):
             include_token = kwargs.get("include_token", True)
             if include_token:
                 data["token"] = obj._plaintext_token
-                data["refreshToken"] = obj._plaintext_refresh_token
+
+                if not obj.token_type == AuthTokenType.USER:
+                    data["refreshToken"] = obj._plaintext_refresh_token
 
         """
         While this is a nullable column at the db level, this should never be empty. If it is, it's a sign that the