Fix: CVE-2026-39912 - Magic link token leak in loginWithMailLink (#873)

The loginWithMailLink endpoint returns the magic login link in the
HTTP response body, allowing unauthenticated account takeover.

The fix returns true instead of the link. The email delivery is
the authentication factor.

Bug inherited from V2Board commit bdb10bed (2022-06-27).
Valentin Lobstein
2026-04-09 20:44:20 +02:00
committed by GitHub
parent 1fe6531924
commit 121511523f


@@ -46,7 +46,7 @@ class MailLinkService
$this->sendMailLinkEmail($user, $link);
return [true, $link];
return [true, true];
}
/**
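Review bot: the replacement `return [true, true];` keeps the two-element tuple shape but now returns the same boolean twice, so the second element no longer carries any information; every caller that previously read the link from index 1 (which is where it was leaking into the HTTP response) needs to be audited so none of them still forward that slot into a response body or log. Consider collapsing the return to a single `true` or documenting what the second element now means. Also, the result of `$this->sendMailLinkEmail($user, $link);` is still discarded: since the commit message makes email delivery the sole authentication factor, a failed send will be reported as success; check or propagate that result.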