Hide verificationToken

We should never be showing this publically.

Adds unit test for hiding verification token.

This is a back-port of pull request #1851 from gausie/patch-4

common/models/user.json

@@ -32,7 +32,7 @@
   "options": {
     "caseSensitiveEmail": true
   },
-  "hidden": ["password"],
+  "hidden": ["password", "verificationToken"],
   "acls": [
     {
       "principalType": "ROLE",

test/user.test.js

@@ -1320,6 +1320,12 @@ describe('User', function() {
         });
       });
 
+      it('should hide verification tokens from user JSON', function(done) {
+        var user = new User({email: 'bar@bat.com', password: 'bar', verificationToken: 'a-token' });
+        var data = user.toJSON();
+        assert(!('verificationToken' in data));
+        done();
+      });
     });
 
     describe('User.confirm(options, fn)', function() {