Prevent access to confirmation_token and reset_password_token via GraphQL API

Those tokens do not need to be exposed to authenticated users, not even admin users.

Fixes #1761

lib/graphql/schema/user.ex

@@ -40,16 +40,10 @@ defmodule Mobilizon.GraphQL.Schema.UserType do
       description: "The datetime the last activation/confirmation token was sent"
     )
 
-    field(:confirmation_token, :string, description: "The account activation/confirmation token")
-
     field(:reset_password_sent_at, :datetime,
       description: "The datetime last reset password email was sent"
     )
 
-    field(:reset_password_token, :string,
-      description: "The token sent when requesting password token"
-    )
-
     field(:feed_tokens, list_of(:feed_token),
       resolve:
         dataloader(