fix(GraphQL): Remove "password" output field from _User class (#5889)

Author: douglasmuraoka

spec/ParseGraphQLServer.spec.js

@@ -765,6 +765,21 @@ describe('ParseGraphQLServer', () => {
           })).data['__type'].fields.map(field => field.name);
           expect(userFields.indexOf('foo') !== -1).toBeTruthy();
         });
+
+        it('should not contain password field from _User class', async () => {
+          const userFields = (await apolloClient.query({
+            query: gql`
+              query UserType {
+                __type(name: "_UserClass") {
+                  fields {
+                    name
+                  }
+                }
+              }
+            `,
+          })).data['__type'].fields.map(field => field.name);
+          expect(userFields.includes('password')).toBeFalsy();
+        });
       });
 
       describe('Configuration', function() {

src/GraphQL/loaders/parseClassTypes.js

@@ -213,6 +213,12 @@ const getInputFieldsAndConstraints = function(
   } else {
     classOutputFields = classCustomFields;
   }
+  // Filters the "password" field from class _User
+  if (parseClass.className === '_User') {
+    classOutputFields = classOutputFields.filter(
+      outputField => outputField !== 'password'
+    );
+  }
 
   if (allowedConstraintFields) {
     classConstraintFields = classCustomFields.filter(field => {