Password should not be assigned to token

In auth controller, payload has password as well, which is not required as it can compromise the security of the server. It is hashed but still it is a good practice to not assign password in the payload.