Tighten Up MongoDB Queries
When the Node w/ MongoDB variation shows a User, it also shows their salt and hash fields. This could be a security concern and I was looking for a way to exclude these fields. When writing a MongoDB query by hand, you can specify which fields you’re interested in. But I’m using Mongoose as a layer between the application and the database, and I wanted to find out what support it might have for these projections.
I can pass the raw projection in the calls to Mongoose:
User.find({}, { salt: 0, hash: 0 })
But Mongoose also supports a string version for it:
User.find({}, "-salt -hash")
The Mongoose documentation also describes Query.select(). I find this form a nice mix: it uses the simpler Mongoose string notation while not being as cryptic as an unnamed second parameter.
User.find({}).select("-salt -hash")
This works fine for queries, but what about mutations? When I create or update a User, I get the full object back. I looked for a simple way to filter out the salt and hash fields. In the end, I had to rely on a global Express setting named json replacer to redact these fields on all rendered JSON.
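The json replacer approach described above, written out as an added example (not code from the original post). Express passes the configured replacer straight to JSON.stringify, so the function below sees every key of every object in the response, including nested objects and arrays, and dropping a key is just a matter of returning undefined. The sample documents are constructed, and the `app` variable in the comment is assumed to be an Express application:

```javascript
// Added example: strip credential fields from every object that Express's
// res.json() renders. Field names match the post (salt, hash); the sample
// documents below are constructed, not real data.

const REDACTED_FIELDS = new Set(["salt", "hash"]);

// JSON.stringify replacer. It is called for every key/value pair at every
// nesting level; returning undefined removes that property from the output.
function redactSecrets(key, value) {
  return REDACTED_FIELDS.has(key) ? undefined : value;
}

// Mirrors what res.json() does internally (JSON.stringify with the configured
// replacer), so the behaviour can be checked without a running Express app.
function renderJson(value) {
  return JSON.stringify(value, redactSecrets);
}

// Wiring into Express (assumption: `app` is an Express application):
//   app.set("json replacer", redactSecrets);

// Constructed sample: the plain-object shape a Mongoose User document has
// after its toJSON() has run, which is what the replacer actually receives.
const sampleUser = {
  _id: "507f1f77bcf86cd799439011",
  username: "alice",
  salt: "constructed-salt",
  hash: "constructed-hash",
  profile: { displayName: "Alice" },
};

// Constructed sample: a list response, to show the replacer recurses into arrays.
const sampleList = {
  users: [sampleUser, { username: "bob", salt: "constructed-salt-2", hash: "constructed-hash-2" }],
};

console.log(renderJson(sampleUser));
console.log(renderJson(sampleList));
```

Two points worth knowing when relying on this: JSON.stringify calls a value's toJSON() before it applies the replacer, so Mongoose documents returned from create or update are redacted just like plain objects; and the replacer matches on property name alone, so any field named hash anywhere in any response (a content hash on an unrelated model, for instance) is dropped as well. Keep the redacted-field list specific to credential fields, and prefer a query projection where one is available.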