Reputation: 1225
I'm using two schemas for users. One that contains the password/salt, one that doesn't for returning to the front end. When I use the model that uses the schema WITHOUT the password, it still returns the password :/
Generic User (For sending to the client)
    module.exports = {
        username: String,
        email: String,
        firstName: String,
        lastName: String,
        createdOn: Date,
        updatedOn: Date,
        scopes: [String]
    }
Auth User (for creating/updating/authenticating users)
    module.exports = {
        username: String,
        email: String,
        password: String,
        salt: String,
        firstName: String,
        lastName: String,
        createdOn: Date,
        updatedOn: Date,
        scopes: [String]
    }
Creating the models with
    var modelInstance = mongoose.model("authUser", authUserSchema, 'users')
(in a different file)
    var modelInstance = mongoose.model("user", userSchema, 'users')
modelInstance is exported with module.exports = modelInstance;
Update: This question answers mine: How to protect the password field in Mongoose/MongoDB so it won't return in a query when I populate collections?
Upvotes: 2
Views: 196
Reputation: 1384
You don't have a clear question, but I guess you are asking if you can restrict it. The answer is 'no' by default.
There is a plugin for this: https://www.npmjs.com/package/mongoose-strictmodel But it's really out of date.
It's easy enough though to create a wrapper function:
    // Copy only the client-facing fields; password and salt are left out.
    function safeUser(userModel) {
        return {
            username: userModel.username,
            email: userModel.email,
            firstName: userModel.firstName,
            lastName: userModel.lastName,
            createdOn: userModel.createdOn,
            updatedOn: userModel.updatedOn,
            scopes: userModel.scopes
        }
    }
Upvotes: 0
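The wrapper idea from the answer, generalized as an added example (not code from either poster): the allowlist is derived from the question's Generic User field definition, and the function accepts a plain object, an object exposing `toObject()` as Mongoose documents do, or an array of either. The names `toPublicUser`, `PUBLIC_FIELDS`, `storedUser` and `fakeDocument` are hypothetical, and the sample record is constructed.

```javascript
// Client-facing field definition, copied from the question's "Generic User" schema.
const userSchema = {
  username: String, email: String, firstName: String, lastName: String,
  createdOn: Date, updatedOn: Date, scopes: [String]
};

// The allowlist is derived from the schema, so the two cannot drift apart.
const PUBLIC_FIELDS = Object.freeze(Object.keys(userSchema));

// Accepts a document with toObject(), a plain (lean) object,
// or an array of either. Anything else is rejected instead of passed through.
function toPublicUser(user) {
  if (Array.isArray(user)) return user.map((u) => toPublicUser(u));
  if (user === null || typeof user !== 'object') {
    throw new TypeError('expected a user document or object');
  }
  const plain = typeof user.toObject === 'function' ? user.toObject() : user;
  const out = {};
  for (const field of PUBLIC_FIELDS) {
    // Only allowlisted own properties are read; password, salt, _id, __v never are.
    if (Object.prototype.hasOwnProperty.call(plain, field) && plain[field] !== undefined) {
      const value = plain[field];
      out[field] = Array.isArray(value) ? value.slice() : value; // no shared array reference
    }
  }
  return out;
}

// Constructed sample: a record as stored in the shared 'users' collection.
const storedUser = {
  _id: 'constructed-id',
  username: 'alice',
  email: 'alice@example.com',
  password: 'constructed-hash',
  salt: 'constructed-salt',
  firstName: 'Alice',
  lastName: 'Example',
  scopes: ['user'],
  __v: 0
};

// Hypothetical stand-in for a Mongoose document: it only exposes toObject().
const fakeDocument = { toObject: () => ({ ...storedUser }) };

console.log(JSON.stringify(toPublicUser(storedUser)));
```

Because the output is built from the allowlist rather than by deleting known-sensitive keys, a field added later to the auth schema stays out of responses until it is also added to the client-facing definition.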