
I have a Mongoose schema like this:

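const mongoose = require('mongoose');

// Schema for a user account; both fields are mandatory.
const UserSchema = new mongoose.Schema({
    name: {
        type: String,
        required: true
    },
    password: {
        type: String,
        required: true,
    }
});

// Register the schema as the 'User' model.
mongoose.model('User', UserSchema);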

Let's say we have a /user/me route that gives users their data if they are authenticated.

What would be the best way to prevent the password from being sent to each user through an API request? Shall I remove the field from the object that I retrieve from the database? Or are there other ways to handle it better?

P.S.: I'm looking for the best way to handle it, not how to do it.

  • Do you need the password field? What exactly do you want to do with that route? And also do you hash the passwords? Also you should look into authenticating each user with a session so only the user can view his password. – Fabio Jul 16 '21 at 00:28
  • Yes, I do these things. I want to prevent the hashed password from being sent through the API request, even to the users themselves, for more security. – kouroshtajalliepour Jul 16 '21 at 03:31
  • Then you could just remove it from the JSON Object you return to the user. To see how to do that look at this answer: https://stackoverflow.com/a/1219633/4857298 – Fabio Jul 17 '21 at 14:01
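
An added example, not part of the original question or its comments: it contrasts deleting the `password` key from the retrieved object (a deny-list) with building the `/user/me` response from an allow-list, and includes a check that scans a response body for secret keys. The `id` and `resetToken` fields, the function names and the sample record are assumptions constructed for illustration.

```javascript
'use strict';

// Only these fields may ever leave the API for /user/me (allow-list).
const PUBLIC_USER_FIELDS = ['id', 'name'];

// Keys that must never appear anywhere in a response body (assumed names).
const SECRET_KEYS = new Set(['password', 'passwordHash', 'resetToken']);

// Build the response from the allow-list. Accepts a plain object or anything
// exposing toObject(), as Mongoose documents do.
function toPublicUser(user) {
  const src = typeof user.toObject === 'function' ? user.toObject() : user;
  const out = {};
  for (const field of PUBLIC_USER_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(src, field)) out[field] = src[field];
  }
  return out;
}

// Deny-list variant, for contrast: copies everything and drops one key.
function stripPassword(user) {
  const { password, ...rest } = user;
  return rest;
}

// Recursively list the paths of secret keys in a body; usable as a test check.
function findSecretPaths(body, path = '') {
  if (body === null || typeof body !== 'object') return [];
  const hits = [];
  for (const [key, value] of Object.entries(body)) {
    const here = path ? `${path}.${key}` : key;
    if (SECRET_KEYS.has(key)) hits.push(here);
    hits.push(...findSecretPaths(value, here));
  }
  return hits;
}

// Constructed record: the schema from the question plus a later-added field.
const sampleUser = {
  id: '64b000000000000000000001',
  name: 'alice',
  password: '$2b$12$constructed.hash.placeholder',
  resetToken: 'constructed-token',
};

console.log(stripPassword(sampleUser)); // the later-added secret still leaks
console.log(toPublicUser(sampleUser));  // only allow-listed fields remain
console.log(findSecretPaths(stripPassword(sampleUser)));
```

In Mongoose itself, setting `select: false` on the `password` path keeps the field out of query results by default; the allow-list still applies at the response boundary for any field added to the schema later.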

0 Answers