Mongoose: Remove password field from query results

Updated: December 30, 2023 By: Guest Contributor Post a comment


When developing applications that involve user data, particularly with databases, it’s crucial to handle sensitive information such as passwords with utmost care. In MongoDB, with the help of Mongoose, a tool that enables object data modeling (ODM) and simplified interaction with MongoDB, it is possible to structure queries to exclude specific fields, like passwords, from query results. This practice enhances security and privacy by preventing the unintentional exposure of sensitive fields in your application’s frontend or APIs.

In this tutorial, we will explore a variety of techniques to ensure that the password field is consistently excluded from Mongoose query results. These methods will progress from basic to advanced scenarios involving different query types and the use of middleware.

Basic Query Modifications

To start, let’s consider a basic example where we directly tell Mongoose to exclude the password field when querying.

const User = mongoose.model('User', new mongoose.Schema({
    username: String,
    password: String,
    // other fields...

const findUserWithoutPassword = async (username) => {
    return await User.findOne({ username }, '-password');

In this code block, the syntax '-password' is what instructs Mongoose to exclude the password field from the results. The hyphen - prefix indicates an exclusion.

Using Projection

Mongoose supports the use of projection in queries as well, which is another straightforward to provide guidelines on fields to be included or excluded from query results. Here’s how to use projection for field exclusion:

const findUserWithoutPasswordProjection = async (username) => {
    return await User.findOne({ username }, { password: 0 });

A 0 next to the field name within the projection object indicates that the field should not be included in the output.

Query Wrapper Function

Creating a wrapper function for your queries can abstract away the need for developers to remember to exclude the password on every query ever written.

const safeFindOne = async (username) => {
    return await User.findOne({ username }).select('-password').exec();

The .select('-password') call chain is attached to the query, again ensuring the password field is not included in the result.

Schema Level Defaults

You can also go further by defining default projection settings at the schema level.

const userSchema = new mongoose.Schema({
    username: String,
    password: { 
        type: String, 
        select: false 
    // other fields...

// Applying the schema to the User model
const User = mongoose.model('User', userSchema);

// Now every query will exclude password by default
const user = await User.findOne({username}).exec();

With the select: false option in the schema, all queries through this model will omit the password field unless explicitly added back in with .select('+password').

Advanced Query Handling with Middleware

To even more tightly control the output of query results, you can use Mongoose Middleware, also known as Hooks. We can use the post hook to speak to every find-type action after the query executed.

const hidePasswordField = (doc) => {
    if (doc && doc.password) {
        delete doc.password;
};'find', hidePasswordField);'findOne', hidePasswordField);'findOneAndUpdate', hidePasswordField);

With middleware in place, regardless of how and where your queries are executed, any returned documents will automatically have their password field stripped off in the result. But beware, this strategy could lead to issues with hooks firing multiple times under certain conditions.

Test Your Implementation

All variations above can ensure the omission of sensitive fields. However, testing this feature is as important as implementing it to safeguard against accidental data exposure.

describe('User model query tests', () => {
    it('should not include the password field', async () => {
        const user = await findUserWithoutPassword('username_example');

Consistent testing will confirm that regardless of updates and changes to the code, privacy protocols regarding user data remain intact.


Throughout this article, we reviewed the importance of safeguarding user passwords in any application; exploring various methods with which to leverage Mongoose ODM features to exclude sensitive fields, specifically password fields, from query results in MongoDB. Starting with basic projections to implementing schema default configurations, and further enhancing control with middleware, it is clear that these practices are vital and apply to different layers of application development.

Whether you are a novice developer just starting out or an advanced engineer architecting a large-scale application, ensuring adequate privacy controls are built-in from the outset should be a foundational piece of your software development ethos.