Password isn't removed from responses when using a mongoose service for users endpoint #19
Comments
|
Ah man, this bullshit again... totally fair point. That's such a shitty gotchya though. |
|
Should the adapter just always convert the Mongoose models to objects by default for the next version (and hide the old behaviour behind a flag)? |
|
No, because there are times when you want the actual model. I would say it's that about 50% of the time you want the object and the other 50% end up wanting the model. Again, maybe we can throw an error possibly?? |
|
How would you throw an error? I guess the hook in this plugin could just check if you're getting a Mongoose Model and convert it. |
|
Yeah it's just something that can be converted in the hook, can submit a PR for |
|
Are there other cases with other ORM's that we should handle as well? |
|
@corymsmith nothing that I have seen so far but I haven't tried auth yet with the other ORMs. Mongoose seems to be the only one that returns a collection of models instead of the raw documents. |
|
I think Sequelize is returning an array of models, too but you can delete properties so it should be fine. |
Since the user object returned is a Mongoose model,
delete data.password;doesn't remove the password.The text was updated successfully, but these errors were encountered: