Oftentimes, when building the current user's endpoint in a REST API (typically /me or /home), you'd want to expose only a subset of the fields stored in the database table or collection. In particular, you need to keep sensitive fields such as the password hash, as well as metadata such as the version key (__v), out of the server response. In Mongoose, there are several ways to achieve that.

First, you could pass a string of space-separated field names to the select() method on the query, effectively whitelisting the fields to be projected: only what you name comes back from the database. Alternatively, you could blacklist fields in select() by prefixing each with a minus sign (for example '-password -__v'), or mark a path with select: false in the schema so it is left out of every query unless a query explicitly asks for it with '+password'. Whitelisting is the safer default: a field added to the schema later stays hidden until you decide to expose it, whereas with a blacklist every new field leaks until someone remembers to exclude it. Yet another approach is to hook into the schema options with the set() method. One such option is toJSON, whose transform function runs whenever toJSON is called on a document, which is exactly what JSON.stringify, and therefore Express's res.json(), does. Keep in mind that this approach won't work if you tack lean() onto the query, since lean() returns a POJO (plain-old JavaScript object) rather than a Mongoose document, so no toJSON transform is applied and the hash goes out unchanged. If you prefer to fetch a POJO for better performance, you need to restrict the fields in select() instead.
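The following is an added example, not code from the original post or from Mongoose itself: it models the three approaches above in plain Node.js, with no database, so the behaviour can be run and inspected offline. The user record, the field names (passwordHash, resetToken, __v) and the ProtectedDocument class are constructed stand-ins; the comments name the Mongoose call each function corresponds to. The point it makes visible is the one the text warns about: the toJSON transform protects a hydrated document but does nothing for the POJO that lean() returns, and a blacklist silently leaks a field (resetToken) that was added after the list was written.

```javascript
// Added example: plain Node.js model of Mongoose-style field protection.
// Everything here is constructed for illustration; none of it is Mongoose code.

// A constructed user record, as it might sit in the users collection.
const storedUser = Object.freeze({
  _id: 'u-1',
  email: 'alice@example.com',
  displayName: 'Alice',
  passwordHash: '$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$aGFzaA', // constructed
  resetToken: 'constructed-reset-token', // a field added after the blacklist below was written
  __v: 3,
});

// Approach 1: whitelist. Only the fields you name leave the process.
// Mongoose equivalent: User.findById(id).select('_id email displayName')
const PUBLIC_FIELDS = ['_id', 'email', 'displayName'];

function pickFields(record, allow) {
  const out = {};
  for (const key of allow) {
    if (Object.prototype.hasOwnProperty.call(record, key)) out[key] = record[key];
  }
  return out;
}

// Approach 2: blacklist. Everything not named is exposed, including fields
// introduced later (resetToken above).
// Mongoose equivalent: User.findById(id).select('-passwordHash -__v')
function omitFields(record, deny) {
  const out = { ...record };
  for (const key of deny) delete out[key];
  return out;
}

// Approach 3: a toJSON transform, mirroring the shape of
// schema.set('toJSON', { transform: (doc, ret) => { ...; return ret; } }).
// JSON.stringify (and so Express's res.json) calls toJSON on any object that
// defines it, which is where the transform gets its chance to strip fields.
function toJSONTransform(doc, ret) {
  delete ret.passwordHash;
  delete ret.__v;
  return ret;
}

// Hypothetical stand-in for a hydrated Mongoose document.
class ProtectedDocument {
  constructor(record) {
    Object.assign(this, record);
  }
  toJSON() {
    return toJSONTransform(this, { ...this });
  }
}

// What a client would actually receive: serialise and parse back.
function serialise(value) {
  return JSON.parse(JSON.stringify(value));
}

// Hydrated document: the toJSON transform runs, the hash is stripped.
function hydratedResponse() {
  return serialise(new ProtectedDocument(storedUser));
}

// .lean() hands back the raw POJO: no toJSON hook exists, so the hash ships.
function leanResponse() {
  return serialise({ ...storedUser });
}

// lean() combined with a whitelist projection: safe, and fails closed.
function leanWhitelistedResponse() {
  return serialise(pickFields(storedUser, PUBLIC_FIELDS));
}

// lean() combined with a blacklist projection: resetToken leaks.
function leanBlacklistedResponse() {
  return serialise(omitFields(storedUser, ['passwordHash', '__v']));
}

function main() {
  const paths = { hydratedResponse, leanResponse, leanWhitelistedResponse, leanBlacklistedResponse };
  for (const [name, fn] of Object.entries(paths)) {
    const body = fn();
    console.log(
      `${name}: passwordHash leaked=${'passwordHash' in body}, resetToken leaked=${'resetToken' in body}`
    );
  }
}

main();
```

Run it with node and compare the four lines: only the whitelisted path keeps both the hash and the later-added resetToken out of the response, which is why select() with an explicit field list is the right companion to lean().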

#mongoose

Authentication in Node.js - #8 Protected Fields in Mongoose