These are chat archives for Automattic/mongoose

20th
Nov 2015
iSayme
@isayme
Nov 20 2015 06:18
@jeroenrinzema in my env, it works as expected.
Erinç Fırtına
@EricMcRay
Nov 20 2015 15:00
how can i use path’s get & set methods for embeded array ?
Diego Aguilar Aguilar
@diegoaguilar
Nov 20 2015 17:27
Hello, what's proper way to avoid an schemaModel.toString() logs password field
or console.log(model) log password too
Diego Aguilar Aguilar
@diegoaguilar
Nov 20 2015 17:42
it's not to deselect password in queries but to avoid console.log and JSON.stringify to output it
Luke A. Greenleaf
@gishmel
Nov 20 2015 17:46
you can do a pre-fetch step that projects the password field out of the query
Diego Aguilar Aguilar
@diegoaguilar
Nov 20 2015 18:19
I don't understand @gishmel
Diego Aguilar Aguilar
@diegoaguilar
Nov 20 2015 21:21
@vkarpov15 any suggestion? :)
I've submitted a post on SO
Valeri Karpov
@vkarpov15
Nov 20 2015 22:33
@diegoaguilar you can use select: false: http://mongoosejs.com/docs/api.html#schematype_SchemaType-select . My preferred approach though is to just have a separate collection of passwords which have a parent pointer to the user that this is the password hash for. This way, you need to try really hard to shoot yourself in the foot and expose the password hash, and you typically only need the password hash in two routes
Diego Aguilar Aguilar
@diegoaguilar
Nov 20 2015 22:33
@vkarpov15 but I do want to get password from Mongo,
but also, I'd like to declare at schema the consecuent drop of password field
when logging
it's not like I want to do db.users.find({gitterName: "@vkarpov15"}, {password: false})
Valeri Karpov
@vkarpov15
Nov 20 2015 22:37
You can declare select at the schema level too, so password will be de-selected unless you explicitly specify it
I still prefer the separate collection approach though
I tend to be pretty Hobbesian when it comes to password security
Diego Aguilar Aguilar
@diegoaguilar
Nov 20 2015 22:48
yeah I understand that @vkarpov15
how's this schema leve deselect
?