hoangvvo / nextjs-mongodb-app

A Next.js and MongoDB web application, designed with simplicity for learning and real-world applicability in mind.
https://nextjs-mongodb.now.sh/
MIT License
1.54k stars, 289 forks

Use MongoDB projection to hide sensitive fields #130

Closed hoangvvo closed 3 years ago

hoangvvo commented 3 years ago

Earlier, we were relying on a util function called extractUser, which returns the input object but with password, email, etc. omitted. However, this is not ideal, since it is possible that we forget to wrap a user object with it at some point.

Therefore, the solution is to use MongoDB projection to omit the fields right from the db requests.

I marked certain functions "UNSAFE" just because they contain sensitive information, not because they are unsafe for any reason. One only needs to be careful when using these.
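The pattern described above, as an added example that is not part of the PR or the project's code: the exclusion projection lives in the driver call, the full-document read is named UNSAFE, and a constructed in-memory stand-in (assumed names `fakeDb`, `applyExclusionProjection`, `safeUserProjection`, and the sample user fields) mimics the driver's `findOne(filter, { projection })` so it runs offline.

```javascript
// Added example (not the project's code) of the pattern the PR describes:
// exclude sensitive fields in the query itself via a MongoDB projection, so no
// caller can forget a post-hoc extractUser() call. Names are assumed, not the repo's.
const safeUserProjection = { password: 0, email: 0, emailVerified: 0 };

// Safe read path: exclusion happens in the driver call, so the returned document
// never carries the secrets, whatever the caller serialises afterwards.
async function findUserById(db, userId) {
  return db.collection('users').findOne({ _id: userId }, { projection: safeUserProjection });
}

// "UNSAFE" only in the PR's sense: the full document (password hash included) is
// needed by login; the name makes every call site stand out in review.
async function findUserByIdUnsafe(db, userId) {
  return db.collection('users').findOne({ _id: userId });
}

// ---- Constructed in-memory stand-in for a driver collection so this runs offline.
// It implements just what the functions above use: findOne(filter, { projection })
// with an exclusion projection ({ field: 0 }), the same option shape the driver takes.
function applyExclusionProjection(doc, projection) {
  const out = {};
  for (const [key, value] of Object.entries(doc)) {
    if (!projection || projection[key] !== 0) out[key] = value;
  }
  return out;
}

function fakeDb(docs) {
  return {
    collection() {
      return {
        async findOne(filter, options = {}) {
          const hit = docs.find((d) => d._id === filter._id);
          return hit ? applyExclusionProjection(hit, options.projection) : null;
        },
      };
    },
  };
}

// Constructed sample user; the hash is a placeholder, not a real credential.
const sampleUsers = [{
  _id: 'u1', username: 'alice', name: 'Alice', bio: 'hello', email: 'alice@example.com',
  emailVerified: true, password: '$2a$10$PLACEHOLDER_NOT_A_REAL_HASH',
}];

// Stand-alone run: the safe read returns only the public keys.
findUserById(fakeDb(sampleUsers), 'u1').then((u) => console.log(Object.keys(u)));
```

Pointing `findUserById` at a real driver `Db` works unchanged, since only the stand-in's `findOne` is replaced.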

changeset-bot[bot] commented 3 years ago

⚠️ No Changeset found

Latest commit: 02d607f6cd5e855033d61c2dc5f024643914896a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.


vercel[bot] commented 3 years ago

This pull request is being automatically deployed with Vercel.

🔍 Inspect: https://vercel.com/hoangvvo/nextjs-mongodb-app/Czq4N2CzyphN7RmDVPsrMuFbjNXP
✅ Preview: https://nextjs-mongodb-app-git-security-projection-remo-3ea006-hoangvvo.vercel.app