findOne with typo returns arbitrary document instead of null

[florianwalther-private]

Prerequisites

• I have written a descriptive issue title

Mongoose version

6.2.9

Node.js version

16.13.2

MongoDB version

5.0.10

Operating system

Windows

Operating system version (i.e. 20.04, 11.3, 10)

10

Issue

When I use Mongoose's findOne with a filter that uses a non-existing key, the query returns an arbitrary document (probably the first one in the collection). This can cause some devastating bugs. Why does Mongoose behave this way and is there a way to avoid this? When the key/value combination in the filer doesn't exist, I would expect the query to return no result.

Example:

const googleSignupToken = await GoogleSignupToken.findOne({ token: token }).exec();

when I accidentally filtered with { tokenId: token } (tokenId doesn't exist as a key on this schema), it returned the wrong document.

[florianwalther-private]

Just found the answer on Stackoverflow. Looks like we need to disable strict query. To be honest, I'm surprised about this default behavior. It can cause some pretty devastating bugs simply by adding a typo to the key of a query.

https://stackoverflow.com/questions/70456923/mongoose-findone-and-find-return-invalid-values-when-they-should-return-nul?noredirect=1&lq=1

[vkarpov15]

@florianwalther-private we agree re: causing serious bugs due to typos. That's why we have #11861 open for our next major release.