Simple filtering and denormalization for Mongoose.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


Simple filtering and denormalization for Mongoose. Useful for REST APIs where you might not want to send entire objects down the pipe. Allows you to store sensitive data directly on objects without worrying about it being sent to end users.


npm install mongoose-filter-denormalize


mongoose <= v3.4

Filter Usage

Filtering functionality is provided via a schema plugin.


var filter = require('mongoose-filter-denormalize').filter;
var ObjectId = mongoose.Schema.ObjectId;
var UserSchema = new Mongoose.schema({
  name            :   String,
  address         :   String,
  fb              :  {
      id              :   Number,
      accessToken     :   String
  writeOnlyField  :   String,
  readOnlyField   :   String
UserSchema.plugin(filter, {
  readFilter: {
      "owner" : ['name', 'address', '', '', 'readOnlyField'],
      "public": ['name', '']
  writeFilter: {
      "owner" : ['name', 'address', '', 'writeOnlyField']
  // 'nofilter' is a built-in filter that does no processing, be careful with this
  defaultFilterRole: 'nofilter',
  sanitize: true, // Escape HTML in strings
  compat: true // Enable compatibility for Mongoose versions prior to 3.6 (default false)

Example Read

User.findOne({name: 'Foo Bar'}, User.getReadFilterKeys('public')), function(err, user){
  if(err) return next(err);
  res.send({success: true, users: [user]});

Example Write

User.findById(, function(err, user){
  if(err) next(err);
  if( !== next(403);
  user.extendWithWriteFilter(inputRecord, 'owner');  // Similar to jQuery.extend(), user){
      if(err) return next(err);
      user.applyReadFilter('owner'); // Make sure the doc you return does not contain forbidden fields
      res.send({success: true, users: [user]});


  • readFilter (Object): Object mapping filtering profiles to string arrays of allowed fields. Used when reading a doc - useful for GET queries that must return only selected fields.
  • writeFilter (Object): As above, but used when when applied during a PUT or POST. This filters fields out of a given object so they will not be written even when specified. Useful for protected attributes like fb.accessToken.
  • defaultFilterRole (String)(default: 'nofilter'): Profile to use when one is not given, or the given profile does not exist.
  • sanitize (Boolean)(default: false): True to automatically escape HTML in strings.
  • compat (Boolean)(default: false): True to enable compatibility with Mongoose versions prior to 3.6


This plugin adds the following statics to your schema:

  • getReadFilterKeys(filterRole)
  • getWriteFilterKeys(filterRole)
  • applyReadFilter(input, filterRole)
  • applyWriteFilter(input, filterRole
  • _applyFilter(input, filterKeys) // private helper
  • _getFilterKeys(type, filterRole) // private helper


This plugin adds the following methods to your schema:

  • extendWithWriteFilter(input, filterRole)
  • applyReadFilter(filterRole) // convenience method, calls statics.applyReadFilter
  • applyWriteFilter(filterRole) // convenience method, calls statics.applyWriteFilter

Denormalize Usage

Denormalization functionality is provided via a schema plugin. This plugin has support for, but does not require, the filter.js plugin in the same package.


var denormalize = require('mongoose-filter-denormalize').denormalize;
var ObjectId = mongoose.Schema.ObjectId;
var UserSchema = new Mongoose.schema({
  name            :   String,
  transactions    :   [{type:ObjectId, ref:'Transaction'}],
  address         :   {type:ObjectId, ref:'Address'},
  tickets         :   [{type:ObjectId, ref:'Ticket'}],
  bankaccount     :   {type:ObjectId, ref:'BankAccount'}

// Running .denormalize() during a query will by default denormalize the selected defaults.
// Excluded collections are never denormalized, even when asked for.
// This is useful if passing query params directly to your methods.
UserSchema.plugin(denormalize, {defaults: ['address', 'transactions', 'tickets'],
                                exclude: 'bankaccount'});


// Create a query.
// The 'conditions' object allows you to query on denormalized objects!
var opts = {
  refs: ["transactions", "address"],    // Denormalize these refs. If blank, will use defaults
  filter: "public";                     // Filter requires use of filter.js and profiles
  conditions: {
    address: {city : {$eq: "Seattle"}}  // Only return the user if he is in Seattle
User.findOne({name: 'Foo Bar'}).denormalize(opts).run(function(err, user){
  if(err) next(err);
  res.send({success: true, users: [user]});


  • exclude (String[] or String): References to never denormalize, even when explicitly asked Use this when generating refs programmatically, to prevent unintended leakage.
  • defaults (String[] or String): References to denormalize when called without options. Defaults to all refs (except those in 'exclude'). Useful to define this if you have hasMany references that can easily get large.
  • suffix (String): A suffix to add to all denormalized objects. This is not yet supported in Mongoose but hopefully will be soon. E.g. a suffix of '_obj' would denormalize the story.comment object to story.comment_obj, leaving the id in story.comment. This is necessary for compatibility with ExtJS.


If you are building your array of refs to denormalize programmatically, make sure it returns an empty array if you do not want it to denormalize - falsy values will cause this plugin to use defaults.