Closed
Description
Say you have a User model:

```js
const mongoose = require('mongoose');

const User = mongoose.model('User', new mongoose.Schema({
  name: String,
  password: String,
}));
```

Normally you never want to expose the password, under any circumstances, so you'd do:

```js
const express = require('express');
const restify = require('express-restify-mongoose');

const router = express.Router();
restify.serve(router, User, {
  private: ['password'],
});
```

Now this works when hitting any endpoint:
GET /User does not show the private fields.
GET /User/some-id also does not show the password.
HOWEVER:
GET /User?distinct=password shows ALL passwords for ALL users in the database ...
This is a huge security concern.
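As an added example (not code from the issue author or from express-restify-mongoose), here is a small Express-style guard that closes the hole described above: it rejects any `?distinct=` request naming a field in the `private` list before the query reaches the model. The field list, the `isPrivateField` / `guardDistinct` / `simulate` names, and the mount point (the library's `preMiddleware` option, or an `app.use` on the same path ahead of the generated routes) are assumptions; the `simulate` harness constructs a fake `req`/`res` so the behaviour can be checked offline.

```javascript
// Added example: a guard middleware for the ?distinct=<private field> hole.
// Not code from the issue or from express-restify-mongoose; the field list
// and the place it is mounted are assumptions.

const PRIVATE_FIELDS = ['password']; // assumed to mirror the `private` option

// A field is private if it is listed, or is a sub-path of a listed field
// (e.g. private: ['auth'] should also cover 'auth.hash').
function isPrivateField(field, privateFields) {
  return privateFields.some(p => field === p || field.startsWith(p + '.'));
}

// Collect every field named by ?distinct=. Express's query parser turns
// ?distinct=a&distinct=b into an array, so handle both shapes.
function distinctFields(query) {
  const raw = query && query.distinct;
  if (raw === undefined) return [];
  return (Array.isArray(raw) ? raw : [raw]).map(String);
}

// Express-style middleware factory. Mount it before the generated routes
// (for example via the library's preMiddleware option, or app.use on the
// same path) so a rejected query never reaches Model.distinct().
function guardDistinct(privateFields) {
  return function (req, res, next) {
    const blocked = distinctFields(req.query).filter(f => isPrivateField(f, privateFields));
    if (blocked.length > 0) {
      return res.status(400).json({
        error: `distinct on private field(s) not allowed: ${blocked.join(', ')}`,
      });
    }
    next();
  };
}

// Offline harness with a constructed req/res, so the guard can be exercised
// without starting a server. Returns what the client would observe.
function simulate(query, privateFields = PRIVATE_FIELDS) {
  const result = { status: 200, body: null, passedToNext: false };
  const res = {
    status(code) { result.status = code; return this; },
    json(body) { result.body = body; return this; },
  };
  guardDistinct(privateFields)({ query }, res, () => { result.passedToNext = true; });
  return result;
}

console.log(simulate({ distinct: 'password' }));           // blocked with 400
console.log(simulate({ distinct: 'name' }));               // allowed, next() called
console.log(simulate({ distinct: ['name', 'password'] })); // blocked with 400
console.log(simulate({}));                                 // allowed
```

The same check is worth applying to any other query parameter that can name a field (`select`, `sort`, `query` filters with `$where`-style operators), since `private` filtering done on the response body cannot protect paths that are evaluated server-side before the body is built.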