exclude column form selection (Hidden Columns) @select(false)

[satishbabariya]

Problem

How can i exclude certain column form select query overall like Password in the User Model.

Currently i'm using @Column({ select: false }) in typeorm.
ref: https://github.com/satishbabariya/nodejs-boilerplate/blob/master/src/models/User.ts#L37

Is ther any way to do this in prisma2? like

model User {
  id       Int    @default(autoincrement()) @id
  email    String @unique
  password String @select(false)
}

reference of TypeORM: https://typeorm.io/#/select-query-builder/hidden-columns

[pantharshit00]

Related: https://github.com/prisma/prisma/issues/2173

[schickling]

Related: https://github.com/prisma/specs/issues/459

[un33k]

@satishbabariya Thank you for raising this ticket.

For now I have to omit them painstakingly like

export type UserWhereInput = Omit<Prisma.UserWhereInput, 'password' | 'isActive'>;

Note that password and isActive have lost types here in the above line. :(

Looking forward to this feature available with the preview flag.

[akomm]

I can't express how important this feature is

[benbender]

@satishbabariya Thank you for raising this ticket.

For now I have to omit them painstakingly like

export type UserWhereInput = Omit<Prisma.UserWhereInput, 'password' | 'isActive'>;

You are only omit the typing for those fields and not the actual fields in the select or result. So those fields would be, for example, still included in an API-Response. Or am I missing something here?

[akomm]

This is especially dangerous because basically any manipulation, even deletion, in prisma is returning the complete selection of all fields.

The moment you just think for a second writing your code, you stumble uppon this. I try to wrap my head around how this behavior, without any options to change it, could make it into a release and be ignored for so long.

[un33k]

@benbender your are correct. The following is only enforcing the shape of the desired data.

export type UserWhereInput = Omit<Prisma.UserWhereInput, 'password' | 'isActive'>;

In turn, the data type is handed over to class-validator & graphql types to ensure validations on the way in / out.

Since Prisma cannot (at this time) exclude fields out-of-the-box, some acrobatic steps are performed to achieve a secure API.

This is an example that does the job well for now - It will be removed once Prisma provides some intuitive exclude rules.

[hgezim]

I'm also interested in having this solved.

[matthewmueller]

Closing in favor of #5042. We'll provide one solution for this whether it's in the schema or within the query is TBD.