Sequelize: don't return password

password-storage sequelize.js

Another way is to add a default scope to the User model.

Add this in the model's options object

defaultScope: {
  attributes: { exclude: ['password'] },
}

Or you can create a separate scope to use it only in certain queries.

Add this in the model's options object

scopes: {
  withoutPassword: {
    attributes: { exclude: ['password'] },
  }
}

Then you can use it in queries

User.scope('withoutPassword').findAll();

I would suggest overriding the toJSON function:

sequelize.define('user', attributes, {
  instanceMethods: {
    toJSON: function () {
      var values = Object.assign({}, this.get());

      delete values.password;
      return values;
    }
  }
});

Or in sequelize v4

const User = sequelize.define('user', attributes, {});

User.prototype.toJSON =  function () {
  var values = Object.assign({}, this.get());

  delete values.password;
  return values;
}

toJSON is called when the data is returned to the user, so end users won't see the password field, but it will still be available in your code.

Object.assign clones the returned object - Otherwise you will completely delete the property from the instance.


I like to use a combination of both of Pawan's answers and declare the following:

defaultScope: {
    attributes: { exclude: ['password'] },
},
scopes: {
    withPassword: {
        attributes: { },
    }
}

This allows me to exclude the password by default and use the withPassword scope to explicitly return the password when needed, such as when running a login method.

userModel.scope('withPassword').findAll()

This ensure that the password is not returned when including the user via a referenced field, e.g.

accountModel.findAll({
    include: [{
        model: userModel,
        as: 'user'
    }]
})

Maybe you can just add exclude at your attribute when you find, look like this:

var User = sequelize.define('user', attributes);

User.findAll({
    attributes: {
        exclude: ['password']
    }
});

Read the docs for more details


I was able to get this working by adding a getter to the field which returns undefined

firstName: {
      type: DataTypes.STRING,
      get() {
        return undefined;
      }
    }

The accepted answer does not work when the model is included from another model.

I had a virtual field, say fullName that depends on the fields that I wanted to hide, say firstName and lastName. And the solution based on defaultScope does not work in this case.

Related

How to make a boolean variable switch between true and false every time a method is invoked?
cygwin clearscreen from bash
How to add PageControl inside UICollectionView Image Scrolling
How do I compare a generic type to its default value? [duplicate]
Error in final launch sequence Failed to execute MI command -gdb-set target-async off
Hosting multiple clients with freemodbus
StackExchange.Redis timeout and "No connection is available to service this operation"
IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier
rMaps ichoropleth with custom map/shp
Callback redirect not preserving session
startForeground() causing problems with cordova
PerformFetchWithCompletionHandler called twice when simulating with Xcode