The latest articles on DEV Community by Subhadeep Datta (@subhos). https://dev.to/subhos https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F810508%2Ffddafe90-7476-4e2d-89c8-8e6ce524056a.jpeg https://dev.to/subhos en Subhadeep Datta Tue, 18 Feb 2025 19:15:02 +0000 https://dev.to/subhos/managing-mongoose-projections-in-nestjs-3fl0 https://dev.to/subhos/managing-mongoose-projections-in-nestjs-3fl0 <h1> The Backstory </h1> <p>While building a module in NestJS, I encountered a common dilemma: How to secure sensitive data in populated documents without overhauling our existing architecture?</p> <p>Here’s how I addressed it pragmatically, while acknowledging room for improvement.</p> <h2> The Problem, Simplified </h2> <ol> <li> <strong>Combined Auth/Profile Models</strong>: User authentication and profile data lived in a single schema (a known anti-pattern, but we all cut corners sometimes 😬).</li> <li> <strong>Leaky Projections</strong>: Sensitive fields like password and OTP slipped into API responses through populated relationships.</li> <li> <strong>Repetitive Code</strong>: Similar field exclusions were duplicated across multiple queries.</li> </ol> <h2> The Middle-Ground Solution </h2> <p>Instead of fully refactoring our auth system (which would’ve been ideal), I focused on immediate risk mitigation:</p> <h3> Step 1: Centralized Projection Configs </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// database/projections.config.ts </span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">UserSafeProjection</span> <span class="o">=</span> <span class="p">{</span> <span class="na">password</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="na">otp</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="na">mobileNumber</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="na">__v</span><span class="p">:</span> <span class="mi">0</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">EntityBaseProjection</span> <span class="o">=</span> <span class="p">{</span> <span class="na">__v</span><span class="p">:</span> <span class="mi">0</span> <span class="p">};</span> </code></pre> </div> <h3> Step 2: Reusable Population Blueprints </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// database/populations.config.ts </span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">TrainingMaterialPopulations</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">createdBy</span><span class="dl">'</span><span class="p">,</span> <span class="na">select</span><span class="p">:</span> <span class="nx">UserSafeProjection</span> <span class="p">},</span> <span class="p">{</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">project</span><span class="dl">'</span><span class="p">,</span> <span class="na">populate</span><span class="p">:</span> <span class="p">{</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">organisation</span><span class="dl">'</span><span class="p">,</span> <span class="na">select</span><span class="p">:</span> <span class="nx">EntityBaseProjection</span> <span class="p">}</span> <span class="p">}</span> <span class="p">];</span> </code></pre> </div> <h3> Step 3: Cleaner Service Implementation </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="nf">findById</span><span class="p">(</span><span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">trainingMaterialModel</span> <span class="p">.</span><span class="nf">findById</span><span class="p">(</span><span class="nx">id</span><span class="p">)</span> <span class="p">.</span><span class="nf">populate</span><span class="p">(</span><span class="nx">TrainingMaterialPopulations</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="nx">EntityBaseProjection</span><span class="p">)</span> <span class="p">.</span><span class="nf">lean</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Why This Works (For Now) </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Pros</th> <th>Cons</th> </tr> </thead> <tbody> <tr> <td>Immediate security improvement</td> <td>Still need proper auth separation</td> </tr> <tr> <td>Reduces code duplication</td> <td>Partial technical debt remains</td> </tr> <tr> <td>Easy to maintain/update</td> <td>Projections ≠ full authorization</td> </tr> </tbody> </table></div> <h2> Lessons Learned </h2> <ul> <li> <strong>Layer Your Security</strong>: Projections are just one piece of the puzzle.</li> <li> <strong>Document Tradeoffs</strong>: Added JSDoc: <code>// TEMP: Remove after auth refactor (Q4?)</code> </li> <li> <strong>Start Small</strong>: Even partial solutions can reduce risk while you plan bigger fixes.</li> </ul> <h2> Next Steps (If I Weren’t Lazy) </h2> <ul> <li>Separate auth into its own service/collection.</li> <li>Implement proper role-based access control.</li> <li>Add encryption for sensitive fields.</li> </ul> <h2> Your Thoughts? </h2> <p>How do you balance immediate fixes with long-term ideals? Have a better pattern for handling nested projections? Let’s discuss!</p> nestjs mongodb firstpostpanic databasesecurity