This content originally appeared on DEV Community and was authored by Subhadeep Datta

The Backstory

While building a module in NestJS, I encountered a common dilemma: How to secure sensitive data in populated documents without overhauling our existing architecture?

Here’s how I addressed it pragmatically, while acknowledging room for improvement.

The Problem, Simplified

1. Combined Auth/Profile Models: User authentication and profile data lived in a single schema (a known anti-pattern, but we all cut corners sometimes 😬).
2. Leaky Projections: Sensitive fields like password and OTP slipped into API responses through populated relationships.
3. Repetitive Code: Similar field exclusions were duplicated across multiple queries.

The Middle-Ground Solution

Instead of fully refactoring our auth system (which would’ve been ideal), I focused on immediate risk mitigation:

Step 1: Centralized Projection Configs

// database/projections.config.ts  
export const UserSafeProjection = {  
  password: 0,  
  otp: 0,  
  email: 0,  
  mobileNumber: 0,  
  __v: 0  
};  

export const EntityBaseProjection = { __v: 0 };

Step 2: Reusable Population Blueprints

// database/populations.config.ts  
export const TrainingMaterialPopulations = [  
  {  
    path: 'createdBy',  
    select: UserSafeProjection  
  },  
  {  
    path: 'project',  
    populate: {  
      path: 'organisation',  
      select: EntityBaseProjection  
    }  
  }  
];

Step 3: Cleaner Service Implementation

async findById(id: string) {  
  return this.trainingMaterialModel  
    .findById(id)  
    .populate(TrainingMaterialPopulations)  
    .select(EntityBaseProjection)  
    .lean();  
} 

Why This Works (For Now)

Lessons Learned

• Layer Your Security: Projections are just one piece of the puzzle.
• Document Tradeoffs: Added JSDoc: // TEMP: Remove after auth refactor (Q4?)
• Start Small: Even partial solutions can reduce risk while you plan bigger fixes.

Next Steps (If I Weren’t Lazy)

• Separate auth into its own service/collection.
• Implement proper role-based access control.
• Add encryption for sensitive fields.

Your Thoughts?

How do you balance immediate fixes with long-term ideals? Have a better pattern for handling nested projections? Let’s discuss!

This content originally appeared on DEV Community and was authored by Subhadeep Datta

Print Share Comment Cite Upload Translate Updates

APA

Subhadeep Datta | Sciencx (2025-02-18T19:15:02+00:00) Managing Mongoose Projections in NestJS. Retrieved from https://www.scien.cx/2025/02/18/managing-mongoose-projections-in-nestjs/

MLA

" » Managing Mongoose Projections in NestJS." Subhadeep Datta | Sciencx - Tuesday February 18, 2025, https://www.scien.cx/2025/02/18/managing-mongoose-projections-in-nestjs/

HARVARD

Subhadeep Datta | Sciencx Tuesday February 18, 2025 » Managing Mongoose Projections in NestJS., viewed ,<https://www.scien.cx/2025/02/18/managing-mongoose-projections-in-nestjs/>

VANCOUVER

Subhadeep Datta | Sciencx - » Managing Mongoose Projections in NestJS. [Internet]. [Accessed ]. Available from: https://www.scien.cx/2025/02/18/managing-mongoose-projections-in-nestjs/

CHICAGO

" » Managing Mongoose Projections in NestJS." Subhadeep Datta | Sciencx - Accessed . https://www.scien.cx/2025/02/18/managing-mongoose-projections-in-nestjs/

IEEE

" » Managing Mongoose Projections in NestJS." Subhadeep Datta | Sciencx [Online]. Available: https://www.scien.cx/2025/02/18/managing-mongoose-projections-in-nestjs/. [Accessed: ]

rf:citation

» Managing Mongoose Projections in NestJS | Subhadeep Datta | Sciencx | https://www.scien.cx/2025/02/18/managing-mongoose-projections-in-nestjs/ |

Please log in to upload a file.

There are no updates yet.
Click the Upload button above to add an update.

You must be logged in to translate posts. Please log in or register.