When you use findOne to return a single document, but the specified field in the filter does not exist (for example because of a typo), MongoDB returns an arbitrary document. This can cause some really bad bugs and security issues.
When I accidentally wrote { tokenId: token } as the filter (tokenId doesn’t exist as a key), it returned the first document in the collection. Which in this case is a devastating bug. Does the native findOne behave differently?
Thank you for finding and sharing the solution for this default Mongoose behaviour, which is definitely a very unexpected deviation from the normal MongoDB driver behaviour.
It looks like the strictQuery behaviour changed in Mongoose 6 and this has caused some confusion.
Thank you. I upvoted it
Yea I noticed that many people were complaining about this change and even the maintainer admitted that it was a mistake. I find it quite dangerous but I’m happy that there is a way to disable it.