Projection doesnt hide values

I want to retrieve the user information without getting the password and salt. However when I try to make a projection it doesn’t work and still outputs the password hash. Does anyone know the issue with my code?

I am using nodejs with mongo module.

Second param is the options which looks like it’s not correctly defined, see:

Of note is the setting up of the options parameter:

    const options = {
      // Sort matched documents in descending order by rating
      sort: { "imdb.rating": -1 },
      // Include only the `title` and `imdb` fields in the returned document
      projection: { _id: 0, title: 1, imdb: 1 },
    // Execute query
    const movie = await movies.findOne(query, options);

In your case you’re not passing the projection definition in wrapped in a projection field, so it could be:

await db.collection('account').findOne({username:rusername}, {projection:{_id:0, password:0, token:0, salt:0}})

Also…why are you storing the salt with the password?

Thank you, that worked!
Is storing salt and hashed passwords together a bad practice? What would be an alternative?

I had typed out a long reply…but checking some other resources it seems people don’t seen that concerned about storing it together with the password any more. I’ve typically stored it as an environment variable.

As it’s just to avoid the use of rainbow tables in case of a data breach, it can be stored with the password.

It also seems that it’s recommended to have a salt unique to each password…learned something new today!