node package manager
Love JavaScript? Your insights can make it even better. Take the 2017 JavaScript Ecosystem Survey ยป



Express Middleware to filter out Mongoose model attributes. You pass an array of fields you do not want returned as part of json or jsonp requests.


To install the latest official version, use NPM:

npm install mongoosemask --save

To run the tests and see what is supported run either of the following commands

npm test


app.use(mongoosemask(['_id', '_privatefield']));

The '_id' and the '_privatefield' will then be removed from your json objects before sending to the client.

maksedObj = {
    //ALL fields except _id and _private

You can also call the mask explicitly

var maskedModel = mongomask.mask(model, ['_id']);

Additionally there is also a expose method which you can use to expose items instead of excluding them.

Mask all values on a given object except for those that are explicitly exposed through the values array. The value can be a String which will directly be a one-to-one mapping for example

    _id -> _id will expose the _id mongoose value

or an object that maps keys to values for example {_id:'id'} Will expose _id as id on the object. [ '_id', {_id:'id} ] Will expose both id and _id, {'' : ''} Will create a sub object {exposed:{at:{any:level:'valuehere'}}}]

var exposedModel = mongoosemask.expose(model, [{_id:'id'}, {'email':'username'}, 'name', {'nested.value' : 'user.profile' }]);
 exposedModel = {
        profile:'public ...'


If you are using 'express-partial-response' you must place this middleware AFTER you place the express-partial-response middleware as this middlware only works with mongoose objects which the express-partial-response middleware does not return



Quick fix for nested objects.


Added dot'.' notation support to expose/mask methods. The method will try to walk the chain until it finds the value to expose/mask.

mask( ['this.sub.value'], model ); expose(['this.sub.value', { 'this.sub.value.two' : '' }], model );

If the expose method can not find the value then it will set it as undefined.

One limitation is that the dot notation can not traverse a sub array so model.[ {value:value}, {value:value}] will not be able to mask the model.value of the two sub models.


Added the ability to pass a function as the mask callback for the express middleware. if you have a complex item that needs masking you can pass a callback funtion that will be invoked before your object is serialized to json.

The callback must have the following signature. function(obj, mask, done);

 express.use(mongooseMask(function(value, mask, done){
         var masked = mask(value, ['_id', '__v']);
    = mask(, ['_id', '__v']);
         done(null, masked);


Fixed NPE when passing nested objects


Added support for calling mask directly. Added expose() method as an inverse of mask.


Initial release