If you are using Mongoose: in Mongoose 6 they introduced the sanitizeFilter option, which can be used as follows (from their documentation):
const obj = { username: 'val', pwd: { $ne: null } };
sanitizeFilter(obj);
obj; // { username: 'val', pwd: { $eq: { $ne: null } } }
Sanitizes query filters against query selector injection attacks by wrapping any nested objects that have a property whose name starts with $ in a $eq.
You can also set it up to be sanitized by default:
mongoose.set('sanitizeFilter', true);
And you can also skip the default sanitizing by using trusted():
const user = await User.findOne({
  // Tell Mongoose to not sanitize `{ $ne: true }`
  deleted: mongoose.trusted({ $ne: true }),
  email: req.body.email,
  hashedPassword: req.body.hashedPassword
}).setOptions({ sanitizeFilter: true });
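To make the effect visible without a database, here is an added example that is not Mongoose's own code: a simplified re-implementation of the sanitizeFilter() and trusted() behaviour described above. The `TRUSTED` symbol, the `trusted()` helper, `buildLoginFilter()` and the request body are all assumptions constructed for this illustration; the real Mongoose helper covers more cases, but the rule is the same: any filter value that is an object with a key starting with `$` is wrapped in `$eq` unless the developer marked it as trusted.

```javascript
// Added example, not Mongoose's code: a simplified re-implementation of the
// sanitizeFilter() / trusted() behaviour described in the answer.
// Any value that is an object with a key starting with `$` is wrapped in `$eq`
// unless it was marked trusted; `$and` / `$or` arrays are sanitised recursively.

const TRUSTED = Symbol('trusted'); // assumed marker, analogue of mongoose.trusted()

// Mark a value the developer wrote (not user input) so it survives sanitizing.
function trusted(value) {
  if (value !== null && typeof value === 'object') value[TRUSTED] = true;
  return value;
}

function hasDollarKey(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value) &&
    Object.keys(value).some((k) => k.startsWith('$'));
}

// Sanitise a filter in place and return it (mirrors the documented usage).
function sanitizeFilter(filter) {
  if (filter === null || typeof filter !== 'object') return filter;
  if (Array.isArray(filter)) {
    filter.forEach((sub) => sanitizeFilter(sub));
    return filter;
  }
  for (const key of Object.keys(filter)) {
    const value = filter[key];
    if (value !== null && typeof value === 'object' && value[TRUSTED]) continue;
    if (key === '$and' || key === '$or') { sanitizeFilter(value); continue; }
    if (hasDollarKey(value)) {
      const keys = Object.keys(value);
      if (keys.length === 1 && keys[0] === '$eq') continue; // already a plain equality
      filter[key] = { $eq: value }; // operator object becomes a literal to compare against
    }
  }
  return filter;
}

// How a login handler would build its filter from an untrusted JSON body
// (hypothetical helper, modelled on the findOne() call in the answer).
function buildLoginFilter(body) {
  return sanitizeFilter({
    deleted: trusted({ $ne: true }), // operator written by the developer, kept as-is
    email: body.email,
    hashedPassword: body.hashedPassword,
  });
}

// Constructed request body: the client sent an operator object instead of a string.
const injectedBody = { email: 'alice@example.com', hashedPassword: { $ne: null } };
console.log(JSON.stringify(buildLoginFilter(injectedBody)));
// {"deleted":{"$ne":true},"email":"alice@example.com","hashedPassword":{"$eq":{"$ne":null}}}
```

The sanitized filter now compares `hashedPassword` against the literal object `{ $ne: null }`, which matches no real document, while the developer-supplied `deleted: { $ne: true }` keeps working because it was marked trusted.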