Mitigating MongoDB injection attacks with Mongoose
While you could wrap each value in $eq to force an equality comparison in the query, your Express route handler is a better place to perform request format validation. The attack works because the JSON body parser hands you whatever shape the client sent: if req.body.password arrives as the object {"$ne": null} instead of a string, dropping it straight into a Mongoose filter turns it into a query operator. A valid POST /login should have userName and password string fields in the body of the request. If either is missing or is not a string, the request should be rejected before it even gets to Mongoose.
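The following is an added example, not code from the original post. It runs on plain Node.js with no Express or Mongoose installed: fakeFindOne is a small stand-in for Mongoose's Model.findOne() supporting only the operators the demonstration needs, the (req) handler shape and the returned status object stand in for an Express route, and the users and request bodies are constructed. It shows the same hostile bodies passing through the unvalidated handler and being rejected by the validated one.

```javascript
'use strict';
// Added example, not from the original post. Pure Node.js: fakeFindOne mimics
// Mongoose's Model.findOne() for $eq/$ne/$regex only, and loginHandler mimics an
// Express (req, res) route by returning the status it would send.

// Constructed user collection. Plaintext passwords appear here only so the
// injection is visible; real code compares a hash and never puts the password
// into the query filter.
const USERS = [
  { _id: 1, userName: 'alice', password: 'hunter2' },
  { _id: 2, userName: 'bob', password: 'correct horse' },
];

// Constructed request bodies: one legitimate login and three hostile ones.
const BODIES = {
  legit:   { userName: 'alice', password: 'hunter2' },
  neNull:  { userName: { $ne: null }, password: { $ne: null } }, // classic bypass
  regex:   { userName: 'alice', password: { $regex: '^h' } },    // char-by-char oracle
  missing: { userName: 'alice' },                                 // no password field
};

// Minimal filter evaluator: a primitive means equality, an object means operators.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const v = doc[field];
    if (cond === null || typeof cond !== 'object') return v === cond;
    return Object.entries(cond).every(([op, arg]) => {
      switch (op) {
        case '$eq': return v === arg;
        case '$ne': return v !== arg;
        // Attacker-controlled pattern: also the ReDoS surface a real server exposes.
        case '$regex': return typeof v === 'string' && new RegExp(arg).test(v);
        default: throw new Error(`unsupported operator ${op}`);
      }
    });
  });
}

function fakeFindOne(filter) {
  return USERS.find((doc) => matches(doc, filter)) || null;
}

// VULNERABLE: req.body is parsed JSON, so an object such as {"$ne": null} flows
// into the filter unchanged and is interpreted as a query operator.
function loginUnsafe(body) {
  return fakeFindOne({ userName: body.userName, password: body.password });
}

// HARDENED: validate the request shape in the route handler, before Mongoose.
// Returns { ok: true, filter } or { ok: false, errors }.
function validateLoginBody(body) {
  const errors = [];
  for (const field of ['userName', 'password']) {
    const v = body && typeof body === 'object' ? body[field] : undefined;
    if (typeof v !== 'string' || v.length === 0) {
      errors.push(`${field} must be a non-empty string`);
    }
  }
  if (errors.length > 0) return { ok: false, errors };
  // $eq is belt-and-braces: by now both values are plain strings, and the
  // comparison stays an equality even if the validation above were loosened.
  return {
    ok: true,
    filter: { userName: { $eq: body.userName }, password: { $eq: body.password } },
  };
}

// Express-shaped handler (assumed signature). Returns { status, body } instead of
// calling res.status().json() so it can be exercised without a server.
function loginHandler(req) {
  const check = validateLoginBody(req.body);
  if (!check.ok) return { status: 400, body: { errors: check.errors } };
  const user = fakeFindOne(check.filter);
  if (!user) return { status: 401, body: { error: 'invalid credentials' } };
  return { status: 200, body: { userId: user._id } };
}

// Demo: hostile bodies log in as alice through loginUnsafe and get 400 from loginHandler.
for (const [name, body] of Object.entries(BODIES)) {
  const unsafe = loginUnsafe(body);
  const safe = loginHandler({ body });
  console.log(`${name.padEnd(8)} unsafe -> ${unsafe ? 'user ' + unsafe._id : 'null'}; hardened -> ${safe.status}`);
}
```

Run it with node and the neNull and regex bodies both resolve to user 1 through loginUnsafe, while loginHandler answers 400 for every body except the legitimate one. The validation is deliberately a whitelist on type and non-emptiness rather than a search for "$" characters: a string starting with "$" is a harmless value once it is known to be a string, and it is the object type, not the character, that the driver interprets.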