Query returning result that includes the filters

[Floriferous]

When running a query with filters, the result of the query includes the fields in the filters, even if I don't include them in the body of the query. This issue has probably already been raised elsewhere.

Here's a reproduction (here's a repo you can clone: https://github.com/Floriferous/grapher-playground/tree/bug/filters-in-body):

import assert from 'assert';
import { expect } from 'chai';
import { Meteor } from 'meteor/meteor';
import { Accounts } from 'meteor/accounts-base';

describe.only('filters in body bug', function() {
  beforeEach(() => {
    Meteor.users.remove({});
  });

  it('returns the token from the server', () => {
    const userId = Accounts.createUser({ email: '[email protected]' });

    const token = 'token';
    Meteor.users.update(userId, {
      $set: {
        services: { password: { reset: { token } } }
      }
    });

    const result = Meteor.users
      .createQuery({
        $filters: { 'services.password.reset.token': token },
        emails: 1
      })
      .fetchOne();

    expect(result.emails).to.not.equal(undefined);
    expect(result.services).to.equal(undefined); // Fails
  });
});

[theodorDiaconu]

Nice one.

[odesey]

Is there a fix or workaround for this? Having the same issue and sensitive information is being sent to the client.

Specifically I am doing:

itemIds: { $in: [ itemId ] }

And ALL the id's are being sent to the client.

@Floriferous were you able to find a work around?

Any help would be greatly appreciated

Thanks.