Common Mongoose Mistakes (and How to Avoid Them)
Mongoose has predictable failure modes. Here are the common mistakes and fixes.
Common Mongoose Mistakes
Mongoose is easy to start with and easy to get wrong. Here are the common mistakes and how to avoid them.
Mistake 1: No Validation on Updates
You use findByIdAndUpdate without runValidators. Validation runs only on save. Fix: pass { runValidators: true, new: true } on every update.
Mistake 2: Storing Passwords in Plain Text
You save req.body.password directly. Fix: hash with bcrypt in a pre('save') hook or in the controller. Never store raw passwords.
Mistake 3: Returning passwordHash in Responses
You do User.find() and return everything. Fix: mark passwordHash with select: false in the schema. It is excluded by default. Use .select('+passwordHash') only when needed (e.g., login).
Mistake 4: No Indexes on Hot Queries
You query by email but did not add an index. MongoDB scans every document. Fix: index the fields you query. Use explain() to verify.
Mistake 5: Embedding Unbounded Arrays
You store all messages in a connection document. The array grows until the document hits 16MB. Fix: use refs and a separate collection for large N.
Mistake 6: N+1 Queries
You loop over documents and call findById for each reference. Fix: use populate to do it in 2 queries.
Mistake 7: Not Handling Duplicate Key Errors
You create a user with a duplicate email and get a 11000 error. You send a 500 to the client. Fix: catch the error, check err.code === 11000, return 409 with a clear message.
Mistake 8: Using .find() Without a Limit
You do User.find() and return every user. Fix: always paginate. Use skip and limit, or cursor-based pagination.
Mistake 9: Forgetting .lean() for Read-Only Queries
You query a list and send it as JSON. Mongoose hydrates full documents with methods. Fix: use .lean() to get plain objects. Faster.
Mistake 10: Sync Calls in Request Handlers
You use callbacks or sync APIs in handlers. Fix: use async/await. Wrap with asyncHandler. Let errors flow to the error handler.
Mistake 11: Mixing Mongoose Validation With Business Logic
You put business logic in pre('save') hooks. Hard to test. Fix: keep validation in the schema; keep business logic in controllers or services.
Mistake 12: No timestamps
You do not use timestamps. You cannot sort by createdAt. Fix: add { timestamps: true } to the schema.
The Takeaway
Common Mongoose mistakes: no validation on updates, plain-text passwords, returning passwordHash, no indexes, embedding unbounded arrays, N+1 queries, not handling duplicate key errors, no pagination, no .lean() for read-only, sync calls, mixing validation with logic, and no timestamps. Avoid these from day one.
No validation on updates, plain-text passwords, returning passwordHash, no indexes on hot queries, embedding unbounded arrays, N+1 queries, not handling duplicate key errors, no pagination, no .lean() for read-only queries, sync calls, mixing validation with logic, and no timestamps.
Mark the field with select: false in the schema. It is excluded from find queries by default. Use .select('+passwordHash') only when needed (e.g., for login).
Catch the error in your handler. Check err.code === 11000 (MongoDB duplicate key error). Return 409 with a clear message instead of letting the error handler send a 500.
Mongoose runs validation on .save() and .create() but not on findByIdAndUpdate or updateOne by default. Pass { runValidators: true, new: true } on every update to enforce validation.
For read-only queries where you only need to send JSON. .lean() skips hydrating full Mongoose documents and returns plain JS objects. Faster and uses less memory. Do not use it if you need to call instance methods or save the document.
Ready to master Node.js completely?
Want to upskill yourself, crack your next interview, and get your dream job? Join our comprehensive course to dive deeper with high-quality video tutorials, solve interview questions, and a premium community.
Master Node.js
Want to upskill yourself, crack your next interview, and get your dream job? Join our comprehensive course.

