The `_hashed_password` field cannot be deleted from _User collection

[tiavina-mika]

trafficstars

New Issue Checklist

• Report security issues confidentially.
• Any contribution is under this license.
• Before posting search existing issues.

Issue Description

The _hashed_password field cannot be deleted from _User collection

Steps to reproduce

I try

user.unset('_hashed_password')

Actual Outcome

The field is not deleted in the _User collection

Expected Outcome

_hashed_password field should be deleted in the _User collection

Environment

Server

• Parse Server version: "parse-server": "^7.2.0",
• Operating system: Windows 10
• Local or remote host (AWS, Azure, Google Cloud, Heroku, Digital Ocean, etc): Local

Database

• System (MongoDB or Postgres): MongoDB
• Database version: v4.0.6
• Local or remote host (MongoDB Atlas, mLab, AWS, Azure, Google Cloud, etc): MongoDB Atlas

Client

• SDK (iOS, Android, JavaScript, PHP, Unity, etc): JavaScript
• SDK version: 5.3.0

[parse-github-assistant[bot]]

Thanks for opening this issue!

• 🚀 You can help us to fix this issue faster by opening a pull request with a failing test. See our Contribution Guide for how to make a pull request, or read our New Contributor's Guide if this is your first time contributing.

[tiavina-mika]

The solution I found is to delete it using mongodb directly

import Config from 'parse-server/lib/Config';

const user = await new Parse.Query(Parse.User).equalTo('objectId', 'xxxxx').first({ useMasterKey: true });
const config = Config.get(Parse.applicationId);
const mongoAdapter = config.database.adapter;
await mongoAdapter.connect();
const userCollection = mongoAdapter.database.collection('_User');
const query = { _id: user.id };
const body = { $unset: { "_hashed_password": "" } };
await userCollection.updateOne(query, body);