diff --git a/server/api/auth/login.post.ts b/server/api/auth/login.post.ts index 2207581..a7e543c 100644 --- a/server/api/auth/login.post.ts +++ b/server/api/auth/login.post.ts @@ -2,11 +2,12 @@ import mongoose from "mongoose"; import jwt from "jsonwebtoken"; import { User } from "@models/user"; import { log } from "@server/logger"; +import { doNotSelect } from "@server/constants"; export default eventHandler(async (event) => { const wrongMsg = "wrong credentials"; let reqbody = await readBody(event); - let user = await User.findOne({ username: reqbody.username }).exec(); + let user = await User.findOne({ username: reqbody.username }).select(doNotSelect).exec(); // log.debug(reqbody, { label: "login/body" }); // log.debug("USER -> " + user, { label: "login" }); // log.debug("conn ->" + mongoose.connection, { label: "login" }); @@ -30,8 +31,9 @@ export default eventHandler(async (event) => { } let tok = user.generateRefreshToken(useRuntimeConfig().jwt); // setCookie(event, "rockfic_cookie", tok); + const fu = user.toObject(); return { - user, + user: fu, token: { refresh: tok, access: user.generateAccessToken(useRuntimeConfig().jwt),
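Review bot: `reqbody.username` on the changed `findOne` line goes into the Mongoose filter without a type check, so a JSON body that supplies an object instead of a string would be treated as a query-operator document, not a literal username. Reject non-strings before the query, for example `if (typeof reqbody?.username !== "string") throw createError({ statusCode: 400, message: wrongMsg });`, or enable Mongoose's `sanitizeFilter` option for this query. Separately, the contents of `doNotSelect` are not visible in this diff. If the projection excludes the password hash, the credential check that sits between the two hunks would compare against an undefined field, so confirm the hash is still loaded here and that the comparison fails closed. The handler body continues outside this hunk.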
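Review bot: The login response now returns everything `user.toObject()` yields, so the only thing keeping sensitive fields out of the reply is the `doNotSelect` projection applied at query time. That is a deny-list: a field added to the schema later and not added to `doNotSelect` would be sent to the client. Building the reply from an explicit allow-list is more robust, for example `const { _id, username } = user.toObject();` followed by `user: { _id, username }`, with the field list set to whatever the client actually needs. The name `fu` also gives no hint of what it holds, and something like `userObj` would read better. The returned object continues past the end of this hunk.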