I’m integrating Passport.js for user authentication in my Node.js application and currently working on deserializing the user object. After serialization, Passport.js stores the user object in the session and retrieves it upon deserialization.
I’m wondering whether it’s best practice to filter out sensitive fields from the user object during deserialization. For example, should I exclude fields like passwords, tokens, or any other sensitive information that should not be exposed or stored in the session?
Here’s a basic outline of how I’m handling serialization and deserialization:
```javascript
passport.serializeUser((user, done) => {
  // Serialize user into session
  done(null, user.id); // Store only the user id in the session
});

passport.deserializeUser((id, done) => {
  // Retrieve user from database or other storage
  User.findById(id, (err, user) => {
    // Guard the lookup: propagate errors, and report a missing user
    // as `false` so the stale session is treated as unauthenticated
    if (err) return done(err);
    if (!user) return done(null, false);

    // Should I filter out sensitive fields here?
    const safeUser = {
      id: user.id,
      username: user.username,
      email: user.email,
      // What about sensitive fields like passwords or tokens?
    };
    done(null, safeUser); // Return the safe user object to Passport
  });
});
```
This is a question, not an error.
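One way to make that filtering explicit, as an added example that is not part of the original question: an allowlist of fields rather than an ad-hoc object literal, so that any column added to the user record later (a new token, a hash) is excluded by default. The deserializer also handles the lookup error and the "user no longer exists" case before filtering. `findUserById`, the `USERS` map and the sample record are constructed stand-ins for `User.findById` and the real database; `SAFE_USER_FIELDS` and `toSafeUser` are hypothetical names. Note that `serializeUser` storing only the id already keeps secrets out of the session store; the allowlist protects `req.user`, which is what ends up in templates and `res.json` calls.

```javascript
'use strict';

// Fields that may appear on req.user. Anything not listed is dropped,
// so newly added sensitive columns are excluded without a code change.
const SAFE_USER_FIELDS = ['id', 'username', 'email', 'roles'];

// Constructed in-memory "database" standing in for User.findById.
const USERS = new Map([
  [1, {
    id: 1,
    username: 'alice',
    email: 'alice@example.com',
    roles: ['admin'],
    passwordHash: '$argon2id$constructed-placeholder',
    resetToken: 'constructed-placeholder-token',
  }],
]);

// Stand-in for User.findById(id, cb) with a Node-style (err, user) callback.
function findUserById(id, cb) {
  cb(null, USERS.get(id) || null);
}

// Copy only the allowlisted fields into a fresh object; the database
// record itself is never handed to Passport or mutated.
function toSafeUser(user) {
  const safe = {};
  for (const key of SAFE_USER_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(user, key)) {
      safe[key] = user[key];
    }
  }
  return safe;
}

// Passport-style deserializer: propagate lookup errors, report a missing
// user as `false` (Passport then treats the session as unauthenticated),
// and only then reduce the record to its safe fields.
function deserializeUser(id, done) {
  findUserById(id, (err, user) => {
    if (err) return done(err);
    if (!user) return done(null, false);
    return done(null, toSafeUser(user));
  });
}

// Wiring in the real application (not executed here):
//   passport.serializeUser((user, done) => done(null, user.id));
//   passport.deserializeUser(deserializeUser);
```

With this shape, a `res.json(req.user)` anywhere in the app can only ever emit the four allowlisted fields, and the unit test for the deserializer is simply "no key outside `SAFE_USER_FIELDS` is present".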