protect() the password field when user model included as association

[rxb]

I'm wondering if how to think about associations and hooks, specifically the protect() hook.

On my /users service, I have a protect('password') hook in after.all. When calling /users directly, it works as expected and the password is not sent to the client.

I have an articles model, with users as a belongsTo association called author.
On the /articles service, when I include author, like this:

(context) => {
  context.params.sequelize = {
    ...context.params.sequelize,
    include: [ "author" ]
  }
  return context;
}

the password IS sent to the client. It seems the hooks in /users don't run when user data is included as an association.

Am I thinking about this incorrectly to expect before and after hooks for user to run when I include it as an association? Is there a good way to protect the password field from being exposed when included as an association on another service?

[rxb]

Digging in some more, looks like my question was based on misunderstanding. Associations happen at the model-level, while hooks happen at the service-level. Hooks run based on which service is called. Other models can be included as part of that, but that will bypass the hooks and service of that included model.

In this case, adding protect('author.password') to the article after.all hook prevents the password from getting out.

[tvld]

Right. It's sometimes a bit confusing about the before and after hooks. ... )))