
@KATT
Created May 19, 2011 22:42
var mongoose = require('mongoose'),
Schema = mongoose.Schema,
ObjectId = Schema.ObjectId,
UserSchema = require('./User').UserSchema;
// Schema for a friend request sent by one user (`from`) to another (`to`).
// `ObjectId` is the type read from the Schema constructor (Schema.ObjectId) at the
// top of this file; a schema instance such as UserSchema is not where it is taken from.
// Neither `from` nor `to` is marked required here, so that must be enforced elsewhere
// if it matters.
var friendRequestFields = {
  from: { type: ObjectId, index: true },
  to: { type: ObjectId, index: true },
  // Indexed so requests can be looked up by confirmation state.
  confirmed: { type: Boolean, index: true },
  // Date.now is passed as a function, so it is evaluated per document.
  created: { type: Date, default: Date.now }
};
var FriendRequest = new Schema(friendRequestFields);
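/**
 * Pre-save hook: refuse a friend request whose sender and recipient are the same user.
 *
 * @param {Function} next - continues the save; called with an Error to abort it.
 */
FriendRequest.pre('save', function youCantBefriendYourself(next) {
  // `from` and `to` are declared as ObjectId. `==` on two distinct objects compares
  // identity, so two ids holding the same value would not compare equal and the
  // guard would not fire. Comparing the string forms checks the value instead.
  // NOTE(review): assumes the id values stringify to a canonical form - confirm
  // for the Mongoose version in use.
  var sameUser = this.from == this.to || String(this.from) === String(this.to);
  if (sameUser) {
    next(new Error("A user can't befriend themselves."));
  } else {
    next();
  }
});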
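/**
 * Pre-save hook: refuse the save when another friend request already exists
 * between the same two users, in either direction.
 *
 * @param {Function} next - hands control to the next hook straight away.
 * @param {Function} done - reports this check's result; an Error aborts the save.
 */
FriendRequest.pre('save', function lookForPendingRequest(next, done) {
  next();
  var query = {
    $or: [
      {'from': this.from, 'to': this.to},
      {'from': this.to, 'to': this.from}
    ]
  };
  // Leave this document out of the lookup, otherwise re-saving an already stored
  // request (for example to set `confirmed`) would always find itself and fail.
  if (this._id) {
    query._id = {$ne: this._id};
  }
  // NOTE(review): the query does not filter on `confirmed`, so confirmed requests
  // are reported as "pending" too - confirm whether that is intended.
  // NOTE(review): this is a check-then-write and is not atomic; two concurrent saves
  // can both pass it. Only a database-level uniqueness constraint on the pair would
  // enforce the rule.
  mongoose.model('FriendRequest').find(query, function(err, res) {
    // A failed lookup must abort the save; without this, `res` is undefined and
    // reading `res.length` throws inside the callback.
    if (err) {
      done(err);
      return;
    }
    if (res.length > 0) {
      done(new Error("Pending friendrequest exists already"));
    } else {
      done();
    }
  });
});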
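// @untested
/**
 * Pre-save hook: refuse the save when the recipient is already in the sender's
 * `friends` list.
 *
 * @param {Function} next - hands control to the next hook straight away.
 * @param {Function} done - reports this check's result; an Error aborts the save.
 */
FriendRequest.pre('save', function seeIfAlreadyFriends(next, done) {
  next();
  // Matches the sender's User document only if `friends` contains the recipient.
  // NOTE(review): only the sender's list is checked; whether friendship is stored
  // on both sides is not visible here.
  var query = {
    "_id": this.from,
    "friends": this.to
  };
  mongoose.model('User').find(query, function(err, res) {
    // Abort on a lookup failure instead of reading `res.length` on an undefined result.
    if (err) {
      done(err);
      return;
    }
    if (res.length > 0) {
      done(new Error("The users are already friends"));
    } else {
      done();
    }
  });
});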
// Register the schema under the model name 'FriendRequest' (the save hooks look the
// model up by that name) and export both the model and the raw schema.
var FriendRequestModel = mongoose.model('FriendRequest', FriendRequest);
module.exports.FriendRequest = FriendRequestModel;
module.exports.FriendRequestSchema = FriendRequest;
var mongoose = require('mongoose'),
Schema = mongoose.Schema,
ObjectId = Schema.ObjectId,
hashlib = require('hashlib');
/**
 * Build the field projection that is always safe to hand back to callers:
 * id, user name, e-mail and name parts. It leaves out `password` and `apiKey`.
 *
 * @returns {Object} a new projection object on every call, so a caller may add
 *   fields to its copy without affecting later callers.
 */
var SAFE_COLS_TO_RETURN = function() {
  var safeFields = ['_id', 'user', 'email', 'name.first', 'name.last', 'name.full'];
  var projection = {};
  safeFields.forEach(function(field) {
    projection[field] = 1;
  });
  return projection;
};
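// NOTE(security): this is one application-wide salt, hard-coded in source. Every
// account shares it and anyone with read access to the code knows it, so it gives
// no per-user protection if the stored hashes are disclosed.
var salt = '61N3gFATpiBPr8Lp';

/**
 * Hash the salt followed by every argument, joined with ';', using SHA-1.
 *
 * NOTE(security): a single fast SHA-1 pass is not suitable for storing passwords;
 * a dedicated password-hashing function with a per-user salt is the appropriate
 * tool. It is left unchanged here because stored hashes and the hash-equality
 * lookup in `auth` depend on this exact output; replacing it needs a migration.
 *
 * @param {...*} parts - values to mix in; each is coerced to a string.
 * @returns {string} the digest returned by hashlib.sha1.
 */
function hash() {
  var str = salt;
  // Read the standard `arguments` object by index. The original used the
  // deprecated `hash.arguments`, which is unavailable to strict-mode functions,
  // together with a for...in loop.
  for (var i = 0; i < arguments.length; i++) {
    str += ";" + arguments[i];
  }
  // Do not log `str`: it contains the plaintext password.
  return hashlib.sha1(str);
}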
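/**
 * Setter for the `password` path: stores the hash instead of the plaintext and
 * issues a fresh API key each time the password is set.
 *
 * @param {string} pwd - plaintext password being assigned.
 * @returns {string} the hashed password to store.
 */
function setPassword(pwd) {
  var hashedPassword = hash(pwd);
  // The API key is a bearer credential, so the value mixed into it must be
  // unpredictable. Math.random() is not a cryptographically secure generator;
  // take the random part from the platform CSPRNG instead.
  var randomPart = require('crypto').randomBytes(32).toString('hex');
  // NOTE(review): `this.user` is only defined if `user` was assigned before
  // `password` - confirm the assignment order callers rely on.
  this.apiKey = hash(this.user, hashedPassword, randomPart);
  return hashedPassword;
}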
/**
 * Setter helper: lower-case a string value (used for the `email` path).
 *
 * @param {string} str - value being assigned; must provide toLowerCase().
 * @returns {string} the lower-cased value.
 */
function toLower(str) {
  var lowered = str.toLowerCase();
  return lowered;
}
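// User account schema.
// NOTE(security): nothing in this schema keeps `password` or `apiKey` out of query
// results, so any query issued without an explicit projection returns both. Callers
// have to pass SAFE_COLS_TO_RETURN() themselves. Newer Mongoose versions offer a
// per-path `select: false` option for this - confirm availability for the version
// in use before relying on it.
var UserSchema = new Schema({
  user: { type: String, unique: true, validate: /^[A-Z0-9._%+-]+$/i },
  // Stored through setPassword, so the document holds the hash, not the plaintext.
  // Indexed because `auth` looks accounts up by password hash.
  password: { type: String, index: true, set: setPassword },
  // The TLD part used to be limited to 2-4 letters, which rejected valid addresses
  // under longer top-level domains; only the lower bound is kept.
  // `unique: false` means several accounts may share one address.
  email: { type: String, unique: false, set: toLower, validate: /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}$/i },
  confirmed: { type: Boolean, default: false, index: true },
  // Bearer credential written by setPassword.
  apiKey: { type: String, unique: true },
  created: { type: Date, default: Date.now },
  name: {
    first: String,
    last: String
  },
  friends: [ ObjectId ]
});
// Index on `friends` for queries that match on list membership.
UserSchema.index({friends: 1});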
// Virtual `name.full`: first and last name joined by a single space.
// A missing part is concatenated as-is, so it shows up as the text "undefined".
UserSchema.virtual('name.full').get(function () {
  var firstName = this.name.first;
  var lastName = this.name.last;
  return firstName + " " + lastName;
});
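/**
 * Look up one user by user name or e-mail (case-insensitive) and password.
 *
 * @param {string} userOrEmail - user name or e-mail address supplied by the client.
 * @param {string} password - plaintext password supplied by the client.
 * @param {Function} _calllback - passed to findOne; receives (err, user), where
 *   `user` carries the safe columns plus `apiKey`.
 */
UserSchema.static('auth', function(userOrEmail, password, _calllback) {
  // `userOrEmail` is untrusted input. Escape regex metacharacters so it is matched
  // as literal text. Unescaped, the value would be interpreted as a pattern, which
  // lets the caller widen the match beyond a single account and hand arbitrary
  // patterns to the regex engine.
  var literal = String(userOrEmail).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  var regex = new RegExp('^' + literal + '$', 'i');
  var obj = {
    $or: [
      {user: regex},
      {email: regex}
    ],
    // hash() coerces its input to a string, so a non-string `password` cannot reach
    // the query as an operator object.
    password: hash(password)
  };
  // Here it's okay to return the apiKey as well.
  var safe_cols = SAFE_COLS_TO_RETURN();
  safe_cols.apiKey = 1;
  this.findOne(obj, safe_cols, _calllback);
});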
// Expose the safe-projection helper as a static on the model, then register the
// schema under the model name 'User' and export both the model and the raw schema.
UserSchema.static('SAFE_COLS_TO_RETURN', SAFE_COLS_TO_RETURN);
var UserModel = mongoose.model('User', UserSchema);
module.exports.User = UserModel;
module.exports.UserSchema = UserSchema;

KATT commented May 19, 2011

Questions:

  1. In FriendRequest.js#8-9: Why can't I use UserSchema.ObjectId? Node crashes.
  2. UserSchema.js#57, Is it possible to somehow use UserSchema.ObjectId here?
  3. Can I create an index for FriendRequest.from/to so I don't need the validation on FriendRequest#26-40?
  4. I use a function called SAFE_COLS_TO_RETURN to specify "safe cols" which are always OK to return. However, you could still, e.g. in app.js, just type User.find({}, func [..]) and get the password cols, etc. Is it possible to write some middleware which prevents queries from returning any cols other than these unless you explicitly tell it to? I don't want to send apikeys/hashed passwords around by mistake.
