FullstackAcademy / boilermaker

Code scaffold for projects

Home Page:https://www.youtube.com/watch?v=7bLSuTHH4Ag&list=PLx0iOsdUOUmn7D5XL4mRUftn8hvAJGs8H


Demonstrate proper security (do not use req.body directly)

glebec opened this issue · comments

```js
// Antipattern shown to students: the entire request body, including any
// attribute a client chooses to send, is handed straight to the model.
const user = await User.create(req.body)
```

Whatever we show students, they inevitably emulate in future projects – even when we explicitly state that it is an antipattern, there for education. Accordingly, I think we should extract the properties we want from req.body (or blacklist sensitive properties) rather than pass it directly to .create.

💯 ✖️ 💯