We ought to demo how to sanitize Sequelize objects, e.g. stripping the password and salt fields from user objects. Could be an instance method (easy to implement but dangerously easy to forget), some sort of toJSON override (automatic, but I've run into weird edge case bugs with this approach), or some other solution.