Auth endpoint /auth/local is over-fetching data - how to create custom controller?

System Information
  • Strapi Version: 3.2.4
  • Operating System: macOS High Sierra 10.13.6
  • Database: SQLite 5.0.0, PostgreSQL 8.4.1
  • Node Version: 12.18.4
  • NPM Version: >=6.0.0
  • Yarn Version: 1.22.4

Right now users login to my writing platform Strapi app via a Nuxt.js frontend, using the /auth/local endpoint. But I recently I found that the login page load is getting really slow, up to 20s! Checking the network, I found that the payload from the /auth/local endpoint is over-fetching data that I don’t need - including all the relational data posts, comments, notifications that are related to each user.

I noticed there isn’t any controllers folder/files under the /extensions/users-permissions folder. How do I create a custom controller, or at least edit the /auth/local endpoint so that the it only just authenticates with username and password without fetching the any relation fields data?

I too faced similar problem so, I extended the Auth.js file

Steps you need to take
create this directory structure

Go here and copy paste the whole file

On line 71 you will see a fetch query for user

const user = await strapi.query('user', 'users-permissions').findOne(query);

replace it with

const user = await strapi.query('user', 'users-permissions').findOne(query, []);

Empty array means it won’t populate any relation fields, if you want any relations fields to be populate, add their fieldName as string inside the array


Oh wow @dhruv thank you so much for the detailed answer!!! Will try it out now :grinning:

UPDATE: Yeeessss it worked! So grateful, thank you Dhruv! :+1::+1::+1:

1 Like

Just remember while updating to latest version of strapi, read migration guide properly and If there’s anything related to user-permissions plugins, take a moment and recheck or rewrite your extended code.

1 Like

Oh yes good point. Completely unaware about it.

Btw, to ensure that the versions are correct, I went into my own app’s node_modules folder and copied/paste the Auth.js code. Wasn’t so sure if the Github repo was identical. (For the benefit of others who might refer to this in future.)

1 Like

Hi Jasonleow,
I recently had the same problem, and I found out that there’s also another method to do it without having to customize the code. If you install the graphql extension, you can send a POST request to the “/graphql” endpoint with a JSON body that looks like this:

    query: `
        mutation ($email: String!, $password: String!) {
            login(input: { identifier: $email, password: $password }) {
                user {
    variables: {

This will only get the token, username and email of the user. Just be aware that both data and errors are sent a little bit differently then the REST APIs, so your application code should be slightly changed accordingly.

Here you can find the Strapi docs about graphql

Of course, you can use graphql only for this request and keep everything else with the REST APIs :slightly_smiling_face:

I tried this in strapi 4 but it doesn’t go into that file, it still uses the original in node_modules. Is there something else I need to do?