diff --git a/server/endpoints/admin.js b/server/endpoints/admin.js
index 959e023f..9b836b19 100644
--- a/server/endpoints/admin.js
+++ b/server/endpoints/admin.js
@@ -33,10 +33,7 @@ function adminEndpoints(app) {
 [validatedRequest, strictMultiUserRoleValid([ROLES.admin, ROLES.manager])],
 async (_request, response) => {
 try {
- const users = (await User.where()).map((user) => {
- const { password, ...rest } = user;
- return rest;
- });
+ const users = await User.where();
 response.status(200).json({ users });
 } catch (e) {
 console.error(e);
diff --git a/server/endpoints/api/admin/index.js b/server/endpoints/api/admin/index.js
index 228777ab..95b8e791 100644
--- a/server/endpoints/api/admin/index.js
+++ b/server/endpoints/api/admin/index.js
@@ -73,10 +73,7 @@ function apiAdminEndpoints(app) {
 return;
 }
- const users = (await User.where()).map((user) => {
- const { password, ...rest } = user;
- return rest;
- });
+ const users = await User.where();
 response.status(200).json({ users });
 } catch (e) {
 console.error(e);
diff --git a/server/endpoints/system.js b/server/endpoints/system.js
index 86aacac4..f4057a40 100644
--- a/server/endpoints/system.js
+++ b/server/endpoints/system.js
@@ -110,7 +110,7 @@ function systemEndpoints(app) {
 if (await SystemSettings.isMultiUserMode()) {
 const { username, password } = reqBody(request);
- const existingUser = await User.get({ username: String(username) });
+ const existingUser = await User._get({ username: String(username) });
 if (!existingUser) {
 await EventLogs.logEvent(
@@ -188,7 +188,7 @@ function systemEndpoints(app) {
 // Return recovery codes to frontend
 response.status(200).json({
 valid: true,
- user: existingUser,
+ user: User.filterFields(existingUser),
 token: makeJWT(
 { id: existingUser.id, username: existingUser.username },
 "30d"
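Review bot: In `server/endpoints/admin.js` (hunk `@@ -33`), and identically in `server/endpoints/api/admin/index.js` (hunk `@@ -73`), `response.status(200).json({ users })` now serializes whatever `User.where()` returns, and nothing at the call site says the password hash has already been stripped. I would add a comment above the call such as `// User.where() returns records already passed through User.filterFields (no password hash)` so that a later change to the model is not silently assumed safe here. A response-level test asserting that no element of `users` carries a `password` key would pin the guarantee at the point where the data leaves the server. Both handlers start and end outside their hunks.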
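Review bot: `existingUser` in `server/endpoints/system.js` (hunk `@@ -110`) is now the unfiltered record from `User._get`, password hash included, for the rest of the login handler, which continues outside this hunk. The two response sites visible in this diff (`@@ -188` and `@@ -201`) wrap it in `User.filterFields`, but any other path in the handler that serializes or logs `existingUser` cannot be checked from here and needs the same treatment. A comment on the call would make the intent explicit: `// raw row including the password hash: wrap in User.filterFields before it reaches a response or a log`.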
@@ -201,7 +201,7 @@ function systemEndpoints(app) {
 response.status(200).json({
 valid: true,
- user: existingUser,
+ user: User.filterFields(existingUser),
 token: makeJWT(
 { id: existingUser.id, username: existingUser.username },
 "30d"
diff --git a/server/models/user.js b/server/models/user.js
index ecb620ee..a1aeb2c6 100644
--- a/server/models/user.js
+++ b/server/models/user.js
@@ -19,6 +19,12 @@ const User = {
 return String(value);
 }
 },
+
+ filterFields: function (user = {}) {
+ const { password, ...rest } = user;
+ return { ...rest };
+ },
+
 create: async function ({ username, password, role = "default" }) {
 const passwordCheck = this.checkPasswordComplexity(password);
 if (!passwordCheck.checkedOK) {
@@ -35,7 +41,7 @@ const User = {
 role,
 },
 });
- return { user, error: null };
+ return { user: this.filterFields(user), error: null };
 } catch (error) {
 console.error("FAILED TO CREATE USER.", error.message);
 return { user: null, error: error.message };
@@ -127,6 +133,17 @@ const User = {
 },
 get: async function (clause = {}) {
+ try {
+ const user = await prisma.users.findFirst({ where: clause });
+ return user ? this.filterFields({ ...user }) : null;
+ } catch (error) {
+ console.error(error.message);
+ return null;
+ }
+ },
+
+ // Returns user object with all fields
+ _get: async function (clause = {}) {
 try {
 const user = await prisma.users.findFirst({ where: clause });
 return user ? { ...user } : null;
@@ -162,7 +179,7 @@ const User = {
 where: clause,
 ...(limit !== null ? { take: limit } : {}),
 });
- return users;
+ return users.map((usr) => this.filterFields(usr));
 } catch (error) {
 console.error(error.message);
 return [];
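Review bot: `filterFields` in `server/models/user.js` (hunk `@@ -19`) is a denylist of a single key, so any secret column added to the users table later is returned to clients by default until someone remembers to add it here. An allowlist of the fields the frontend actually needs would fail closed; if the denylist stays, a doc comment on the function should state that every new sensitive column must be added to the destructuring. Separately, the `user = {}` default only covers `undefined`, so a `null` argument throws on destructuring, and `{ ...rest }` copies an object that is already fresh: `const { password, ...rest } = user || {};` followed by `return rest;` covers both.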
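Review bot: Changing `get` (hunk `@@ -127`) to drop `password` alters its return shape for every existing caller, while this diff migrates only the login call in `server/endpoints/system.js` to `_get`. Any other caller that reads `user.password` from `User.get` (a password-change or recovery check, if one exists outside this diff) would now compare against `undefined`, so the remaining call sites should be audited. The two bodies are also duplicated; `get` could delegate with `const user = await this._get(clause);` and `return user ? this.filterFields(user) : null;`. The comment on `_get` should state the risk rather than the shape, e.g. `// Returns the raw record including the password hash. For credential verification only; never return it from an endpoint.` `_get`'s body ends outside the hunk.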