diff --git a/test/api/v4/user/GET-user.test.js b/test/api/v4/user/GET-user.test.js
index f17c19e797..0dadbcf34a 100644
--- a/test/api/v4/user/GET-user.test.js
+++ b/test/api/v4/user/GET-user.test.js
@@ -40,6 +40,24 @@ describe('GET /user', () => {
 expect(returnedUser.stats).to.not.exist;
 });
+ it('returns when ALWAYS_LOADED paths are requested', async () => {
+ const returnedUser = await user.get('/user?userFields=_id,notifications,preferences,auth,flags,permissions');
+
+ expect(returnedUser._id).to.equal(user._id);
+ expect(returnedUser.notifications).to.exist;
+ expect(returnedUser.preferences).to.exist;
+ expect(returnedUser.auth).to.exist;
+ expect(returnedUser.flags).to.exist;
+ expect(returnedUser.permissions).to.exist;
+ });
+
+ it('returns when subpaths paths are requested', async () => {
+ const returnedUser = await user.get('/user?userFields=auth.local.username');
+
+ expect(returnedUser._id).to.equal(user._id);
+ expect(returnedUser.auth.local.username).to.exist;
+ });
+
 it('does not return requested private properties', async () => {
 const returnedUser = await user.get('/user?userFields=apiToken,secret.text');
diff --git a/website/server/middlewares/auth.js b/website/server/middlewares/auth.js
index 55bcf2b147..f5d5614847 100644
--- a/website/server/middlewares/auth.js
+++ b/website/server/middlewares/auth.js
@@ -36,9 +36,11 @@ function getUserFields (options, req) {
 const { userFields } = req.query;
 if (!userFields || urlPath !== '/user') return '';
- const userFieldOptions = userFields.split(',');
+ let userFieldOptions = userFields.split(',');
 if (userFieldOptions.length === 0) return '';
+ userFieldOptions = userFieldOptions.filter(field => USER_FIELDS_ALWAYS_LOADED.indexOf(field.split('.')[0]) === -1);
+
 return userFieldOptions.concat(USER_FIELDS_ALWAYS_LOADED).join(' ');
 }
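Review bot: Both new tests assert only that fields exist, so they would still pass if the `userFields` restriction were dropped and the whole user document came back. Every top-level path they request appears to be one of the always-loaded ones, so adding `expect(returnedUser.stats).to.not.exist;` to each test, as the case just above the hunk does, would pin that the field restriction still applies after the de-duplication. The second title has a doubled word and should read `'returns when subpaths are requested'`. The enclosing `describe` block starts and ends outside the hunk.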
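Review bot: `userFields` comes straight from `req.query` and is used as a string in `userFields.split(',')` and the new `field.split('.')` without a type check. If the query parser yields an array or object for a repeated or bracketed parameter, this middleware throws instead of returning `''`; a guard such as `if (typeof userFields !== 'string' || urlPath !== '/user') return '';` would close that. The new filter also lets empty entries through (from `a,,b`, for instance), and `split` never returns an empty array, so the `length === 0` check cannot fire; `.filter(field => field && !USER_FIELDS_ALWAYS_LOADED.includes(field.split('.')[0]))` covers both. Since the entries are joined into a space-separated field list, it would be worth validating each one against a plain dotted-path pattern before the join, presumably where private fields are already rejected. The body of `getUserFields` starts outside the hunk.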