Edit in JSFiddle

app.get("/:user", (req, res) => {
    collection.find({ user: req.params.user }).toArray((err, docs) => {
      if (err) { // if an error occurred
        res.send("An error occured in getting the user info.");
      } else {
        // there were matches (there are users with that username)
        if (docs.length > 0) {
          // get the first users password (each user should have a unique username)
          let password = docs[0].pass;

          // if there was no password sent in the query of the url (after the `?`)
          if (!req.query.pass) {
            res.send("There was no password associated with the GET req URL parameters.");
          }

          // if the password that was sent with the get request matches the user's password
          if (password === `${req.query.pass}`) { // make sure the pass URL param is a string (interpolate it)
            // send back the user's information
            res.send({ ...docs[0] });
          } else {
            // otherwise, the password was wrong
            res.send("Wrong password.");
          }
        } else {
          res.send("There were no users with that name found. ");
        }
      }
    });
  });