The second option is a real lack of security.
It means that you will send your users your MongoDB login/password or, even worse, give them an unsecured MongoDB URL.
Do you really want your users to be able to see other users' data?
You should definitely use the first solution with a middleware.
Furthermore, the first solution can be more efficient than the second for users with a bad connection. With fat aggregates or requests that you would reprocess in JS, they won't download all the data but only the actual final result.
If you have a lot of exchanges between the user and the DB, it's easy to plug a WebSocket between Angular and your Node backend to avoid the HTTP overhead.
So, my advice: definitely the first option.
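A sketch of the middleware approach recommended above, added here as an example and not part of the original answer: the Node backend builds the aggregation itself, takes the owner filter from the session rather than from the browser, and returns only the aggregated rows. The field names (`ownerId`, `status`, `amount`), the status values and the `session` shape are assumptions for illustration.

```javascript
// Added illustration: field names and status values are hypothetical.
const ALLOWED_STATUS = new Set(["open", "paid", "cancelled"]);

// Build the pipeline on the server. The owner filter comes from the
// authenticated session, never from anything the browser sent.
function buildTotalsPipeline(sessionUserId, clientQuery) {
  if (typeof sessionUserId !== "string" || sessionUserId === "") {
    throw new Error("not authenticated");
  }
  const match = { ownerId: sessionUserId }; // any client-sent ownerId is ignored
  const status = clientQuery.status;
  if (status !== undefined) {
    // Accept only known strings: an object such as {"$ne": null} would
    // otherwise be interpreted by MongoDB as a query operator.
    if (typeof status !== "string" || !ALLOWED_STATUS.has(status)) {
      throw new Error("invalid status");
    }
    match.status = status;
  }
  return [
    { $match: match },
    { $group: { _id: "$status", total: { $sum: "$amount" }, count: { $sum: 1 } } },
    { $project: { _id: 0, status: "$_id", total: 1, count: 1 } },
  ];
}

// Route handler body. `collection` is a MongoDB driver collection opened with
// credentials that live only in the backend's configuration.
async function handleTotals(session, clientQuery, collection) {
  if (!session || typeof session.userId !== "string") {
    return { status: 401, body: { error: "not authenticated" } };
  }
  let pipeline;
  try {
    pipeline = buildTotalsPipeline(session.userId, clientQuery);
  } catch (err) {
    return { status: 400, body: { error: err.message } };
  }
  // Aggregation runs next to the database; only the result rows are sent back.
  const rows = await collection.aggregate(pipeline).toArray();
  return { status: 200, body: rows };
}
```
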