Broken Object Level Authorization

Broken Object Level Authorization in Node.js (Express) [CVE-2026-39350]

[Updated April 2026] Updated CVE-2026-39350

Overview

Broken Object Level Authorization (BOLA) in APIs lets attackers read or modify data that belongs to other users. In production Node.js Express apps, weak ownership checks can lead to data leakage, unauthorized actions, and privacy or compliance breaches when an attacker enumerates IDs or reuses routes that rely on client-supplied identifiers. The consequences can include financial loss, reputational damage, and regulatory penalties, especially where sensitive user data is involved. No CVEs are cited in this guide, but the risk is widely observed in practice.

In Express, routes often expose resources via identifiers such as /api/resource/:id and may fetch a resource by ID without validating ownership against the authenticated user. If req.user is authenticated but the handler returns the resource without verifying that resource.ownerId === req.user.id, any attacker with valid credentials can access other users' data. The same gap appears when authorization is omitted for updates or deletions, not only for reads.

Even without CVEs, Broken Object Level Authorization is critical. Strong mitigations include enforcing ownership in the service layer, performing explicit authorization checks in every handler, and using database queries that constrain results to the current user so that a handler cannot fetch a row first and forget the ownership comparison afterwards. Adopt role-based or attribute-based access control, validate inputs, limit the information returned in error responses, and add tests that simulate unauthorized access attempts across user accounts.

Code Fix Example

Node.js (Express) API Security Remediation
// Vulnerable: the resource is fetched by the client-supplied id alone and
// returned to any authenticated caller, with no check that it belongs to them.
app.get('/api/resource/:id', (req, res) => {
  const id = req.params.id;
  const resource = db.findResourceById(id);
  if (!resource) return res.status(404).send('Not found');
  res.json(resource);
});

// Fixed: compare the resource's owner with the authenticated user (req.user is
// set by the authentication middleware) and refuse the request on mismatch.
// If no user is attached, userId is undefined and the comparison fails, so an
// unauthenticated request is also rejected rather than served.
app.get('/api/resource/:id', async (req, res) => {
  const id = req.params.id;
  const userId = req.user?.id;
  const resource = await db.findResourceById(id);
  if (!resource) return res.status(404).send('Not found');
  if (resource.ownerId !== userId) return res.status(403).send('Forbidden');
  res.json(resource);
});
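The overview recommends pushing the ownership constraint into the database query itself and adding tests that simulate unauthorized access. The following is an added example written for this page, not code from the original guide: it uses a constructed in-memory table, a hypothetical data-access method findResourceForOwner(id, ownerId), and a fake response object so the Express-shaped handler can be exercised without the express package or a database. The handler also normalises the client-supplied id to a string and responds 401 when no user is attached, which the page's fix leaves implicit.

```javascript
'use strict';

// Constructed sample rows standing in for a database table (not real data).
const RESOURCES = [
  { id: '1', ownerId: 'alice', body: 'alice-private' },
  { id: '2', ownerId: 'bob', body: 'bob-private' },
];

// Hypothetical data-access layer. The ownership constraint lives in the query
// itself (the SQL equivalent is `WHERE id = ? AND owner_id = ?`), so a route
// handler cannot fetch a row by id and then forget to compare ownerId.
// A real store would be asynchronous; the lookup is synchronous here only to
// keep the example self-contained.
const db = {
  findResourceForOwner(id, ownerId) {
    return RESOURCES.find(r => r.id === id && r.ownerId === ownerId) || null;
  },
};

// Express-shaped route handler: reads req.params and req.user (populated by
// the authentication middleware) and writes the result to res.
function getResource(req, res) {
  const userId = req.user && req.user.id;
  // No session at all: reject before touching the data layer.
  if (!userId) return res.status(401).json({ error: 'Unauthenticated' });

  // Normalise the client-supplied id so a number/string mismatch cannot turn
  // a strict comparison into a silent miss.
  const id = String(req.params.id);
  const resource = db.findResourceForOwner(id, userId);

  // One 404 for both "does not exist" and "belongs to someone else": the
  // response does not confirm whether other users' ids are valid.
  if (!resource) return res.status(404).json({ error: 'Not found' });
  return res.json({ id: resource.id, body: resource.body });
}

// Minimal stand-in for Express's res object so the handler can be called
// directly, without a listening socket.
function fakeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = code => { res.statusCode = code; return res; };
  res.json = payload => { res.body = payload; return res; };
  return res;
}

// Drive the handler as `user` requesting `id`; returns { status, body }.
// Calling this with a second user's id is the cross-account test the
// overview asks for.
function simulate(user, id) {
  const res = fakeRes();
  getResource({ params: { id }, user: user ? { id: user } : undefined }, res);
  return { status: res.statusCode, body: res.body };
}
```

Because the query is scoped to the caller, the handler cannot distinguish "missing" from "not yours", and it returns 404 for both. That differs from the 403 in the page's fix above; it is a deliberate choice that keeps the endpoint from acting as an oracle for which ids exist, at the cost of a less specific status for the legitimate owner's own typos.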

CVE References
