Broken Object Level Authorization

Broken Object Level Authorization in Node.js (Express) [GHSA-r8x2-fhmf-6mxp]

[Updated Apr 2026] Updated GHSA-r8x2-fhmf-6mxp

Overview

Broken Object Level Authorization (BOLA) in Node.js Express apps lets an attacker read data or perform actions on resources they do not own simply by manipulating identifiers in URLs or request payloads. Real-world apps usually authenticate, but authorization is often lax: the system verifies that a user is signed in but never confirms that the user owns the object being accessed, which allows cross-user data leakage or unauthorized modification. This guide shows how BOLA manifests in Express routes, the typical vulnerable pattern (querying a resource by ID without an ownership check), and how to fix it with explicit ownership verification or policy evaluation. We provide a safe coding pattern, testing strategies, and a concise before/after code example, along with remediation steps and logging considerations.

Code Fix Example

Node.js (Express) API Security Remediation

Vulnerable pattern:
app.get('/api/items/:itemId', (req, res) => {
  const { itemId } = req.params;
  // No authorization check: any authenticated user could access any item
  db.query('SELECT * FROM items WHERE id = ?', [itemId], (err, rows) => {
    if (err) return res.status(500).send('Server error');
    if (!rows.length) return res.status(404).send('Not found');
    res.json(rows[0]);
  });
});

Fixed pattern:
app.get('/api/items/:itemId', authMiddleware, (req, res) => {
  const { itemId } = req.params;
  const userId = req.user.id; // set by authentication middleware
  // Ownership check is part of the query itself: a row is returned only if the
  // item belongs to the caller, so a foreign itemId can never be fetched.
  db.query('SELECT * FROM items WHERE id = ? AND user_id = ?', [itemId, userId], (err, rows) => {
    if (err) return res.status(500).send('Server error');
    // Same response for "missing" and "not yours", so the id space cannot be probed
    if (!rows.length) return res.status(404).send('Not found or access denied');
    res.json(rows[0]);
  });
});

CVE References
