Fix BFLA (Broken Function Level Authorization) in Fastify
BFLA (Broken Function Level Authorization) is a critical logic flaw where your API assumes 'authenticated' means 'authorized'. In Fastify, this usually manifests when developers rely on a global JWT check but forget to verify if the user's role or scope permits access to specific administrative or sensitive functions. If you aren't explicitly gating your routes based on functional permissions, an attacker with a 'guest' token can start nuking your database via admin endpoints.
The Vulnerable Pattern
fastify.delete('/admin/users/:id', async (request, reply) => {
  // VULNERABILITY: This route only checks if the user is logged in (via global hook),
  // but never verifies if the user has 'admin' privileges.
  // Any authenticated user can delete any other user.
  const { id } = request.params;
  await db.users.remove(id);
  return { message: 'User deleted' };
});
The Secure Implementation
The fix involves moving from implicit trust to explicit authorization. By using Fastify's 'decorate' API, we create a reusable 'requireRole' hook factory. The hook it returns is injected into the 'preHandler' lifecycle of the specific route. This ensures that even when a request passes the authentication layer with a valid token, the authorization layer still validates its 'role' claim against the permission required for that specific function. This follows the Principle of Least Privilege (PoLP) and closes the BFLA gap.
fastify.decorate('requireRole', (role) => {
  return async (request, reply) => {
    if (!request.user || request.user.role !== role) {
      // In an async hook, returning the reply after send() stops the lifecycle
      // so the route handler never runs. Throwing after send() would only
      // produce a "reply already sent" error in the logs.
      return reply.code(403).send({ error: 'Forbidden: Insufficient permissions' });
    }
  };
});

fastify.delete('/admin/users/:id', {
  // fastify.authenticate is assumed to be decorated elsewhere by the global
  // JWT check; requireRole runs after it and checks the decoded role claim.
  preHandler: [fastify.authenticate, fastify.requireRole('admin')]
}, async (request, reply) => {
  const { id } = request.params;
  await db.users.remove(id);
  return { message: 'User deleted' };
});
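As an added example (not the page's or Ghost Labs' code), the same guard written so it runs offline without Fastify: requireRole generalized to a list of allowed roles, plus an onRoute-style check that refuses to register any /admin route that lacks the guard. The request/reply stand-ins, the simulate runner and the database-free handler are constructed for this example.

```javascript
// Factory for a Fastify-style async preHandler. It accepts several roles so a
// route can be opened to, say, 'admin' and 'auditor' without a second hook.
// An empty list fails closed: no role is ever in it, so every request gets 403.
function requireRole(...allowed) {
  return async function roleGuard(request, reply) {
    const role = request.user && request.user.role;
    if (!allowed.includes(role)) {
      // Returning the reply after send() stops the async lifecycle here.
      return reply.code(403).send({ error: 'Forbidden: Insufficient permissions' });
    }
  };
}

// Start-up guard: any route under a protected prefix must carry a roleGuard.
// Wire it as fastify.addHook('onRoute', assertProtected) so a forgotten
// requireRole fails at boot instead of shipping as a BFLA.
function assertProtected(routeOptions, prefix = '/admin') {
  if (!routeOptions.url.startsWith(prefix)) return true;
  const hooks = [].concat(routeOptions.preHandler || []);
  if (!hooks.some((h) => h.name === 'roleGuard')) {
    throw new Error(`${routeOptions.method} ${routeOptions.url} lacks requireRole`);
  }
  return true;
}

// Constructed stand-in for Fastify's reply, just enough to exercise the hook
// offline; it records the status code and whether send() was called.
function makeReply() {
  const reply = { statusCode: 200, payload: undefined, sent: false };
  reply.code = (c) => { reply.statusCode = c; return reply; };
  reply.send = (p) => { reply.payload = p; reply.sent = true; return reply; };
  return reply;
}

// Runs preHandlers the way Fastify does for async hooks: stop as soon as one
// has replied, otherwise fall through to the route handler.
async function simulate(routeOptions, request) {
  const reply = makeReply();
  for (const hook of [].concat(routeOptions.preHandler || [])) {
    await hook(request, reply);
    if (reply.sent) return reply;
  }
  return reply.send(await routeOptions.handler(request, reply));
}
// The page's DELETE route with the guard attached (db call replaced by a stub).
const deleteUserRoute = {
  method: 'DELETE', url: '/admin/users/:id',
  preHandler: [requireRole('admin')],
  handler: async (request) => ({ message: `User ${request.params.id} deleted` }),
};
```

A guest or anonymous request stops at the guard with 403 and never reaches the handler; an admin request falls through and gets the handler's message.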
Verified by Ghost Labs Security Team