Fix BFLA (Broken Function Level Authorization) in Feathers
BFLA (Broken Function Level Authorization) is the bread and butter of API exploitation. In the Feathers.js ecosystem, this occurs when developers rely on the frontend to hide UI elements without enforcing server-side guards on service methods. If your hooks aren't explicitly checking for administrative roles on destructive methods like 'remove' or 'patch', an attacker can simply replay the request with a standard user JWT and execute privileged actions.
The Vulnerable Pattern
const { authenticate } = require('@feathersjs/authentication').hooks;

module.exports = {
  before: {
    all: [ authenticate('jwt') ], // every method requires a valid JWT ...
    find: [],
    get: [],
    create: [],
    update: [],
    patch: [],
    remove: [] // CRITICAL: Only identity is verified, not authority.
  }
};
The Secure Implementation
To mitigate BFLA, you must decouple authentication (who you are) from authorization (what you can do). In the secure example, we use the 'feathers-permissions' hook to enforce Role-Based Access Control (RBAC). The 'authenticate' hook ensures the user is logged in, but the 'checkPermissions' hook validates that the 'permissions' or 'roles' field in the JWT payload contains the 'admin' string. If the check fails, Feathers throws a 403 Forbidden before the service method is ever invoked, preventing unauthorized function execution.
const { authenticate } = require('@feathersjs/authentication').hooks;
const { checkPermissions } = require('feathers-permissions');

module.exports = {
  before: {
    all: [ authenticate('jwt') ], // authentication: who is calling
    find: [],
    get: [],
    // authorization: what the caller may do; runs after 'all', before the method
    create: [ checkPermissions({ roles: ['admin'] }) ],
    update: [ checkPermissions({ roles: ['admin'] }) ],
    patch: [ checkPermissions({ roles: ['admin'] }) ],
    remove: [ checkPermissions({ roles: ['admin'] }) ]
  }
};
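The following is an added example, not code from the original page and not the feathers-permissions package itself. It re-implements the role check in the Feathers hook shape, puts both the vulnerable hook configuration and the hardened one side by side, and drives them through a tiny synchronous hook runner so the difference can be observed without a running Feathers app. The field name 'permissions' on params.user, the stub 'authenticate' hook and the toy 'messages' service are all assumptions made for the demonstration.

```javascript
// Added example (not from the original page, not feathers-permissions itself):
// a simplified re-implementation of a role-check hook plus a minimal hook runner,
// used to contrast the vulnerable and the hardened hook configurations.

// Mirrors the shape of a Feathers error: an Error carrying an HTTP status `code`.
class HookError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code;
  }
}

// Stand-in for authenticate('jwt'). The real hook verifies the token and loads the
// user record onto params.user; here we only check that an identity was attached.
function authenticateStub() {
  return (context) => {
    if (!context.params.user) throw new HookError(401, 'Not authenticated');
    return context;
  };
}

// Authorization hook: the caller must hold at least one of `roles`. It reads
// params.user.permissions (assumed field name), accepting an array or a
// comma-separated string, and rejects with 403 before the method can run.
function requireRole(roles) {
  return (context) => {
    const user = context.params.user || {};
    const raw = user.permissions || [];
    const held = Array.isArray(raw) ? raw : String(raw).split(',').map((s) => s.trim());
    if (!roles.some((r) => held.includes(r))) {
      throw new HookError(403, `'${context.method}' requires one of: ${roles.join(', ')}`);
    }
    return context;
  };
}

// The vulnerable pattern: every method is authenticated, none is authorized.
const vulnerableHooks = {
  before: {
    all: [authenticateStub()],
    find: [], get: [], create: [], update: [], patch: [], remove: [],
  },
};

// The hardened pattern: identity for all methods, 'admin' required for writes.
const adminOnly = [requireRole(['admin'])];
const secureHooks = {
  before: {
    all: [authenticateStub()],
    find: [], get: [],
    create: adminOnly, update: adminOnly, patch: adminOnly, remove: adminOnly,
  },
};

// Minimal runner: before.all hooks first, then the method's own hooks, then the
// service method. Returns an HTTP-like status instead of throwing.
function call(service, hooks, method, params) {
  const context = { method, params, service };
  try {
    for (const hook of [...hooks.before.all, ...(hooks.before[method] || [])]) hook(context);
    return { status: 200, result: service[method](context.params) };
  } catch (err) {
    return { status: err.code || 500, error: err.message };
  }
}

// Constructed fixtures: a toy service and three callers.
const messages = {
  find: () => [{ id: 1, text: 'hello' }],
  remove: () => ({ removed: true }),
};
const anonymous = {};
const regularUser = { user: { id: 7, permissions: ['user'] } };
const adminUser = { user: { id: 1, permissions: 'user,admin' } };

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable, user removes :', call(messages, vulnerableHooks, 'remove', regularUser).status); // 200
  console.log('secure, anonymous removes:', call(messages, secureHooks, 'remove', anonymous).status);       // 401
  console.log('secure, user removes     :', call(messages, secureHooks, 'remove', regularUser).status);     // 403
  console.log('secure, user finds       :', call(messages, secureHooks, 'find', regularUser).status);       // 200
  console.log('secure, admin removes    :', call(messages, secureHooks, 'remove', adminUser).status);       // 200
}
```

Run it with `node` to see the five outcomes. The first line is the BFLA itself: under the vulnerable configuration a caller holding only the 'user' permission removes a record successfully, because the only hook on 'remove' is the identity check. Under the hardened configuration the same caller gets a 403, an anonymous caller gets a 401 from the authentication hook before the role check is reached, and read-only 'find' stays open to any authenticated user. When reviewing a real hooks file, check that every destructive method has an authorization hook in its own array, not just the 'all' array.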
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.