Fix BOLA (Broken Object Level Authorization) in Express

BOLA (Broken Object Level Authorization), formerly known as IDOR, is the #1 threat in the OWASP API Security Top 10. It occurs when an application exposes a resource via an ID and fails to verify if the requesting user has the permissions to access that specific object. If you're trusting the client-provided ID without checking ownership against the session context, you're leaking data.

The Vulnerable Pattern

app.get('/api/profile/:id', async (req, res) => {
  // VULNERABLE: Direct access via URL parameter without ownership check
  const userProfile = await db.collection('users').findOne({ _id: req.params.id });
  if (!userProfile) return res.status(404).send('Not found');
  res.json(userProfile);
});

The Secure Implementation

To kill BOLA, you must enforce authorization at the data layer. Never rely on the ID provided in the URI as the sole source of truth. Use a middleware (like 'authenticateToken') to populate 'req.user' from a secure JWT or session. When querying the database, always include the user's unique identifier in the filter. This ensures that even if an attacker guesses another user's ID, the database query will return null because the 'ownerId' won't match the attacker's session ID.

app.get('/api/profile/:id', authenticateToken, async (req, res) => {
  // SECURE: Query is scoped to both the resource ID AND the authenticated user's ID
  const userProfile = await db.collection('users').findOne({
    _id: req.params.id,
    ownerId: req.user.id
  });
if (!userProfile) {
// Return 404 instead of 403 to prevent resource enumeration
return res.status(404).json({ error: ‘Resource not found’ });
}
res.json(userProfile);
});