Fix BOLA (Broken Object Level Authorization) in Feathers
BOLA (IDOR) is the apex predator of API vulnerabilities. In FeathersJS, it manifests when services assume an authenticated user has the right to access any resource ID they provide. If your hooks don't enforce ownership at the query level, an attacker can iterate through IDs to scrape or mutate private data across the entire database.
The Vulnerable Pattern
// src/services/messages/messages.hooks.js
module.exports = {
before: {
all: [ authenticate('jwt') ],
get: [],
update: [],
patch: [],
remove: []
}
};
// EXPLOIT: GET /messages/1337 -> Returns data even if it belongs to user 9999.The Secure Implementation
The remediation strategy is 'Query Scoping'. By utilizing the 'setField' hook, we inject the requester's unique identifier (params.user._id) directly into the database query as 'ownerId'. This forces the Feathers adapter to append a WHERE clause (e.g., WHERE id = :id AND ownerId = :userId). If an attacker attempts to access an ID they do not own, the database returns no results, and Feathers throws a 404, preventing unauthorized data leakage or modification.
// src/services/messages/messages.hooks.js const { setField } = require('feathers-hooks-common');
module.exports = { before: { all: [ authenticate(‘jwt’) ], get: [ setField({ from: ‘params.user._id’, as: ‘params.query.ownerId’ }) ], patch: [ setField({ from: ‘params.user._id’, as: ‘params.query.ownerId’ }) ], remove: [ setField({ from: ‘params.user._id’, as: ‘params.query.ownerId’ }) ] } };
Your Feathers API
might be exposed to BOLA (Broken Object Level Authorization)
74% of Feathers apps fail this check. Hackers use automated scanners to find this specific flaw. Check your codebase before they do.
Free Tier • No Credit Card • Instant Report
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.