Fix BOLA (Broken Object Level Authorization) in Hapi
BOLA (Broken Object Level Authorization), formerly known as IDOR, is the most critical vulnerability in modern API security. In Hapi.js, it manifests when a developer trusts the route parameters (like /{id}) without verifying that the authenticated user has the rights to access that specific resource. Authenticated does not mean Authorized. If your handler queries the database using only the user-provided ID, you are leaking data to any attacker with a valid token.
The Vulnerable Pattern
server.route({
  method: 'GET',
  path: '/api/reports/{reportId}',
  handler: async (request, h) => {
    // VULNERABLE: Only checks if the report exists, not who owns it
    const report = await db.reports.findOne({ id: request.params.reportId });
    if (!report) return h.response({ error: 'Not Found' }).code(404);
    return report;
  }
});
The Secure Implementation
The fix requires a mandatory 'Resource-Owner' check. First, ensure the route is protected by an authentication strategy. Second, instead of fetching the object by ID alone, your query must include a predicate that matches the object's owner field with the ID found in `request.auth.credentials`. For complex scenarios, implement a 'pre' handler in Hapi to load and authorize the object before it even reaches your main logic. Always fail closed; if the user ID doesn't match the resource owner, return a 404 to avoid confirming the existence of the object to an unauthorized party.
server.route({
  method: 'GET',
  path: '/api/reports/{reportId}',
  options: { auth: 'jwt' },
  handler: async (request, h) => {
    const { reportId } = request.params;
    const userId = request.auth.credentials.id;
    // SECURE: Query includes the owner constraint
    const report = await db.reports.findOne({ id: reportId, ownerId: userId });
    if (!report) {
      // Return 404 instead of 403 to prevent resource enumeration
      return h.response({ error: 'Report not found' }).code(404);
    }
    return report;
  }
});
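The 'pre' handler approach mentioned above, as an added example that is not code from the original page: the ownership check runs in a Hapi pre method that loads the report scoped to the caller and takes over the response with a 404 on a miss, so the main handler only ever sees an object the caller owns. It assumes a `jwt` auth strategy registered elsewhere and uses a constructed in-memory `db.reports`; `fakeToolkit` and `authorize` are helpers written here to mimic Hapi's response toolkit so the pre method can be exercised without starting a server.

```javascript
// Constructed in-memory store standing in for the page's `db.reports`.
const reports = [
  { id: 'r1', ownerId: 'u1', title: 'Q1 audit' },
  { id: 'r2', ownerId: 'u2', title: 'Q2 audit' },
];
const db = {
  reports: {
    // The owner predicate is part of the query itself, as recommended above.
    findOne: async ({ id, ownerId }) =>
      reports.find((r) => r.id === id && r.ownerId === ownerId) || null,
  },
};

// Hapi 'pre' method: loads the report scoped to the caller and fails closed.
// On a miss it takes over the response with 404, so the handler never runs.
async function loadOwnedReport(request, h) {
  const { reportId } = request.params;
  const userId = request.auth.credentials.id;
  const report = await db.reports.findOne({ id: reportId, ownerId: userId });
  if (!report) {
    // 404 rather than 403: an unauthorized caller learns nothing about existence.
    return h.response({ error: 'Report not found' }).code(404).takeover();
  }
  return report; // becomes request.pre.report
}

// Route wiring; the same pre can be attached to PUT/DELETE routes on this path.
const reportRoute = {
  method: 'GET',
  path: '/api/reports/{reportId}',
  options: { auth: 'jwt', pre: [{ method: loadOwnedReport, assign: 'report' }] },
  handler: (request) => request.pre.report,
};

// Minimal stand-in for Hapi's response toolkit (assumption: only the calls used above).
function fakeToolkit() {
  const res = { statusCode: 200, source: undefined, tookOver: false };
  res.code = (c) => { res.statusCode = c; return res; };
  res.takeover = () => { res.tookOver = true; return res; };
  return { response: (src) => { res.source = src; return res; } };
}

// Runs the pre for a given caller and report id; resolves to the report or the 404.
async function authorize(userId, reportId) {
  const request = { params: { reportId }, auth: { credentials: { id: userId } } };
  return loadOwnedReport(request, fakeToolkit());
}
```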
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes more than 500 vulnerability patterns across more than 40 frameworks to provide up-to-date remediation strategies.