
Fix BOLA (Broken Object Level Authorization) in Iris

BOLA (Broken Object Level Authorization), formerly known as IDOR, is the most critical vulnerability in modern API architectures. In the Iris framework, BOLA occurs when an endpoint accepts a resource identifier (such as a UUID or integer) from the client and retrieves the object without verifying whether the authenticated user has the right to access it. To harden Iris, you must shift from 'ID-based fetching' to 'ownership-based fetching': the lookup must be keyed on both the resource identifier and the caller's identity.

The Vulnerable Pattern

app.Get("/api/invoice/{id}", func(ctx iris.Context) {
    // DANGER: Relying solely on user-controlled input
    invoiceID := ctx.Params().Get("id")

    var invoice Invoice
    // The database query doesn't check who owns the invoice
    if err := db.First(&invoice, "id = ?", invoiceID).Error; err != nil {
        ctx.StopWithStatus(iris.StatusNotFound)
        return
    }

    ctx.JSON(invoice)
})

The Secure Implementation

The fix eliminates the trust boundary violation by binding the data retrieval to the user's identity. In the secure snippet, we extract a 'userID' from a trusted source (a middleware-verified JWT stored in the request context) and inject it directly into the SQL WHERE clause alongside the resource ID. This ensures that even if an attacker guesses a valid 'invoiceID', the query matches no row because the 'owner_id' constraint fails, and the handler returns 'Not Found'. Never trust the client to tell you who they are; always derive identity from the session context, never from a path parameter, query string or request body.

app.Get("/api/invoice/{id}", func(ctx iris.Context) {
    invoiceID := ctx.Params().Get("id")

    // 1. Retrieve the authenticated UserID from the verified JWT/Session.
    //    The comma-ok assertion avoids a panic if the auth middleware did not
    //    run or stored a different type; treat that as unauthenticated.
    userID, ok := ctx.Values().Get("jwt_user_id").(string)
    if !ok || userID == "" {
        ctx.StopWithStatus(iris.StatusUnauthorized)
        return
    }

    var invoice Invoice
    // 2. SECURE: Scope the query to BOTH the resource ID and the owner's ID
    result := db.Where("id = ? AND owner_id = ?", invoiceID, userID).First(&invoice)
    if result.Error != nil {
        // Return 404 even if it exists but belongs to someone else to prevent enumeration
        ctx.StopWithStatus(iris.StatusNotFound)
        return
    }

    ctx.JSON(invoice)
})
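The following is an added, self-contained Go example (not code from the original page, from Iris or from GORM) that shows the vulnerable and the ownership-scoped lookup side by side and exercises the hardened handler in-process. It assumes stand-ins for the real stack: an in-memory 'InvoiceStore' plays the role of the 'invoices' table, and a constructed 'X-Verified-User' header plays the role of the 'jwt_user_id' value that an upstream auth middleware would have placed in the request context. The sample invoices, user names and header are constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Invoice is a constructed sample record; OwnerID is the column the secure query scopes on.
type Invoice struct {
	ID      string  `json:"id"`
	OwnerID string  `json:"owner_id"`
	Amount  float64 `json:"amount"`
}

var ErrNotFound = errors.New("invoice not found")

// InvoiceStore stands in for the database table (assumption: replaces GORM for the example).
type InvoiceStore struct {
	rows []Invoice
}

// FindByID is the BOLA-prone lookup: it keys on the client-supplied id only,
// the in-memory equivalent of db.First(&invoice, "id = ?", invoiceID).
func (s *InvoiceStore) FindByID(id string) (Invoice, error) {
	for _, inv := range s.rows {
		if inv.ID == id {
			return inv, nil
		}
	}
	return Invoice{}, ErrNotFound
}

// FindForOwner is the ownership-scoped lookup, the equivalent of
// db.Where("id = ? AND owner_id = ?", id, ownerID).First(&invoice).
// A row that exists but belongs to someone else is indistinguishable from a missing row.
func (s *InvoiceStore) FindForOwner(id, ownerID string) (Invoice, error) {
	for _, inv := range s.rows {
		if inv.ID == id && inv.OwnerID == ownerID {
			return inv, nil
		}
	}
	return Invoice{}, ErrNotFound
}

// SampleStore returns constructed data: two invoices owned by two different users.
func SampleStore() *InvoiceStore {
	return &InvoiceStore{rows: []Invoice{
		{ID: "1001", OwnerID: "alice", Amount: 120.00},
		{ID: "1002", OwnerID: "bob", Amount: 75.50},
	}}
}

// userIDFromRequest stands in for reading the middleware-verified JWT claim.
// Assumption: an upstream auth layer sets X-Verified-User; the client-controlled
// path, query string and body are never consulted for identity.
func userIDFromRequest(r *http.Request) (string, bool) {
	uid := strings.TrimSpace(r.Header.Get("X-Verified-User"))
	return uid, uid != ""
}

// InvoiceHandler is the hardened GET /api/invoice/{id} endpoint.
func InvoiceHandler(store *InvoiceStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		userID, ok := userIDFromRequest(r)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		invoiceID := strings.TrimPrefix(r.URL.Path, "/api/invoice/")
		inv, err := store.FindForOwner(invoiceID, userID)
		if err != nil {
			// 404 for both "missing" and "not yours", so the response never confirms existence.
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(inv)
	}
}

// FetchStatus drives the handler in-process and returns the HTTP status code.
func FetchStatus(store *InvoiceStore, invoiceID, asUser string) int {
	req := httptest.NewRequest(http.MethodGet, "/api/invoice/"+invoiceID, nil)
	if asUser != "" {
		req.Header.Set("X-Verified-User", asUser)
	}
	rec := httptest.NewRecorder()
	InvoiceHandler(store).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	store := SampleStore()
	fmt.Println("alice -> 1001:", FetchStatus(store, "1001", "alice")) // 200, her own invoice
	fmt.Println("alice -> 1002:", FetchStatus(store, "1002", "alice")) // 404, bob's invoice
	fmt.Println("alice -> 9999:", FetchStatus(store, "9999", "alice")) // 404, no such row
	fmt.Println("anon  -> 1001:", FetchStatus(store, "1001", ""))      // 401, no verified identity
}
```

The point of keeping 'FindByID' beside 'FindForOwner' is that the two differ by a single predicate: the vulnerable lookup happily returns bob's invoice 1002 to anyone who asks for it, while the scoped lookup returns the same 'ErrNotFound' for "belongs to someone else" and "does not exist", so a caller probing sequential IDs learns nothing about which ones are real.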

Verified by Ghost Labs Security Team