Fix BOLA (Broken Object Level Authorization) in NestJS
BOLA (Broken Object Level Authorization) is the #1 API threat (OWASP API Security Top 10, API1). In NestJS it occurs when you trust a route parameter such as :id without verifying that the authenticated user (req.user) actually owns the referenced resource. If your service simply does findOne(id), any authenticated user can read any other user's record by changing the ID: a horizontal privilege escalation.
The Vulnerable Pattern
@Get(':id')
@UseGuards(JwtAuthGuard)
async getInvoice(@Param('id') id: string) {
// VULNERABILITY: Any authenticated user can fetch any invoice ID.
// No check to see if the invoice belongs to the user.
return this.invoiceService.findOne(id);
}
The Secure Implementation
To kill BOLA in NestJS, you must enforce ownership either at the database query level or via a custom Guard/Interceptor:
1. Never trust the ID in the URL.
2. Always extract the requester's identity from the JWT/Session, never from the request body or query string.
3. Scope your SQL/NoSQL queries so they include the owner identifier (e.g., WHERE id = :id AND user_id = :current_user).
4. For complex logic (roles, shared resources, delegated access), implement a 'PolicyGuard' or a CASL Ability that evaluates permissions before the controller logic executes.
import { ForbiddenException, Get, Param, Req, UseGuards } from '@nestjs/common';

@Get(':id')
@UseGuards(JwtAuthGuard)
async getInvoice(@Param('id') id: string, @Req() req) {
  // Identity comes from the verified JWT, never from the URL or body.
  const userId = req.user.id;
  const invoice = await this.invoiceService.findOne(id);
  // SECURE: Explicit ownership check before any data leaves the handler.
  // Note that a missing invoice and a foreign invoice are treated the same way.
  if (!invoice || invoice.ownerId !== userId) {
    throw new ForbiddenException('You do not have access to this resource');
  }
  return invoice;
}

// ALTERNATIVE (Scoped Query): push the ownership filter into the lookup itself,
// so an unscoped findOne(id) never exists in the code base.
// return this.invoiceService.findOne({ where: { id, ownerId: userId } });
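The two options above (scoped lookup, and explicit policy check) as a framework-agnostic example added here, not code from the original article. It uses an in-memory table in place of the service so it runs stand-alone; the names Invoice, Requester, findInvoiceForUser and canReadInvoice are assumptions for illustration, and the admin role is a stand-in for the "complex logic" case a PolicyGuard would handle.

```typescript
// Added example, not part of the original article. Types and the sample
// table below are constructed for illustration.
type Requester = { id: string; roles: string[] };           // from the verified JWT
type Invoice = { id: string; ownerId: string; total: number };

// Constructed sample data standing in for the invoices table.
const INVOICES: Invoice[] = [
  { id: 'inv-1', ownerId: 'user-a', total: 120 },
  { id: 'inv-2', ownerId: 'user-b', total: 80 },
];

type Decision = 'allow' | 'not_found' | 'forbidden';

// Option 1 (scoped query): the owner filter is part of the lookup, so a foreign
// id simply does not match. The caller never sees another user's row, and the
// response does not confirm whether that id exists.
function findInvoiceForUser(id: string, requester: Requester): Invoice | undefined {
  return INVOICES.find(i => i.id === id && i.ownerId === requester.id);
}

// Option 2 (policy check): load first, then decide. This is what a PolicyGuard
// or CASL ability would encode; here an assumed 'admin' role may read anything.
function canReadInvoice(requester: Requester, invoice: Invoice | undefined): Decision {
  if (!invoice) return 'not_found';
  if (requester.roles.includes('admin')) return 'allow';
  return invoice.ownerId === requester.id ? 'allow' : 'forbidden';
}

// What the controller handler does with the policy: the id comes from the URL
// (untrusted), the requester from the JWT (trusted), and nothing is returned
// until the policy allows it.
function getInvoice(id: string, requester: Requester): { status: number; body?: Invoice } {
  const invoice = INVOICES.find(i => i.id === id);
  const decision = canReadInvoice(requester, invoice);
  if (decision === 'allow') return { status: 200, body: invoice };
  return { status: decision === 'forbidden' ? 403 : 404 };
}
```

The scoped lookup is the simpler default; use the policy path only where ownership alone cannot express the rule.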
Verified by Ghost Labs Security Team