Fix BOLA (Broken Object Level Authorization) in RedwoodJS
BOLA (Broken Object Level Authorization), formerly known as IDOR, is the bread and butter of API exploitation. In RedwoodJS, this usually manifests in the Services layer. Developers often assume that if a user is authenticated, they are authorized to access any object by its ID. If you're fetching data using only a user-supplied ID without verifying ownership against `context.currentUser`, you're handing over the keys to your database.
The Vulnerable Pattern
import { db } from 'src/lib/db'

export const post = ({ id }) => {
  // VULNERABLE: Direct reference to ID without ownership check
  // Any authenticated user can guess an ID and scrape posts
  return db.post.findUnique({
    where: { id },
  })
}
The Secure Implementation
The fix is simple: stop trusting the client. In the vulnerable snippet, `findUnique` only filters by the primary key, allowing cross-tenant data access. The secure implementation switches to `findFirst` (Prisma's `findUnique` accepts only unique fields in `where`, so a compound owner filter needs `findFirst`) and injects the `userId` from the trusted `context.currentUser` into the `where` clause. This ensures the database engine itself enforces authorization, so an attacker who guesses a valid ID still cannot read a row they don't own.
import { ForbiddenError } from '@redwoodjs/graphql-server'
import { db } from 'src/lib/db'

// `context` is the per-request GraphQL context RedwoodJS exposes as a global in services
export const post = async ({ id }) => {
  // SECURE: Enforce ownership at the query level
  const record = await db.post.findFirst({
    where: {
      id,
      userId: context.currentUser.id,
    },
  })

  if (!record) {
    // Don't leak existence: a missing row and a row owned by someone else look the same
    throw new ForbiddenError('Not authorized to view this resource')
  }

  return record
}
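As an added, runnable illustration of the ownership-scoped pattern above (this is example code, not the page's or the RedwoodJS project's own), the block below puts the vulnerable and secure service functions side by side and extends the read-only case to writes. The Prisma client, the GraphQL `context`, and `ForbiddenError` are replaced by small local stand-ins so it runs offline and synchronously; `ownedWhere`, `postVulnerable`, `updatePost`, `isForbidden` and the sample rows are all constructed for this example. In a real service the db calls would be awaited and the functions exported.

```javascript
// Added example: ownership-scoped service functions in the style of a RedwoodJS
// service. Stand-ins replace `import { db } from 'src/lib/db'` and
// `import { ForbiddenError } from '@redwoodjs/graphql-server'` so this runs offline.

class ForbiddenError extends Error {
  constructor(message) {
    super(message)
    this.name = 'ForbiddenError'
  }
}

// Constructed sample data: two owners (userId 10 and 20), three posts.
const POSTS = [
  { id: 1, userId: 10, title: 'owner 10, post 1' },
  { id: 2, userId: 10, title: 'owner 10, post 2' },
  { id: 3, userId: 20, title: 'owner 20, post 3' },
]

// Minimal stand-in for the Prisma model methods used here. `where` is matched
// by field equality, which is all these queries need.
function makeModel(rows) {
  const matches = (row, where) =>
    Object.entries(where).every(([k, v]) => row[k] === v)
  return {
    findUnique: ({ where }) => rows.find((r) => matches(r, where)) ?? null,
    findFirst: ({ where }) => rows.find((r) => matches(r, where)) ?? null,
    updateMany: ({ where, data }) => {
      const hits = rows.filter((r) => matches(r, where))
      hits.forEach((r) => Object.assign(r, data))
      return { count: hits.length }
    },
  }
}
const db = { post: makeModel(POSTS) }

// The `where` clause every object-level query should use: the client-supplied
// id AND the owner taken from the trusted session, never from the request body.
function ownedWhere(id, currentUser) {
  if (!currentUser || currentUser.id == null) {
    throw new ForbiddenError('Not authenticated')
  }
  return { id, userId: currentUser.id }
}

// VULNERABLE (the page's original pattern, kept for comparison): any
// authenticated caller who knows or guesses an id gets the row.
const postVulnerable = ({ id }) => db.post.findUnique({ where: { id } })

// SECURE read: findFirst with the ownership predicate. A miss is a 403, and
// the caller cannot distinguish "not yours" from "does not exist".
const post = ({ id }, context) => {
  const record = db.post.findFirst({ where: ownedWhere(id, context.currentUser) })
  if (!record) throw new ForbiddenError('Not authorized to view this resource')
  return record
}

// SECURE write, extending the page's read-only case: Prisma's `update` needs
// a unique `where`, so use `updateMany` with the same predicate and treat an
// affected-row count of 0 as an authorization failure.
const updatePost = ({ id, input }, context) => {
  const where = ownedWhere(id, context.currentUser)
  const { count } = db.post.updateMany({ where, data: input })
  if (count === 0) throw new ForbiddenError('Not authorized to modify this resource')
  return db.post.findFirst({ where })
}

// Returns true when `fn` throws ForbiddenError; any other error propagates.
function isForbidden(fn) {
  try {
    fn()
    return false
  } catch (e) {
    if (e instanceof ForbiddenError) return true
    throw e
  }
}

// Usage: owner 20 tries to read and modify post 1, which belongs to owner 10.
const asOwner20 = { currentUser: { id: 20 } }
console.log(postVulnerable({ id: 1 }).title) // the vulnerable path leaks owner 10's post
console.log(isForbidden(() => post({ id: 1 }, asOwner20))) // true
console.log(isForbidden(() => updatePost({ id: 1, input: { title: 'x' } }, asOwner20))) // true
```

The design point is that `ownedWhere` is the single place the owner predicate is built, so a new query cannot forget it without also skipping the helper; the `updateMany` count check carries the same guarantee to writes, where Prisma's unique-only `update` would otherwise tempt a developer back to `where: { id }`.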
Verified by Ghost Labs Security Team