Fix BOLA (Broken Object Level Authorization) in Remix
BOLA (Broken Object Level Authorization) remains the most critical vulnerability in the OWASP Top 10 for APIs. In Remix, BOLA occurs when `loader` or `action` functions fetch or mutate resources based solely on user-supplied parameters (like `params.id`) without verifying if the authenticated user has the right to access that specific object. If you trust the ID in the URL, you're giving any user access to every record in your database.
The Vulnerable Pattern
```ts
import { json, type LoaderFunctionArgs } from "@remix-run/node";
import { db } from "~/db.server"; // Prisma client; module path is assumed, not from the page

export async function loader({ params }: LoaderFunctionArgs) {
  // VULNERABLE: only checks that the record exists, not who owns it
  const invoice = await db.invoice.findUnique({
    where: { id: params.invoiceId },
  });

  if (!invoice) throw new Response("Not Found", { status: 404 });
  return json({ invoice });
}
```
The Secure Implementation
The fix involves moving authorization from the application logic into the data layer. Instead of fetching a resource and then checking permissions, you must include the authenticated user's ID (derived from a secure, server-side session) directly in the database query's 'where' clause. This ensures that even if an attacker guesses a valid UUID/ID, the database returns null because the 'userId' constraint fails. Always return a generic 404 Not Found rather than a 403 Forbidden to prevent attackers from confirming the existence of resources they don't own.
```ts
import { json, type LoaderFunctionArgs } from "@remix-run/node";
import { db } from "~/db.server";                 // Prisma client; module path is assumed
import { requireUserId } from "~/session.server"; // session helper; module path is assumed

export async function loader({ request, params }: LoaderFunctionArgs) {
  // 1. Authenticate the user via the server-side session
  const userId = await requireUserId(request);

  // 2. SECURE: enforce ownership at the database query level
  const invoice = await db.invoice.findFirst({
    where: {
      id: params.invoiceId,
      userId, // predicate ensures the user can only see their own data
    },
  });

  // 3. Return 404 to prevent ID enumeration/probing
  if (!invoice) throw new Response("Not Found", { status: 404 });

  return json({ invoice });
}
```
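The same ownership predicate applies to `action` functions that mutate a resource, which the loader example above does not show. The following is an added example, not code from the page: it models a Prisma-style `updateMany` with an in-memory stand-in and constructed sample rows, and takes `userId` and `invoiceId` as plain arguments where a real action would get them from `requireUserId(request)` and `params.invoiceId`.

```typescript
// Added example (not from the page): ownership-scoped mutation for a Remix
// `action`, using an in-memory stand-in for the Prisma-style `db` client.
// In the real app `userId` comes from `requireUserId(request)` and
// `invoiceId` from `params.invoiceId`; here they are plain arguments.

type Invoice = { id: string; userId: string; status: "open" | "paid" };

// Constructed sample data: two users, each owning one invoice.
const invoices: Invoice[] = [
  { id: "inv-1", userId: "user-a", status: "open" },
  { id: "inv-2", userId: "user-b", status: "open" },
];

// Minimal stand-in mirroring the shape of Prisma's `updateMany`: a row must
// match every key in `where`, and the result reports how many rows changed.
const db = {
  invoice: {
    async updateMany(args: { where: Partial<Invoice>; data: Partial<Invoice> }) {
      let count = 0;
      for (const row of invoices) {
        const matches = (Object.keys(args.where) as (keyof Invoice)[])
          .every((k) => row[k] === args.where[k]);
        if (matches) { Object.assign(row, args.data); count++; }
      }
      return { count };
    },
  },
};

// VULNERABLE shape: the predicate is the URL-supplied id alone, so any
// authenticated user can flip any invoice to "paid".
async function markPaidUnsafe(invoiceId: string) {
  return db.invoice.updateMany({ where: { id: invoiceId }, data: { status: "paid" } });
}

// SECURE shape: the session-derived userId is part of the predicate. A guessed
// or foreign id matches zero rows, and zero rows is reported as a generic 404
// so the caller cannot distinguish "not yours" from "does not exist".
async function markPaid(userId: string, invoiceId: string): Promise<{ status: number }> {
  const { count } = await db.invoice.updateMany({
    where: { id: invoiceId, userId },
    data: { status: "paid" },
  });
  return { status: count === 0 ? 404 : 200 };
}

// Helper for inspecting the sample data after a call.
function statusOf(invoiceId: string): string | undefined {
  return invoices.find((row) => row.id === invoiceId)?.status;
}
```

With a real Prisma client the same `count === 0` check works because `updateMany` and `deleteMany` accept arbitrary `where` predicates, whereas `update`/`delete` only accept unique fields and would force the fetch-then-check pattern.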
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.