Fix BOLA (Broken Object Level Authorization) in Rocket

BOLA (formerly IDOR) is the apex predator of API vulnerabilities. In the Rocket ecosystem, it manifests when a route handler accepts a resource ID (e.g., ) and fetches the object without verifying that the authenticated 'User' guard actually owns that specific resource. Authenticating the user is only half the battle; authorizing their access to the specific object is where most devs fail.

The Vulnerable Pattern

#[get("/api/v1/profile/")]
fn get_profile(id: i32, _user: AuthenticatedUser, db: &Db) -> Option> {
    // VULNERABLE: We verify the user is logged in (_user),
    // but we fetch ANY profile ID passed in the URL.
    db.profiles.find(id).map(Json)
}

The Secure Implementation

The fix moves authorization from the application logic into the data layer. By using the 'AuthenticatedUser' Request Guard, we extract the trusted user identity. We then modify the database query to include an ownership predicate ('WHERE id = ? AND owner_id = ?'). This ensures that even if an attacker guesses a valid profile ID, the database will return a 404/NotFound because the 'owner_id' constraint fails. Never trust the ID segment alone; always cross-reference it with the session context.

#[get("/api/v1/profile/")]
fn get_profile(id: i32, user: AuthenticatedUser, db: &Db) -> Result, Status> {
    // SECURE: Scope the lookup to the authenticated user's ID.
    // If the ID doesn't match the user's ownership, the query returns nothing.
    let profile = db.profiles
        .filter(owner_id.eq(user.id))
        .filter(id.eq(id))
        .first()
        .map_err(|_| Status::NotFound)?;
Ok(Json(profile))
}