GuardAPI

Fix BOLA (Broken Object Level Authorization) in Roda

BOLA (Broken Object Level Authorization) is the most prevalent vulnerability in modern API architectures. In Roda, this occurs when the routing tree handles resource IDs from the request without verifying that the authenticated user has the rights to access that specific object. If your code assumes that knowing an ID equals having permission to view it, you're leaking sensitive data to any authenticated attacker with a script.

The Vulnerable Pattern

require "roda"

class App < Roda
  plugin :json

  route do |r|
    r.on "api/v1/documents" do
      r.is Integer do |doc_id|
        # VULNERABLE: direct object reference with no ownership check. Any
        # authenticated caller who knows or guesses an ID receives the document.
        @doc = Document[doc_id]

        r.get do
          @doc.to_json
        end
      end
    end
  end
end

The Secure Implementation

The fix involves moving from global lookups to scoped lookups. Instead of querying the 'Document' model directly, we query the 'documents' association belonging to the 'current_user'. This ensures that the generated SQL carries a 'user_id' constraint in its WHERE clause alongside the 'id'. If an attacker attempts to access a 'doc_id' belonging to another user, the query returns nil and the application responds with a 404. Because a document the caller does not own and a document that does not exist produce the same 404, the endpoint offers no oracle for ID enumeration, and unauthorized data access is prevented by construction rather than by a check that a later refactor might forget.

require "roda"

class App < Roda
  plugin :json

  route do |r|
    # Assume 'current_user' is populated via JWT or session middleware
    r.on "api/v1/documents" do
      r.is Integer do |doc_id|
        # SECURE: scope the lookup through the authenticated user's association,
        # so the query is constrained by user_id as well as id
        @doc = current_user.documents_dataset.where(id: doc_id).first

        # "Not yours" and "does not exist" look identical to the caller
        if @doc.nil?
          response.status = 404
          r.halt
        end

        r.get do
          @doc.to_json
        end
      end
    end
  end
end
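The global-versus-scoped lookup contrast above, as an added example that is not GuardAPI's code: it models the fix in plain Ruby so it runs without the roda and sequel gems. 'Document', 'User', the 'DOCUMENTS' table and the 'handle_get' helper are constructed stand-ins for the Sequel models and the route's GET branch, and the 'documents_dataset' method imitates the association dataset Sequel generates.

```ruby
require "json"

# Constructed stand-in for the Sequel Document model.
Document = Struct.new(:id, :user_id, :title)

# Constructed sample table: alice (user 1) owns doc 10, bob (user 2) owns doc 20.
DOCUMENTS = [
  Document.new(10, 1, "alice-notes"),
  Document.new(20, 2, "bob-payroll"),
].freeze

class User
  attr_reader :id

  def initialize(id)
    @id = id
  end

  # Stands in for Sequel's generated `documents_dataset`: a view of DOCUMENTS
  # already filtered by user_id, so every lookup made through it carries the
  # owner constraint whether or not the route author remembers to add one.
  def documents_dataset
    DOCUMENTS.select { |d| d.user_id == id }
  end
end

# Vulnerable lookup (mirrors `Document[doc_id]`): ownership is never consulted.
def lookup_global(doc_id)
  DOCUMENTS.find { |d| d.id == doc_id }
end

# Secure lookup (mirrors `current_user.documents_dataset.where(id: doc_id).first`).
def lookup_scoped(user, doc_id)
  user.documents_dataset.find { |d| d.id == doc_id }
end

# Minimal stand-in for the route's GET branch: returns [status, body].
# "Not yours" and "does not exist" both yield the same empty 404, so the
# response tells the caller nothing about which IDs are in use.
def handle_get(user, doc_id)
  doc = lookup_scoped(user, doc_id)
  return [404, ""] if doc.nil?

  [200, doc.to_h.to_json]
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(1)
  puts handle_get(alice, 10).inspect   # her own document: 200 with the JSON body
  puts handle_get(alice, 20).inspect   # bob's document: 404, empty body
  puts handle_get(alice, 999).inspect  # nonexistent ID: identical 404
end
```

Running the file shows the property the page relies on: with the scoped lookup, alice's request for document 20 and her request for a nonexistent document 999 produce byte-identical responses, while 'lookup_global' would have handed document 20 to anyone who asked for it.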


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.