Fix BOLA (Broken Object Level Authorization) in Sails
BOLA (Broken Object Level Authorization) is the #1 vulnerability in modern APIs. In Sails.js, it manifests when you trust the user-supplied ID in the URL without verifying that the authenticated user actually owns that resource. Attackers simply iterate through IDs to scrape your entire database. To kill BOLA, you must enforce ownership at the database query level.
The Vulnerable Pattern
// api/controllers/OrderController.js
module.exports = {
  findOne: async function (req, res) {
    // VULNERABLE: Trusting the ID parameter directly.
    // An attacker can change /order/123 to /order/124 and see other users' data.
    const order = await Order.findOne({ id: req.param('id') });
    if (!order) return res.notFound();
    return res.json(order);
  }
};
The Secure Implementation
The fix involves 'Query Scoping'. Instead of fetching a record solely by its primary key, you inject the requester's identity (from a verified JWT or session) into the 'where' clause. If the record exists but belongs to another user, the query returns null, effectively neutralizing the authorization bypass. For a scalable architecture, implement this logic in a Sails Policy (e.g., api/policies/isOwner.js) to keep your controllers DRY and ensure consistent security across all blueprints.
// api/controllers/OrderController.js
module.exports = {
  findOne: async function (req, res) {
    // SECURE: Scoping the query by both the ID and the authenticated user's ID.
    const order = await Order.findOne({ id: req.param('id'), owner: req.session.userId });
    if (!order) {
      // Use the same response (403 here, or 404) whether the record is missing
      // or belongs to someone else, so the reply does not reveal whether the ID exists.
      return res.forbidden('You do not have permission to view this resource.');
    }
    return res.json(order);
  }
};
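The policy-based form of this scoping, as an added example that is not the page's own code: a hypothetical api/policies/isOrderOwner.js that fetches the record scoped by owner, attaches it to the request for the controller, and answers identically for missing and foreign records. It assumes the user id lives at req.session.userId and the Order model has an owner attribute; the Order model is injected and stubbed in-memory so the block runs outside Sails.

```javascript
// api/policies/isOrderOwner.js (added example, not the page's own code)
// Assumes: the authenticated user id lives at req.session.userId, the Order
// model has an `owner` attribute, and the Sails policy convention of calling
// proceed() to continue or responding to stop. Wire it in config/policies.js:
//   OrderController: { findOne: ['isOrderOwner'], update: ['isOrderOwner'] }
'use strict';

// Scope the lookup by BOTH the requested id and the requester's identity. A
// record that exists but belongs to someone else yields null, so the caller
// cannot tell "not yours" from "does not exist".
async function findOwnedOrder(Order, id, userId) {
  if (id === undefined || userId === undefined) return null;
  return Order.findOne({ id, owner: userId });
}

// The policy. `Order` is injected so the example runs outside Sails; in a real
// app it is the global model, so the factory is unnecessary.
function makeIsOrderOwner(Order) {
  return async function isOrderOwner(req, res, proceed) {
    const userId = req.session && req.session.userId;
    const order = await findOwnedOrder(Order, req.param('id'), userId);
    if (!order) {
      // Same response whether the record is missing or foreign: no oracle.
      return res.forbidden('You do not have permission to view this resource.');
    }
    req.order = order; // the controller uses this already-scoped record
    return proceed();
  };
}

// Constructed in-memory stand-in for the Waterline model (ids as strings, as
// req.param() delivers them) so the block runs offline.
const ORDERS = [
  { id: '123', owner: 'alice', total: 42 },
  { id: '124', owner: 'bob', total: 99 },
];
const FakeOrder = {
  findOne: async (c) => ORDERS.find((o) => Object.keys(c).every((k) => o[k] === c[k])) || null,
};

// Drive the policy with a constructed request and report what happened.
async function simulate(userId, id) {
  const req = { session: { userId }, param: (k) => (k === 'id' ? id : undefined) };
  let status = null;
  const res = { forbidden: () => { status = 403; } };
  let proceeded = false;
  await makeIsOrderOwner(FakeOrder)(req, res, () => { proceeded = true; });
  return proceeded ? { status: 200, order: req.order } : { status, order: null };
}
```

With the policy in place the controller's findOne reduces to `return res.json(req.order);`, and the same policy guards update and destroy without repeating the ownership check.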
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes more than 500 vulnerability patterns across more than 40 frameworks to provide up-to-date remediation strategies.