Fix BOLA (Broken Object Level Authorization) in Spring WebFlux
BOLA (Broken Object Level Authorization), the industry's favorite evolution of IDOR, is the apex predator of API vulnerabilities. In the non-blocking world of Spring WebFlux, developers often mistake 'reactive' for 'secure'. If your controller fetches a resource based solely on a path variable, without verifying that the authenticated principal owns it, you are leaking data. In a reactive pipeline, authorization must be baked into the stream, not bolted on as a side effect.
The Vulnerable Pattern
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import reactor.core.publisher.Mono;

@GetMapping("/api/v1/orders/{orderId}")
public Mono<Order> getOrder(@PathVariable String orderId) {
    // VULNERABLE: the lookup is keyed only on the client-supplied orderId,
    // so any authenticated user can read any order
    return orderRepository.findById(orderId);
}
The Secure Implementation
The fix enforces 'Identity-to-Resource' binding. First, we extract the authenticated principal from the ReactiveSecurityContextHolder. Instead of trusting the orderId from the request on its own, we chain a .filter() operation inside the Mono stream to validate that the resource's ownerId matches the principal's ID. For hardened production environments, push this check down to the database layer (e.g. orderRepository.findByIdAndOwnerId(orderId, currentUserId)): the query itself is then scoped to the user, and rows belonging to other users are never retrieved into the application at all.
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.server.ResponseStatusException;
import reactor.core.publisher.Mono;

@GetMapping("/api/v1/orders/{orderId}")
public Mono<ResponseEntity<Order>> getOrder(@PathVariable String orderId) {
    return ReactiveSecurityContextHolder.getContext()
        .map(SecurityContext::getAuthentication)
        .flatMap(auth -> {
            // The principal comes from the verified security context, never from the request
            String currentUserId = auth.getName();
            return orderRepository.findById(orderId)
                // Drop the order unless it belongs to the caller
                .filter(order -> order.getOwnerId().equals(currentUserId))
                .map(ResponseEntity::ok)
                // A missing order and an order owned by someone else produce the same 403
                .switchIfEmpty(Mono.error(new ResponseStatusException(HttpStatus.FORBIDDEN, "Access Denied")));
        });
}
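The database-scoped variant recommended above, as an added example that is not the page's own code: the ownership condition becomes part of the Spring Data query, and the controller also handles an empty security context explicitly. The Order record, the OrderRepository interface and the OrderController class are assumed names, and R2DBC (or another reactive Spring Data module) is assumed to back the repository.

```java
// Added example, not code from the original page. Assumes a reactive Spring Data
// repository (e.g. R2DBC) with an orders table that carries an owner_id column.
import org.springframework.data.annotation.Id;
import org.springframework.data.repository.reactive.ReactiveCrudRepository;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;
import reactor.core.publisher.Mono;

// Assumed entity: the ownerId is the principal name stored when the order was created.
record Order(@Id String id, String ownerId, long totalCents) {}

// Spring Data derives "WHERE id = ? AND owner_id = ?" from the method name, so a row
// that belongs to a different user is filtered out by the database, not by the app.
interface OrderRepository extends ReactiveCrudRepository<Order, String> {
    Mono<Order> findByIdAndOwnerId(String id, String ownerId);
}

@RestController
class OrderController {
    private final OrderRepository orderRepository;

    OrderController(OrderRepository orderRepository) {
        this.orderRepository = orderRepository;
    }

    @GetMapping("/api/v1/orders/{orderId}")
    public Mono<ResponseEntity<Order>> getOrder(@PathVariable String orderId) {
        return ReactiveSecurityContextHolder.getContext()
            .map(SecurityContext::getAuthentication)
            // An empty context would otherwise complete the stream silently; fail closed instead.
            .switchIfEmpty(Mono.error(new ResponseStatusException(HttpStatus.UNAUTHORIZED)))
            // The principal name is bound into the query together with the path variable.
            .flatMap(auth -> orderRepository.findByIdAndOwnerId(orderId, auth.getName()))
            .map(ResponseEntity::ok)
            // Missing and not-owned collapse to one response, as in the filter-based version.
            .switchIfEmpty(Mono.error(new ResponseStatusException(HttpStatus.FORBIDDEN, "Access Denied")));
    }
}
```

The repository method is the piece to keep an eye on in review: if someone later "simplifies" it back to findById, the controller compiles unchanged and the BOLA quietly returns.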
Verified by Ghost Labs Security Team