Fix BOLA (Broken Object Level Authorization) in SvelteKit
BOLA (IDOR) is the bread and butter of API pwnage. In SvelteKit, it usually manifests in +page.server.js or +server.js when you trust the params object blindly. If you aren't verifying that the authenticated user context in locals actually owns the resource requested via the URL parameter, you are leaking data. Stop trusting the client; they lie.
The Vulnerable Pattern
```js
export async function load({ params }) {
  // VULNERABLE: only uses the URL param, no ownership check
  const invoice = await db.invoice.findUnique({ where: { id: params.id } });
  return { invoice };
}
```
The Secure Implementation
The vulnerability exists because the server fetches the object based only on the ID provided in the URL. A malicious actor can increment the ID to scrape your database. The fix implements an 'Ownership Check'. We retrieve the user context from locals (populated by hooks.server.js) and include the user's ID in the database query's filter. If the record exists but doesn't belong to the user, the query returns null, and we throw a 404 rather than a 403, so the response doesn't confirm that the ID exists. This ensures authorization is performed at the object level, not just the route level.
```js
import { error } from '@sveltejs/kit';
// db: your server-only database client (e.g. a Prisma client), imported from a $lib/server module

export async function load({ params, locals }) {
  // 1. Check authentication
  if (!locals.user) throw error(401, 'Unauthorized');

  // 2. Enforce ownership in the query
  const invoice = await db.invoice.findFirst({
    where: {
      id: params.id,
      ownerId: locals.user.id // Critical: scope the query to the user
    }
  });

  // 3. Fail safe: don't leak existence if not authorized
  if (!invoice) throw error(404, 'Invoice not found');

  return { invoice };
}
```
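The same check modelled end to end, as an added example that is not code from the original post: an in-memory stand-in for the database and for SvelteKit's error() helper (both assumed, so it runs without @sveltejs/kit installed), the load() above, and the equivalent scoping applied to a DELETE handler in +server.js.

```javascript
// Added example, not from the original post: a self-contained model of the ownership check,
// with in-memory stand-ins for the database and for SvelteKit's error() so it runs offline.
// In a real app: import { error } from '@sveltejs/kit' and your server-only db client.
class HttpError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}
const error = (status, message) => new HttpError(status, message); // stand-in for kit's error()

// Constructed sample data: two users, three invoices.
const INVOICES = [
  { id: '1001', ownerId: 'alice', total: 120 },
  { id: '1002', ownerId: 'bob', total: 80 },
  { id: '1003', ownerId: 'alice', total: 45 },
];
const matches = (row, where) => Object.entries(where).every(([k, v]) => row[k] === v);
// Minimal stand-in for a Prisma-style client; every key in `where` is AND-ed.
const db = {
  invoice: {
    findFirst: ({ where }) => INVOICES.find(row => matches(row, where)) ?? null,
    deleteMany: ({ where }) => {
      const before = INVOICES.length;
      for (let i = INVOICES.length - 1; i >= 0; i--) {
        if (matches(INVOICES[i], where)) INVOICES.splice(i, 1);
      }
      return { count: before - INVOICES.length };
    },
  },
};

// Same shape as the +page.server.js load() above, minus async/await.
function load({ params, locals }) {
  if (!locals.user) throw error(401, 'Unauthorized');          // 1. authentication
  const invoice = db.invoice.findFirst({
    where: { id: params.id, ownerId: locals.user.id },          // 2. ownership inside the query
  });
  if (!invoice) throw error(404, 'Invoice not found');         // 3. fail closed; no existence leak
  return { invoice };
}

// The same scoping applies to mutations in +server.js: only rows the caller owns are touched.
function DELETE({ params, locals }) {
  if (!locals.user) throw error(401, 'Unauthorized');
  const { count } = db.invoice.deleteMany({ where: { id: params.id, ownerId: locals.user.id } });
  if (count === 0) throw error(404, 'Invoice not found');
  return { status: 204 };                                       // stands in for new Response(null, { status: 204 })
}

// Returns the HTTP status a handler produces for a given caller (null = unauthenticated).
function statusFor(handler, userId, invoiceId) {
  const event = { params: { id: invoiceId }, locals: { user: userId ? { id: userId } : null } };
  try { return handler(event).status ?? 200; } catch (e) { if (e instanceof HttpError) return e.status; throw e; }
}
```

A caller who is not the owner gets the same 404 as a caller asking for an ID that was never issued, so enumeration of IDs yields nothing.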
Verified by Ghost Labs Security Team