Fix Broken User Authentication in Blitz.js
Blitz.js handles session management for you, but authorization is still the developer's job, and that is where applications usually break. In this framework, broken authentication typically shows up as unprotected RPC calls: a mutation or query that assumes a valid session is present without ever checking it through the Blitz middleware (`resolver.authorize()` and `ctx.session`). Every query and mutation file is an RPC endpoint reachable directly over HTTP, so client-side route guards and hidden UI are not a control. If you are not enforcing session and ownership constraints at the resolver level, anonymous or low-privileged callers can read or modify other users' records (IDOR).
The Vulnerable Pattern
```typescript
import { resolver } from "@blitzjs/rpc";
import db from "db";

export default resolver.pipe(async ({ id, ...data }) => {
  // VULNERABLE: no session validation.
  // Any unauthenticated caller can hit this RPC endpoint and modify any user record.
  const user = await db.user.update({ where: { id }, data });
  return user;
});
```
The Secure Implementation
The exploit is a direct call to the RPC endpoint, bypassing client-side guards. The fix starts with `resolver.authorize()`, which throws an `AuthenticationError` unless `ctx.session` belongs to a logged-in user (pass a role, e.g. `resolver.authorize("ADMIN")`, to also require that role). Authentication alone is not enough, though: a logged-in attacker can still send a victim's `id` in the payload. So the resolver also performs an ownership check, comparing the input `id` against `ctx.session.userId` and rejecting a mismatch with an `AuthorizationError`, and then keys the database write on `ctx.session.userId` rather than on the caller-supplied value. Note that `resolver.authorize()` protects only the resolver it is piped into, so every query and mutation that touches user-owned data needs the same treatment.
```typescript
import { resolver } from "@blitzjs/rpc";
import db from "db";
import { AuthorizationError } from "blitz";

export default resolver.pipe(
  resolver.authorize(), // Throws AuthenticationError unless ctx.session has a logged-in user
  async ({ id, ...data }, ctx) => {
    // SECURE: cross-reference the requested id with the session's userId
    if (id !== ctx.session.userId) {
      throw new AuthorizationError("You do not have permission to modify this resource.");
    }

    // Key the write on the session's own id, never on the caller-supplied one
    const user = await db.user.update({
      where: { id: ctx.session.userId },
      data,
    });
    return user;
  }
);
```
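To show what "a direct call to the RPC endpoint" means in practice, here is an added example (not code from this page, from Blitz or from Ghost Labs) that exercises both resolvers the way a Blitz unit test does: by calling them with a hand-built `ctx`. Because it has to run without `@blitzjs/rpc`, `blitz` or Prisma installed, `pipe`, `authorize`, the two error classes and `db` are synchronous local stand-ins that mirror the behaviour of `resolver.pipe`, `resolver.authorize`, the `blitz` errors and `db.user.update`; `requireOwner` is a hypothetical helper that factors the page's ownership check into a reusable pipe step, and the users, sessions and payloads are constructed test data.

```typescript
// Local stand-ins for the errors Blitz exports from "blitz"; outcomes are checked by .name.
class AuthenticationError extends Error { name = "AuthenticationError"; }
class AuthorizationError extends Error { name = "AuthorizationError"; }

// Minimal model of the session context a Blitz resolver receives as ctx.
interface Session { userId: number | null; }
interface Ctx { session: Session; }
type Step<I, O> = (input: I, ctx: Ctx) => O;

// Synchronous stand-in for resolver.pipe(): each step gets the previous step's
// result plus ctx, so a guard that throws stops everything after it.
function pipe<I, O>(...steps: Array<Step<any, any>>): Step<I, O> {
  return (input, ctx) => {
    let acc: any = input;
    for (const step of steps) acc = step(acc, ctx);
    return acc as O;
  };
}

// Stand-in for resolver.authorize(): reject callers with no logged-in user.
function authorize<I>(): Step<I, I> {
  return (input, ctx) => {
    if (ctx.session.userId === null) throw new AuthenticationError("You must be logged in");
    return input;
  };
}

// Hypothetical helper: the page's ownership check as a reusable pipe step,
// so it cannot be forgotten in the resolver body.
function requireOwner<I extends { id: number }>(): Step<I, I> {
  return (input, ctx) => {
    if (input.id !== ctx.session.userId) {
      throw new AuthorizationError("You do not have permission to modify this resource.");
    }
    return input;
  };
}

// Constructed in-memory users standing in for Prisma's db.user.update().
interface User { id: number; email: string; name: string; }
const db = {
  users: {} as Record<number, User>,
  reset(): void {
    this.users = {
      1: { id: 1, email: "alice@example.test", name: "Alice" },
      2: { id: 2, email: "bob@example.test", name: "Bob" },
    };
  },
  updateUser(id: number, data: Partial<Omit<User, "id">>): User {
    const existing: User | undefined = this.users[id];
    if (existing === undefined) throw new Error(`No user with id ${id}`);
    const updated: User = { ...existing, ...data };
    this.users[id] = updated;
    return updated;
  },
};

interface UpdateUserInput { id: number; name?: string; email?: string; }

// VULNERABLE: the page's first resolver. Nothing ever looks at ctx.session.
const updateUserVulnerable = pipe<UpdateUserInput, User>((input: UpdateUserInput) => {
  const { id, ...data } = input;
  return db.updateUser(id, data);
});

// SECURE: the page's fix. authorize() blocks anonymous calls, requireOwner()
// blocks cross-account ids, and the write is keyed on the session's own id.
const updateUserSecure = pipe<UpdateUserInput, User>(
  authorize(),
  requireOwner(),
  (input: UpdateUserInput, ctx: Ctx) => {
    const { id, ...data } = input; // requireOwner() already proved id === ctx.session.userId
    return db.updateUser(ctx.session.userId as number, data);
  },
);

// Call a resolver the way an attacker does: straight at the RPC function with a
// session of their choosing and no client-side route guard in the way.
interface Outcome { ok: boolean; error?: string; name?: string; }
function call(resolver: Step<UpdateUserInput, User>, input: UpdateUserInput, ctx: Ctx): Outcome {
  try {
    return { ok: true, name: resolver(input, ctx).name };
  } catch (err) {
    return { ok: false, error: (err as Error).name };
  }
}

const anonymous: Ctx = { session: { userId: null } };
const alice: Ctx = { session: { userId: 1 } };
const tamper: UpdateUserInput = { id: 2, name: "pwned" }; // Bob's id in the payload

function runScenarios() {
  db.reset();
  const vulnAnon = call(updateUserVulnerable, tamper, anonymous);   // anonymous overwrites Bob
  db.reset();
  const vulnAlice = call(updateUserVulnerable, tamper, alice);      // Alice overwrites Bob (IDOR)
  db.reset();
  const secureAnon = call(updateUserSecure, tamper, anonymous);     // AuthenticationError
  const secureAlice = call(updateUserSecure, tamper, alice);        // AuthorizationError
  const secureOwn = call(updateUserSecure, { id: 1, name: "Alice B." }, alice); // allowed
  return { vulnAnon, vulnAlice, secureAnon, secureAlice, secureOwn, bobAfterSecure: db.users[2]?.name };
}

console.log(runScenarios());
```

The three `db.reset()` calls matter: without them the first vulnerable call would already have renamed Bob, and the later assertion that the secure resolver left his record untouched would prove nothing. In a real Blitz project the same scenarios are written against the real resolver with a mocked `ctx`, which is the check to add to CI for every mutation that takes a record id.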
Verified by Ghost Labs Security Team