Auth Bypass in Hanami with Cockroachdb

An authentication bypass in a Hanami application backed by CockroachDB can occur when access controls are enforced at the application layer but not validated or enforced consistently at the data layer. Hanami encourages a service-oriented architecture where use cases interact directly with repositories. If a repository or query object does not enforce user-context scoping, an attacker may leverage predictable identifiers or weak authorization checks to access records that belong to other users.

With CockroachDB, which provides strong consistency and SQL compliance, queries that should be scoped to a tenant or user may inadvertently expose data when dynamic SQL fragments omit tenant_id or actor_id conditions. For example, a developer might write a repository method that builds a WHERE clause based on optional parameters. If the parameter is missing and the method falls back to a broader query, the endpoint can return records outside the intended scope. This becomes an authentication bypass when the endpoint relies on the caller to enforce authorization, while the database returns data the caller should not see.

Common root causes include missing row-level security predicates, inconsistent use of current_user values across services, and dynamic SQL construction that omits tenant or ownership filters. In a Hanami app, this can manifest as a use case that loads a record by ID without verifying that the record’s user_id matches the authenticated subject’s identifier. CockroachDB’s SQL engine will return the row if the ID exists and the query does not filter by tenant or user, even if the application believes authorization was applied earlier.

Consider a Hanami endpoint that retrieves a user profile by ID via a repository. If the route uses an ID supplied by the client and the repository method does not intersect the requested ID with the current user’s ID, an attacker can enumerate IDs and access other users’ profiles. Because CockroachDB returns results deterministically, the absence of a server-side enforcement mechanism means the database will not prevent the unauthorized read on its own. The bypass is not a flaw in CockroachDB but a design flaw in how the application constructs queries and applies authorization checks.

Real-world attack patterns mirror the OWASP API Top 10 Broken Object Level Authorization (BOLA), mapped further to PCI-DSS and SOC2 controls. An unauthenticated or low-privilege attacker can exploit missing scope checks to view, modify, or delete sensitive records. middleBrick scans detect such authorization gaps by correlating OpenAPI paths and parameters with runtime behavior, highlighting endpoints where object-level constraints are missing or inconsistent.

Remediation centers on enforcing ownership or tenant scope at the repository and query level, ensuring every data access includes the subject identifier. In Hanami, define a base repository that injects the current user’s ID or tenant ID into queries, and require all derived repositories to use it. Combine this with explicit SQL conditions in CockroachDB statements so that row-level filtering is guaranteed by the database layer.

Example: a profile repository that scopes to the current user. Instead of a generic find_by_id, use a method that requires user_id and validates ownership before returning data.

require "hanami/repository"

class ProfileRepository
  include Hanami::Repository

  def for_user(user_id)
    profiles.where(user_id: user_id)
  end

  def find_by_id_for_user(profile_id, user_id)
    for_user(user_id).where(id: profile_id).one
  end
end

In your use case, call the scoped method with the authenticated subject’s ID. This ensures that even if an attacker manipulates the ID parameter, the database query includes the user_id filter.

class ShowProfile
  def initialize(profile_repo)
    @profile_repo = profile_repo
  end

  def call(profile_id, user_id)
    profile = @profile_repo.find_by_id_for_user(profile_id, user_id)
    # proceed only if profile is not nil
    # ...
  end
end

For CockroachDB, prefer parameterized queries and avoid string interpolation to prevent SQL injection and ensure predicate correctness. Define a helper method that always adds tenant_id or user_id to the WHERE clause.

class TenantRepository
  include Hanami::Repository

  def for_tenant(records)
    records.where(tenant_id: current_tenant_id)
  end

  def find_own(id, tenant_id)
    for_tenant(records).where(id: id).one
  end

  private

  def current_tenant_id
    # derive from request context, thread-local, or session
    Thread.current[:tenant_id]
  end
end

When using associations, ensure join queries also include scope conditions. For example, fetching a user’s posts should intersect the user_id in the join.

class UserRepository
  include Hanami::Repository
  associations do
    has_many :posts
  end

  def user_with_posts(user_id)
    users = repository[:users].where(id: user_id)
    users.with(:posts).map do |user|
      # posts are already scoped to user_id via association query
      user
    end
  end
end

In the Hanami CLI, structure your commands to require user context, and in the dashboard, monitor for endpoints that lack scope parameters. The Pro plan’s continuous monitoring can alert you when new endpoints are introduced without proper authorization checks, while the CLI can be integrated into scripts to enforce repository patterns. middleBrick’s findings map to OWASP BOLA and can guide you to the exact endpoints and repository methods that need scoping fixes.