Bola Idor in Adonisjs with Cockroachdb

Broken Object Level Authorization (BOLA) occurs when an API fails to enforce access control checks on object identifiers that are supplied by the client. In Adonisjs applications using CockroachDB, this typically manifests when route parameters such as id are used directly in database queries without verifying that the authenticated actor has permission to interact with that specific record.

AdonisJS relies on route-model binding to resolve parameters into model instances. If that binding does not scope the query by tenant or user context, an attacker can increment or modify the identifier to access another user’s data. CockroachDB, while compatible with PostgreSQL wire protocol and ORMs, does not inherently enforce row-level permissions. Therefore, responsibility falls on the application to ensure every query includes authorization constraints.

A concrete example in AdonisJS with CockroachDB might involve a route like GET /api/users/:id. If the controller does something like User.findOrFail(params.id) without checking that the authenticated user is allowed to view that record, any authenticated user can enumerate or access other users’ profiles simply by changing the numeric ID. Even if the ORM uses parameterized SQL, which protects against injection, the lack of ownership or role checks results in BOLA.

This risk is compounded when primary keys are predictable (e.g., sequential integers), as is common with CockroachDB default auto-increment behavior. Predictable IDs make it trivial for an attacker to iterate through valid identifiers. Moreover, if the API exposes endpoints that perform updates or deletions without verifying the subject of the request, the impact shifts from read-only exposure to modification or destruction of unauthorized resources.

Another scenario involves multi-tenant data isolation. If tenant identifiers are stored in CockroachDB rows but not enforced in every query, a tenant may inadvertently or maliciously access another tenant’s data by manipulating foreign key references or omitting the tenant filter. Because CockroachDB supports distributed SQL and secondary indexes, queries may execute efficiently even without tenant scoping, which can mask the absence of proper authorization checks during development.

To detect such issues, middleBrick scans unauthenticated attack surfaces and can surface BOLA-like patterns when endpoints accept object identifiers without clear authorization context. It does not assume authentication state, so it highlights endpoints where IDs are accepted without evidence of ownership or role checks, mapping findings to the OWASP API Top 10 and providing remediation guidance.

Remediation centers on ensuring every database query includes explicit authorization conditions that tie data access to the authenticated actor or tenant. In AdonisJS, this means combining route-model binding with additional checks and leveraging CockroachDB’s compatibility with PostgreSQL semantics to enforce row-level constraints.

First, avoid relying solely on params.id to fetch records. Instead, construct queries that include user or tenant identifiers. For example, if your application uses a user_id column to associate records with owners, scope the query accordingly:

import User from 'App/Models/User'
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'

export default class UsersController {
  public async show({ params, auth }: HttpContextContract) {
    const user = await User.query()
      .where('id', params.id)
      .where('user_id', auth.user?.id)
      .firstOrFail()
    return user
  }
}

This ensures that even if params.id points to an existing row, the query returns a result only when the authenticated user’s ID matches the record’s owner. With CockroachDB, the underlying SQL will include both equality conditions, leveraging its distributed execution to return the correct row or null.

For tenant isolation, embed the tenant identifier in every query. If using a tenant_id column, apply it consistently:

import Post from 'App/Models/Post'
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'

export default class PostsController {
  public async index({ request, auth }: HttpContextContract) {
    const posts = await Post.query()
      .where('tenant_id', auth.user?.tenantId)
      .limit(20)
      .offset(request.qs().page ? parseInt(request.qs().page) * 20 : 0)
      .exec()
    return posts
  }
}

When using relationships, eager-load and filter through the owning model rather than trusting client-supplied foreign keys. For instance, to fetch a user’s posts, start from the user model:

import User from 'App/Models/User'
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'

export default class UsersController {
  public async showPosts({ params, auth }: HttpContextContract) {
    const user = await User.findOrFail(auth.user?.id)
    const posts = await user.related('posts').query().where('posts.id', params.postId).firstOrFail()
    return posts
  }
}

This pattern ensures that the authorization boundary is anchored to the authenticated user, and the subsequent query on the related model inherits that context. CockroachDB’s SQL compatibility means these queries translate efficiently into distributed execution plans without sacrificing correctness.

Finally, adopt a centralized policy or middleware to validate ownership before controller actions execute. Middleware can extract the object ID, fetch the record with authorization conditions, and attach it to the request, reducing duplication and ensuring consistent enforcement across routes.