Bola Idor in Rocket with Mutual Tls

Broken Object Level Authorization (BOLA) is an API security risk where an attacker can access or modify objects they should not have access to, typically by tampering with object identifiers such as IDs in URLs or headers. Rocket, when configured with Mutual TLS (mTLS), uses client certificates to authenticate connections at the transport layer. While mTLS verifies that a request originates from a trusted client, it does not by itself enforce object-level permissions. This creates a scenario where an authenticated client with a valid certificate can still perform actions on resources that belong to other users or roles, because authorization checks are applied after the TLS handshake completes.

In a Rocket application using mTLS, the client certificate is often mapped to a user identity (for example, via serial number or subject). If the API endpoints only verify the presence of a valid certificate and skip per-object authorization, BOLA becomes possible. For example, an authenticated user might change a numeric resource ID in a GET request from /users/123 to /users/124. With mTLS, the server accepts the request as authenticated, but if route guards or object ownership checks are missing, the server may return data for user 124 to user 123. This is a classic BOLA issue, sometimes called IDOR, where the lack of proper authorization at the object level overrides the transport-layer assurance provided by mTLS.

Rocket’s routing and request guards can inadvertently expose BOLA when mTLS is used for authentication but authorization logic is inconsistent or applied only at the route level. For instance, if you authenticate via client certificates and then fetch a record directly by ID without verifying that the authenticated principal owns that record, the API surface remains vulnerable. Attackers can probe predictable IDs even though mTLS prevents unauthenticated access. The combination of strong transport authentication and weak or missing object-level checks can lead to data exposure across tenant boundaries or privilege escalation across roles. This highlights the importance of coupling mTLS with explicit, per-request authorization checks that validate object ownership and scope.

To mitigate BOLA in Rocket when using mTLS, you must enforce object-level authorization in addition to transport authentication. This means verifying that the authenticated principal (derived from the client certificate) has permission to access the specific resource requested. Below are concrete code examples showing how to integrate mTLS with per-request authorization in Rocket.

First, configure Rocket to require client certificates and extract identity from the certificate. Then, implement a fairing or request guard that checks ownership or role-based permissions before allowing access to a resource.

// Rocket 0.5+ example using TLS and request guards
use rocket::http::Status;
use rocket::request::{self, FromRequest, Request};
use rocket::tokio::sync::Mutex;
use std::sync::Arc;

// Simulated database or permission store
struct Db {
    // Map user_id -> allowed resource_ids
    permissions: Arc<std::collections::HashMap<String, Vec<u64>>>,
}

// Identity derived from client certificate
struct User {
    id: String,
}

#[rocket::async_trait]
impl<'_> FromRequest<'_, > for User {
    type Error = ();

    async fn from_request(req: &Request<'>) -> request::Outcome<Self, Self::Error> {
        // In practice, extract the peer certificate and map it to a user.
        // Here we simulate that extraction for clarity.
        if let Some(cert_serial) = req.headers().get_one("X-Client-Cert-Serial") {
            // Fetch or lookup user from a shared state (e.g., DB or cache)
            let db = req.rocket().state::<Arc<Db>>().unwrap();
            // Simple check: if user exists in permissions, treat as authenticated
            if db.permissions.contains_key(cert_serial) {
                return request::Outcome::Success(User { id: cert_serial.to_string() });
            }
        }
        request::Outcome::Error((Status::Unauthorized, ()))
    }
}

// Protected resource endpoint with object-level check
#[rocket::get("/users/<id>")]
async fn get_user(user: User, id: u64, db: &rocket::State<Arc<Db>>) -> Result<String, Status> {
    // BOLA mitigation: verify that the authenticated user is allowed to view this id
    let allowed = db.permissions.get(&user.id)
        .map(|allowed_ids| allowed_ids.contains(&id))
        .unwrap_or(false);
    if !allowed {
        return Err(Status::Forbidden);
    }
    Ok(format!(