Broken Access Control in Echo Go with Mongodb

Broken Access Control occurs when an API fails to enforce proper authorization checks, allowing one user to access or modify another user’s resources. In an Echo Go service that uses Mongodb, this often arises when route-level permissions are missing or incorrectly applied and when queries do not scope documents to the authenticated subject.

Echo Go is a minimal HTTP framework; it does not enforce authorization by default. If handlers rely only on URL parameters or in-memory user state without re-validating ownership, attackers can change IDs in requests to access other users’ data. For example, an endpoint like /users/:id/profile might read a profile by ID without confirming the authenticated user owns that ID. Using Mongodb, an attacker can exploit this by manipulating the ID in the request to reference another document. If the backend builds queries such as bson.M{"_id": userID} without cross-checking the authenticated user’s identifier, the attacker can view or edit any profile by iterating IDs.

Role-based or scope-based authorization can also be misconfigured. Suppose the application decodes a JWT and stores roles in the context but later issues a broad Mongodb query like bson.M{} (no filter) or uses session-level caching without re-evaluating scopes. In such cases, a user with a low-privilege token might gain elevated permissions if the handler skips checks. Additionally, projection issues in Mongodb can expose sensitive fields when queries return more data than necessary, especially if the handler assumes the response is safe simply because the request path was protected.

Compounded risks appear when IDs are predictable (e.g., sequential ObjectIDs or UUIDs without ownership checks). An authenticated user can iterate through likely values and, if each request returns a 200 with data, infer existence and details of other accounts. MiddleBrick’s BOLA/IDOR checks specifically flag these patterns, correlating runtime behavior with OpenAPI paths and Mongodb query shapes to highlight missing authorization boundaries. This combination of an unguarded Echo Go route and an unconstrained Mongodb query creates a clear path for unauthorized data access or manipulation.

Remediation centers on enforcing ownership or role checks in every handler and ensuring Mongodb queries always include the subject identifier. Below are concrete, idiomatic examples that you can adopt in Echo Go services.

1. Scoped queries with authenticated user ID

Always include the authenticated user’s ID in the query filter. Do not rely on URL parameters alone. Example using the official MongoDB Go driver:

import ("go.mongodb.org/mongo-driver/bson"
        "go.mongodb.org/mongo-driver/mongo")

// getUserProfile safely retrieves a profile owned by the authenticated user.
func getUserProfile(c echo.Context) error {
    userID := c.Get("user_id").(string) // authenticated subject from JWT/session
    var profile Profile
    filter := bson.M{"_id": userID} // scope to the authenticated user
    err := coll.FindOne(c.Request().Context(), filter).Decode(&profile)
    if err != nil {
        if err == mongo.ErrNoDocuments {
            return echo.NewHTTPError(http.StatusNotFound, "profile not found")
        }
        return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
    }
    return c.JSON(http.StatusOK, profile)
}

2. Role and scope validation before operations

Check claims such as roles or scopes from the JWT before performing write or sensitive read operations. Example with a PATCH update that ensures the user can only edit their own document:

import "go.mongodb.org/mongo-driver/bson"

// updateUserEmail requires the subject to match the document ID.
func updateUserEmail(c echo.Context) error {
    userID := c.Get("user_id").(string)
    var req struct {
        Email string `json:"email" validate:"email"`
    }
    if err := c.Bind(&req); err != nil {
        return echo.NewHTTPError(http.StatusBadRequest, "invalid request")
    }
    filter := bson.M{"_id": userID}
    update := bson.M{"$set": bson.M{"email": req.Email}}
    result, err := coll.UpdateOne(c.Request().Context(), filter, update)
    if err != nil {
        return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
    }
    if result.MatchedCount == 0 {
        return echo.NewHTTPError(http.StatusForbidden, "you do not have permission to update this resource")
    }
    return c.NoContent(http.StatusOK)
}

3. Avoid broad queries and unsafe projections

Do not use empty filters or projections that return sensitive fields. Always scope and explicitly include required fields:

// safeList returns only public fields for profiles the user is allowed to see.
func safeList(c echo.Context) error {
    userID := c.Get("user_id").(string)
    cursor, err := coll.Find(c.Request().Context(),
        bson.M{"_id": bson.M{"$ne": userID}}, // example: exclude self if needed
        options.Find().SetProjection(bson.M{"username": 1, "publicBio": 1, "_id": 1}),
    )
    if err != nil {
        return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
    }
    defer cursor.Close(c.Request().Context())
    var results []bson.M
    if err = cursor.All(c.Request().Context(), &results); err != nil {
        return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
    }
    return c.JSON(http.StatusOK, results)
}

4. Validate ObjectIDs and avoid injection via user input

When using string IDs, validate format before building queries. If you use primitive.ObjectID, ensure the input is convertible to prevent errors or injection-like behavior:

import ("go.mongodb.org/mongo-driver/bson/primitive")

func getSafe(c echo.Context) error {
    userID := c.Param("id")
    objID, err := primitive.ObjectIDFromHex(userID)
    if err != nil {
        return echo.NewHTTPError(http.StatusBadRequest, "invalid id format")
    }
    // Even after conversion, scope by authenticated subject.
    filter := bson.M{"_id": objID, "owner_id": c.Get("user_id")}
    var doc Document
    if err := coll.FindOne(c.Request().Context(), filter).Decode(&doc); err != nil {
        if err == mongo.ErrNoDocuments {
            return echo.NewHTTPError(http.StatusNotFound, "not found")
        }
        return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
    }
    return c.JSON(http.StatusOK, doc)
}

5. Use RBAC or scopes and enforce at the database layer

For multi-tenant or role-based setups, embed tenant or role in the document and include it in every filter. This ensures that even if an ID is guessed, the document will not be returned unless the subject’s tenant/role matches:

type Document struct {
    ID       primitive.ObjectID `bson:"_id"`
    TenantID string             `bson:"tenant_id"`
    Data     string             `bson:"data"`
}

func getByTenant(c echo.Context) error {
    userID := c.Get("user_id").(string)
    tenant := c.Get("tenant").(string)
    filter := bson.M{
        "_id":       userID,
        "tenant_id": tenant,
    }
    var doc Document
    if err := coll.FindOne(c.Request().Context(), filter).Decode(&doc); err != nil {
        if err == mongo.ErrNoDocuments {
            return echo.NewHTTPError(http.StatusNotFound, "not found")
        }
        return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
    }
    return c.JSON(http.StatusOK, doc)
}

These patterns ensure that authorization is verified per request, the subject is tied to every Mongodb filter, and sensitive data is not unintentionally exposed. Combined with API security scanning, they reduce the likelihood of Broken Access Control in Echo Go services backed by Mongodb.