Broken Access Control in Loopback (Javascript)
Broken Access Control in Loopback with Javascript
Broken Access Control in a Loopback application built with Javascript occurs when authorization checks are missing, incomplete, or bypassed, allowing a user to access or modify resources that should be restricted. Loopback is a Node.js framework that exposes models and REST endpoints quickly, but without explicit access controls it is easy to expose sensitive data or operations to unauthenticated or low-privileged users.
Consider an API exposing a Patient model where each record belongs to a specific clinic. If the model’s common/models/patient.json does not define a strict acls list, and the controller does not enforce scope-based permissions, an authenticated user can change the clinicId in the request to access other clinics’ patients. This is a BOLA/IDOR pattern and is one of the checks middleBrick runs as part of its 12 parallel security checks.
In JavaScript, the risk is amplified when developers rely on default remote methods or auto-generated endpoints. For example, a scaffolded Patient model might expose find, findById, create, and updateById without filtering by the user’s clinic. If the model is also exposed publicly with http: { path: '/api/patients', public: true }, unauthenticated or low-privilege users can enumerate and read data, resulting in Data Exposure.
middleBrick validates such scenarios by checking unauthenticated endpoints and inspecting the effective permissions. It maps findings to frameworks such as OWASP API Top 10 A01:2023 — Broken Access Control and provides remediation guidance. For instance, without proper property-level authorization, an attacker might supply a crafted request to retrieve or update fields they should not see or change.
Javascript-Specific Remediation in Loopback
To fix Broken Access Control in Loopback with Javascript, define strict ACLs on models and enforce contextual scoping in both model definitions and custom remote methods. Use role-based checks and ensure filters are applied server-side before returning data.
1. Define ACLs in model JSON
In common/models/patient.json, declare explicit acls to restrict who can read, write, or modify instances. This is the first line of defense in JavaScript Loopback apps.
{
"name": "Patient",
"base": "PersistedModel",
"idInjection": true,
"options": {
"validateUpsert": true
},
"properties": {
"clinicId": { "type": "string", "required": true },
"ssn": { "type": "string", "protected": true }
},
"acls": [
{
"accessType": "*",
"principalType": "ROLE",
"principalId": "$unauthenticated",
"permission": "DENY"
},
{
"accessType": "READ",
"principalType": "ROLE",
"principalId": "$authenticated",
"permission": "ALLOW",
"property": "find"
},
{
"accessType": "EXECUTE",
"principalType": "ROLE",
"principalId": "$authenticated",
"permission": "ALLOW",
"property": "searchByClinic"
}
]
}
2. Scope queries by clinic in model definition
Use a scope to ensure that any automatic find includes a filter on clinicId. In common/models/patient.js, define a scope and apply it by default.
module.exports = function(Patient) {
const scope = {
where: {
clinicId: Patient.app.get('currentClinicId') // injected per request
}
};
Patient.observe('access', function getClinicScope(ctx, next) {
if (ctx.query && ctx.query.where) {
ctx.query.where.clinicId = scope.where.clinicId;
} else {
ctx.query.where = { clinicId: scope.where.clinicId };
}
next();
});
};
3. Enforce ownership in custom remote methods
If you expose custom remote methods, validate ownership or clinic membership inside the method. Avoid relying on client-supplied IDs for access decisions.
Patient.searchByClinic = function(clinicId, filter, cb) {
const userId = Patient.app.get('userIdResolver')(); // e.g., from request context
// Ensure the requesting user belongs to the clinic
Patient.app.models.ClinicMembership.findOne({
where: { userId, clinicId }
}, function(err, membership) {
if (err || !membership) {
return cb(new Error('Unauthorized'));
}
const where = { clinicId: clinicId };
filter.where = filter.where ? { ...filter.where, ...where } : where;
Patient.find(filter, cb);
});
};
Patient.remoteMethod('searchByClinic', {
accepts: [{ arg: 'clinicId', type: 'string' }, { arg: 'filter', type: 'object' }],
returns: { arg: 'patients', type: ['Patient'] },
http: { path: '/search-by-clinic', verb: 'get' }
});
4. Use middleware to inject request-scoping
Leverage Loopback’s middleware to attach user and clinic context before any model operation runs. This ensures consistent scoping across built-in and custom endpoints.
module.exports = function(app) {
const models = app.models;
models.Patient.beforeRemote('**', function(ctx, instance, next) {
const clinicId = ctx.req && ctx.req.accessToken ? ctx.req.accessToken.clinicId : null;
if (clinicId) {
if (!ctx.args.where) ctx.args.where = {};
ctx.args.where.clinicId = clinicId;
}
next();
});
};
By combining ACLs, scoping observers, and middleware checks, you reduce the attack surface for Broken Access Control in JavaScript Loopback applications. middleBrick’s checks for BOLA/IDOR, Property Authorization, and Input Validation help verify that these controls are effective in practice.