#0103

Invoice Download

Difficulty: Medium | Reward: +100 XP | OWASP A01:2021 Broken Access Control | CWE-639
Tags: BOLA, IDOR, Authorization, Finance

Scenario

A billing service exposes a GET /invoices/:id endpoint. Clients pass their user ID alongside the invoice ID they wish to retrieve.

The handler fetches the invoice by ID and returns it immediately — no ownership check is performed.

Any authenticated user can download any invoice by guessing or enumerating IDs, leaking order amounts, itemised products, and billing addresses of other customers.

Financial documents are high-value targets. A single missing ownership check on an invoice endpoint can expose transaction history, pricing data, and shipping addresses of every customer.

Your Tasks

  1. Fix getInvoice so it checks that the invoice's ownerId matches the requestingUserId.
  2. Throw 'Forbidden' when the requester does not own the invoice.
  3. Throw 'Not found' when the invoice does not exist.
  4. Return the full invoice object for legitimate owners.

Examples

Example 1: Blocked — wrong owner

getInvoice('alice', 'inv-bob-1', db)
// inv-bob-1 belongs to bob
// → throws Error('Forbidden')

Example 2: Allowed — correct owner

getInvoice('bob', 'inv-bob-1', db)
// → returns { id: 'inv-bob-1', ownerId: 'bob', ... }

Constraints

  • Only edit the function body — do not change the function signature.
  • Throw exactly 'Forbidden' and 'Not found'.
  • No external packages — db is a plain in-memory array.
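The vulnerable handler from the scenario beside a fixed version that meets the four tasks, as an added example (not the platform's solution file); the db array and its two invoices are constructed sample data.

```javascript
// Constructed in-memory "db": a plain array of invoice objects, as the
// constraints describe. Sample data only.
const db = [
  { id: 'inv-alice-1', ownerId: 'alice', total: 120.0, items: ['keyboard'] },
  { id: 'inv-bob-1', ownerId: 'bob', total: 49.99, items: ['mouse'] },
];

// Vulnerable handler as described in the scenario: the invoice is fetched by
// ID and returned immediately. requestingUserId is never consulted, so any
// authenticated user can read any invoice whose ID they know or enumerate.
function getInvoiceVulnerable(requestingUserId, invoiceId, db) {
  const invoice = db.find((inv) => inv.id === invoiceId);
  if (!invoice) throw new Error('Not found');
  return invoice;
}

// Fixed handler: same signature, ownership enforced before any data leaves.
// Caveat for real deployments: requestingUserId must come from the verified
// session or token, not from a client-supplied field, otherwise the caller can
// simply claim the victim's ID and the check is meaningless. Note also that
// distinguishing 'Not found' from 'Forbidden' confirms whether an ID exists;
// the tasks require both messages, so that trade-off is accepted here.
function getInvoice(requestingUserId, invoiceId, db) {
  const invoice = db.find((inv) => inv.id === invoiceId);
  if (!invoice) throw new Error('Not found');
  if (invoice.ownerId !== requestingUserId) throw new Error('Forbidden');
  return invoice;
}

// Helper used to compare the two handlers: returns the thrown message, or
// 'ok' when the call succeeds.
function outcome(fn, requestingUserId, invoiceId) {
  try {
    fn(requestingUserId, invoiceId, db);
    return 'ok';
  } catch (e) {
    return e.message;
  }
}

console.log('vulnerable, alice reads bob:', outcome(getInvoiceVulnerable, 'alice', 'inv-bob-1'));
console.log('fixed, alice reads bob:     ', outcome(getInvoice, 'alice', 'inv-bob-1'));
console.log('fixed, bob reads bob:       ', outcome(getInvoice, 'bob', 'inv-bob-1'));
console.log('fixed, unknown invoice:     ', outcome(getInvoice, 'bob', 'inv-missing'));
```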
