How to Prevent IDOR Vulnerabilities in Next.js API Routes
Imagine a user logging into your app and seeing another user’s private data. Authentication works, but authorization fails. This is an IDOR vulnerability—a critical security flaw where users access unauthorized resources by manipulating direct object references like IDs.
Authentication vs. Authorization
Authentication answers “Who are you?” (e.g., login). Authorization answers “What can you access?” (e.g., data ownership checks). IDOR occurs when authorization is missing, even if authentication is valid.
What is an IDOR Vulnerability?
An IDOR vulnerability arises when an API fetches a resource (e.g., /api/users/123) without verifying the requester owns it. For example:
GET /api/users/123
If the backend queries db.user.findUnique({ where: { id: '123' } }) without ownership checks, any authenticated user can modify the URL to access others’ data.
The Vulnerable Pattern in Next.js
Consider this Next.js API route:
export async function GET(req, { params }) {
const user = await db.user.findUnique({
where: { id: params.id },
});
return NextResponse.json({ user });
}
This code fetches a user by ID from the URL but lacks session validation or ownership checks. A malicious user could change id to access others’ data.
How to Handle IDOR in Next.js
1. **Verify Authentication**: Use getServerSession to confirm the user is logged in.
export async function requireSession() {
const session = await getServerSession(authOptions);
return session?.user?.id ? session : null;
}
2. **Check Ownership**: Compare the session user ID with the requested ID.
export async function GET(req, { params }) {
const session = await requireSession();
if (!session) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
if (session.user.id !== params.id) {
return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
}
const user = await db.user.findUnique({ where: { id: params.id } });
return NextResponse.json({ user });
}
Design Safer Endpoints
- Use
/api/mefor user-specific data instead of/api/users/[id]. - Validate session IDs and request parameters against database records.
- Log unauthorized access attempts for monitoring.
Mental Model for API Design
Always ask: “Does this user have permission to access this resource?” before returning data. Treat every request as potentially malicious.
Conclusion
Preventing IDOR vulnerabilities requires combining authentication with strict authorization checks. By verifying ownership in Next.js API routes, you protect user data and align with OWASP security best practices. Start by auditing your endpoints for unvalidated direct object references.
FAQs
How do I fix an IDOR vulnerability in Next.js?
Implement ownership checks by comparing the session user ID with the requested resource ID in your API routes.
Why is authentication alone not enough to prevent IDOR?
Authentication confirms identity, but authorization ensures the user owns the requested resource. IDOR occurs when authorization is missing.
Can I use NextAuth.js to secure Next.js APIs?
Yes. Use getServerSession to validate sessions and enforce ownership checks in your API routes.
What is object-level authorization?
Object-level authorization ensures users can only access resources they explicitly own, like their own user data.
How do I design secure API endpoints in Next.js?
Use /api/me for user-specific data, validate session IDs, and avoid exposing direct object references in URLs.








