Skip to Content

How do you combine IDOR checks with OAuth2 scopes on a single FastAPI route?

Category: Backend & API

Answer

IDOR (Insecure Direct Object Reference) is when a client supplies an ID they shouldn’t own; scope enforcement is who you are. The route should check both: Security(scopes=["messages:read"]) AND if resource.owner_id != current_user.id. Missing either leaks data.

Concrete examples from the fca project context

Example 1

Get /messages/{id} loads the message, asserts owner_id == sub, then projects to MessageResponse.

Example 2

scopes=[“messages:read”] rejects users without the permission, even if they find the route.

Example 3

extra=“ignore” on the response model lets you add fields without breaking older clients.

Data flow / flow chart

Bearer JWT -> scope check -> owner check -> project to typed response
  (rejecting 401 or 403 with intent-revealing messages)

Takeaway

Always combine scope (who you are) with ownership (what you own). One without the other leaks.