Broken Access Control in Sinatra with Bearer Tokens
Broken Access Control in Sinatra with Bearer Tokens — how this specific combination creates or exposes the vulnerability
Broken Access Control is an OWASP API Top 10 category that often manifests in Sinatra services that rely on Bearer Tokens without enforcing authorization checks on every request. In Sinatra, routes are typically defined with lightweight patterns, and it is easy to protect only a subset of endpoints or to apply token validation inconsistently. When Bearer Tokens are accepted but not validated for scope, role, or tenant boundaries, attackers can manipulate URLs or HTTP methods to access other users’ resources.
Consider a Sinatra app that uses bearer_auth helper for token validation but applies it selectively. If a developer protects only sensitive routes and forgets to secure an endpoint like /users/:user_id, an authenticated user can change the :user_id parameter to access or modify another user’s data. This is a classic BOLA/IDOR issue, and it is compounded when token validation does not include claims-based authorization such as scopes or roles. For example, a token with read-only scopes might still invoke write endpoints if route-level protections are missing or misconfigured.
Another common pattern is using before filters in Sinatra to validate Bearer Tokens. If the before block sets current_user but does not enforce authorization on each sensitive operation, or if it fails to reject requests when the token lacks required claims, the API surface remains vulnerable. Attackers can probe endpoints with valid tokens that lack necessary permissions, leveraging BFLA/Privilege Escalation to perform actions beyond their intended rights. The risk is higher when token introspection or validation logic is inconsistent across routes, or when middleware does not enforce tenant isolation based on token claims.
Input validation also interacts with access control flaws. An endpoint that accepts an ID parameter without strict type or format checks can be targeted with malformed or unexpected values to bypass reference checks. Combined with weak Bearer Token validation, this makes it easier to exploit IDOR patterns. For instance, numeric IDs can be incremented sequentially to enumerate other resources, and if the API does not verify that the requested resource belongs to the authenticated subject, the attack succeeds.
Compliance mappings such as OWASP API Top 10 (2023) classify these issues under Broken Access Control. PCI-DSS, SOC2, and GDPR also require that access to personal data be limited to authorized subjects only. middleBrick scans detect these patterns by correlating authentication findings with authorization checks across endpoints, highlighting missing scope enforcement, inconsistent before filters, and parameter-level authorization gaps.
Bearer Tokens-Specific Remediation in Sinatra — concrete code fixes
To remediate Broken Access Control in Sinatra when using Bearer Tokens, enforce authorization consistently on every route, validate token claims for scope and roles, and ensure resource ownership checks are performed server-side. Below are concrete, working examples that demonstrate secure patterns.
1. Centralized token validation with claims-based authorization
Use a before filter to validate the Bearer Token on every request and extract authorization claims. Then, apply per-route checks to enforce scopes or roles.
require 'sinatra'
require 'json'
require 'net/http'
helpers do
def validate_bearer_token(token)
# Replace with your auth provider introspection or JWT verification
uri = URI('https://auth.example.com/introspect')
req = Net::HTTP::Post.new(uri, { 'Content-Type' => 'application/x-www-form-urlencoded' })
req.basic_auth('client_id', 'client_secret')
req.body = "token=#{token}"
res = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) { |http| http.request(req) }
if res.code.to_i == 200 && JSON.parse(res.body)['active']
JSON.parse(res.body)
else
nil
end
end
def require_scope(required_scope)
unless current_user['scopes']&.include?(required_scope)
halt 403, { error: 'insufficient_scope', message: 'Missing required scope' }.to_json
end
end
def ensure_owns_resource(owner_id)
halt 403, { error: 'forbidden', message: 'Access denied to resource' }.to_json unless current_user['sub'] == owner_id
end
end
before do
content_type :json
auth_header = request.env['HTTP_AUTHORIZATION']
if auth_header && auth_header.start_with?('Bearer ')
token = auth_header.split(' ').last
@current_user = validate_bearer_token(token)
end
halt 401, { error: 'unauthorized', message: 'Missing or invalid token' }.to_json unless @current_user
end
get '/users/:user_id' do
ensure_owns_resource(params[:user_id])
{ user_id: params[:user_id], data: 'safe data' }.to_json
end
post '/users/:user_id/premium' do
require_scope('premium')
ensure_owns_resource(params[:user_id])
{ user_id: params[:user_id], upgraded: true }.to_json
end
2. Enforce tenant isolation with scopes or roles
If your API serves multiple tenants, encode tenant identifiers in token claims and verify them on each request.
get '/records/:record_id' do
tenant_id = @current_user['tenant_id']
record = Record.find_by(id: params[:record_id])
if record.nil? || record.tenant_id != tenant_id
halt 404, { error: 'not_found' }.to_json
end
record.to_json
end
3. Combine authentication and authorization checks
For endpoints that perform sensitive operations, require specific scopes in addition to ownership checks.
delete '/users/:user_id' do
require_scope('admin')
target_user = User.find_by(id: params[:user_id])
if target_user.nil? || target_user.admin != true
halt 403, { error: 'forbidden' }.to_json
end
target_user.destroy
{ status: 'deleted' }.to_json
end
These patterns ensure that Bearer Tokens are validated consistently, required scopes are enforced, and resource ownership is verified. middleBrick can identify missing authorization checks and scope enforcement issues by correlating authentication findings with route-level protections, helping you prioritize fixes.