ChallengeMediumTypeScript

Admin Financial Report Access

Scenario

A secured endpoint that returns detailed financial reports to authenticated admins, gated to each organization's own data.

Business expectation

Authenticated admins may only view financial reports that belong to their own organization. A valid admin token from organization A must never return a report owned by organization B. Report IDs are sequential integers and can be enumerated.

Security expectations

Internal error details — including database error messages, query strings, and stack traces — must never be sent to the client. On a database failure, the response must contain only a generic error message.

Bug report

On 2025-03-04 a penetration test found that an admin could retrieve other organizations' reports by iterating reportId. On 2025-03-06 staging showed a forced database error returned the raw connection error string, exposing the hostname and a credential fragment.

44 lines

src/admin/reportAccess.ts

Returns a financial report for the authenticated admin's organization.

// GET /admin/reports/:reportId — returns a financial report for an authenticated admin.

import type { Request, Response } from "express";

import { db } from "./db";

export interface AuthenticatedAdmin {

  adminId: string;

  orgId: string;

// Shapes the successful API response.

function reportPayload(report: unknown) {

  return { report };

/**

 * Returns the financial report with the given ID.

 * Access control: the report must belong to the same organization as the

 * authenticated admin. Reports from other organizations must not be returned —

 * respond with 404 as if the report does not exist.

 * Errors: a database failure must return a safe 500 response without

 * disclosing internal error details to the caller.

*/

// Returns one report for the authenticated admin.

export async function getReport(

  req: Request & { user: AuthenticatedAdmin },

  res: Response,

): Promise<void> {

  const { reportId } = req.params;

  try {

    const report = await db.reports.findById(reportId);

    if (!report) {

      res.status(404).json({ error: "Report not found" });

      return;

    res.status(200).json(reportPayload(report));

  } catch (err) {

    res.status(500).json({ error: (err as Error).message });

No findings yet

Click on a line number in the code to add a finding

You need to log in or sign up to submit.

You can inspect the challenge for free, but AI review and results require an account.

Sign inorSign up