Just because a user is authenticated doesn't mean they should be able to access everything in your API.
The common mistake many developers make looks like this:
// Vulnerable: looks the order up by ID only, with no check that it belongs to the caller
public function show(int $id)
{
    $order = Order::findOrFail($id);
    return response()->json($order);
}
The Problem:
If User A can access /api/orders/15, what stops User B (who is also authenticated) from requesting the same URL and viewing User A's order?
Nothing. findOrFail() only checks that an order with that ID exists, so any authenticated user who guesses or increments the ID gets it. That's a critical security flaw.
This is BOLA (Broken Object Level Authorization), listed as API1:2023, the #1 risk in the OWASP API Security Top 10.
The Solution:
Always verify that the authenticated user is authorized to access the specific resource. In Laravel, you have clean options:
Option 1: Use Policies ✅
class OrderPolicy
{
    // Only the owner of the order may view it
    public function view(User $user, Order $order): bool
    {
        return $order->user_id === $user->id;
    }
}

// Controller: {order} is resolved by route model binding, then the policy is enforced.
// $this->authorize() comes from the AuthorizesRequests trait; Laravel 11's skeleton base
// controller no longer includes it, so add the trait there (or call Gate::authorize()).
public function show(Order $order)
{
    $this->authorize('view', $order); // throws AuthorizationException (HTTP 403) on failure
    return $order;
}
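Here is the policy approach wired end to end, as an added example that is not code from the original post. It assumes a standard Laravel layout (App\Models\User with an orders() relationship, App\Models\Order with a user_id column, policy auto-discovery mapping App\Models\Order to App\Policies\OrderPolicy, Sanctum guarding the API routes) and uses the Gate facade rather than $this->authorize(), since Laravel 11's skeleton base controller no longer includes the AuthorizesRequests trait. The "note" column validated in update() is hypothetical. The policy covers update and delete as well, because the same BOLA flaw applies to every endpoint that takes an object ID, not just GET:

```php
<?php
// Added example, not code from the original post. Assumes App\Models\User has an
// orders() hasMany relationship, App\Models\Order has a user_id column, and Laravel's
// policy auto-discovery maps App\Models\Order to App\Policies\OrderPolicy.
// Three files are shown in one listing using braced namespaces.

// app/Policies/OrderPolicy.php
namespace App\Policies {
    use App\Models\Order;
    use App\Models\User;

    class OrderPolicy
    {
        // One ownership rule, reused by every per-object ability so they cannot drift apart
        private function owns(User $user, Order $order): bool
        {
            return $order->user_id === $user->id;
        }

        public function view(User $user, Order $order): bool
        {
            return $this->owns($user, $order);
        }

        public function update(User $user, Order $order): bool
        {
            return $this->owns($user, $order);
        }

        public function delete(User $user, Order $order): bool
        {
            return $this->owns($user, $order);
        }
    }
}

// app/Http/Controllers/OrderController.php
namespace App\Http\Controllers {
    use App\Models\Order;
    use Illuminate\Http\JsonResponse;
    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\Gate;

    class OrderController extends Controller
    {
        // {order} is resolved by route model binding (404 if missing). Gate::authorize()
        // then throws AuthorizationException (HTTP 403) unless OrderPolicy::view passes,
        // so the return line is never reached for someone else's order.
        public function show(Order $order): JsonResponse
        {
            Gate::authorize('view', $order);

            return response()->json($order);
        }

        public function update(Request $request, Order $order): JsonResponse
        {
            Gate::authorize('update', $order);

            $order->fill($request->validate([
                'note' => ['nullable', 'string', 'max:500'], // hypothetical fillable column
            ]))->save();

            return response()->json($order);
        }

        public function destroy(Order $order): JsonResponse
        {
            Gate::authorize('delete', $order);

            $order->delete();

            return response()->json(null, 204);
        }
    }
}

// routes/api.php
namespace {
    use App\Http\Controllers\OrderController;
    use Illuminate\Support\Facades\Route;

    // auth:sanctum answers "who are you?"; the Gate::authorize() calls above answer
    // "may you touch *this* order?". Both are needed on every route.
    Route::middleware('auth:sanctum')->group(function () {
        Route::get('/orders/{order}', [OrderController::class, 'show']);
        Route::patch('/orders/{order}', [OrderController::class, 'update']);
        Route::delete('/orders/{order}', [OrderController::class, 'destroy']);
    });
}
```

If you would rather enforce the policy before the controller is even entered, Laravel's can middleware does the same check declaratively, e.g. Route::get('/orders/{order}', [OrderController::class, 'show'])->middleware('can:view,order'). One caveat either way: a 403 from a failed policy confirms to the caller that an order with that ID exists, whereas scoping the query through the relationship (Option 2) returns a plain 404.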
Option 2: Scope via Relationships ✅
Query through the authenticated user's relationship, so the lookup becomes WHERE user_id = ? AND id = ?. Another user's order is simply not found and the client gets a 404, which also avoids confirming that the ID exists.
public function show(int $id)
{
    // Assumes User defines an orders() hasMany relationship
    $order = auth()->user()
        ->orders()
        ->findOrFail($id); // 404 unless the order belongs to the caller
    return $order;
}
The Golden Rule:
Never trust authentication alone. Always implement proper authorization.
Every endpoint that returns, updates or deletes user-specific data should verify ownership or permissions on that specific object, no exceptions.
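A regression test is the check that keeps either option from silently disappearing in a later refactor. The following PHPUnit feature test is an added example, not from the original post. It assumes model factories for User and Order (with Order's factory supplying a user_id), Sanctum for API authentication, and a GET /api/orders/{order} route protected by one of the two options above:

```php
<?php
// tests/Feature/OrderAuthorizationTest.php
// Added example, not from the original post. Assumes App\Models\User and App\Models\Order
// with model factories, a user() belongsTo relationship on Order (used by ->for()),
// Sanctum for API auth, and GET /api/orders/{order} guarded by a policy or relationship scope.

namespace Tests\Feature;

use App\Models\Order;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Laravel\Sanctum\Sanctum;
use Tests\TestCase;

class OrderAuthorizationTest extends TestCase
{
    use RefreshDatabase;

    public function test_owner_can_view_their_order(): void
    {
        $owner = User::factory()->create();
        $order = Order::factory()->for($owner)->create();

        Sanctum::actingAs($owner);

        $this->getJson("/api/orders/{$order->id}")
            ->assertOk()
            ->assertJsonPath('id', $order->id);
    }

    // The BOLA case: a different, fully authenticated user asks for the owner's order by ID
    public function test_authenticated_user_cannot_view_someone_elses_order(): void
    {
        $owner    = User::factory()->create();
        $intruder = User::factory()->create();
        $order    = Order::factory()->for($owner)->create();

        Sanctum::actingAs($intruder);

        $response = $this->getJson("/api/orders/{$order->id}");

        // A policy failure yields 403, a relationship-scoped findOrFail yields 404.
        // Either is acceptable; what must never happen is 200 with the owner's data.
        $this->assertContains($response->status(), [403, 404]);
        $response->assertJsonMissing(['user_id' => $owner->id]);
    }

    // Authentication is still required; this guards the auth middleware, not the policy
    public function test_unauthenticated_request_is_rejected(): void
    {
        $order = Order::factory()->create();

        $this->getJson("/api/orders/{$order->id}")->assertUnauthorized();
    }
}
```

Run it with php artisan test --filter OrderAuthorizationTest. The second test is the one that fails against the vulnerable show() at the top of this post, which is exactly the point: it pins the fix in place.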