PS Product Security Knowledge Base

🧪 Worked Example Lab: API Review and Tenant Boundary Failure

Intro: This lab trains reviewers to spot the difference between route authentication and object-level authorization. It is deliberately simple because most real incidents begin with simple assumptions that nobody challenged early.

What this page includes

  • a short scenario and flawed API design
  • what a good reviewer should notice
  • example findings and recommended fixes
  • how to score the exercise

Scenario

A product team ships a new export endpoint:

GET /api/v1/exports/{export_id}
Authorization: Bearer <user token>

The route requires authentication. The service checks that the caller is logged in, then returns the export object by export_id.

What the reviewer should notice

  • authentication exists, but ownership of the export object is not proven;
  • export identifiers may be guessable, leaked, or re-used across tenants;
  • the endpoint may expose bulk sensitive data, making the impact much worse than a normal object read;
  • download and retention policy likely matter as much as the API path itself.

Example findings

  1. Broken object-level authorization for export retrieval.
  2. Tenant-boundary risk because export scope is not re-checked.
  3. Weak download governance if signed URLs or direct download links are long-lived.
  4. Low detective maturity if cross-tenant access failures are not logged or alerted.

What good remediation looks like

  • enforce ownership and tenant scope server-side for every retrieval;
  • bind export objects to both tenant and requester context where appropriate;
  • use short-lived signed downloads if direct object storage access is involved;
  • notify users or admins for high-risk exports.
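As an added example (not code from the lab page or the product team it describes), the handler from the scenario in a minimal Python form beside a hardened version that applies the remediation points above, with the denial logging and per-user counting that finding 4 asks for; the data store, identifiers and log shape are constructed for illustration.

```python
from typing import Dict, List, Optional
from dataclasses import dataclass

@dataclass(frozen=True)
class Export:
    export_id: str
    tenant_id: str
    owner_id: str
    payload: str
@dataclass(frozen=True)
class Caller:  # identity established upstream from the Bearer token
    user_id: str
    tenant_id: str

# Constructed sample store: two tenants, one export each (hypothetical data).
EXPORTS: Dict[str, Export] = {
    "exp-1001": Export("exp-1001", "tenant-a", "alice", "customer list A"),
    "exp-1002": Export("exp-1002", "tenant-b", "bob", "customer list B"),
}
SECURITY_LOG: List[dict] = []  # stand-in for the audit / SIEM sink

def get_export_flawed(caller: Caller, export_id: str) -> Optional[Export]:
    """As shipped in the scenario: the route is authenticated, but the object
    is fetched by export_id alone, so any logged-in user can read any export."""
    return EXPORTS.get(export_id)

def get_export_hardened(caller: Caller, export_id: str) -> Optional[Export]:
    """Remediation: resolve the object only within the caller's tenant scope and
    bind it to the requester; log every denial so probing becomes visible."""
    export = EXPORTS.get(export_id)
    in_scope = (export is not None and export.tenant_id == caller.tenant_id
                and export.owner_id == caller.user_id)
    if not in_scope:
        # Unknown IDs and out-of-scope hits both read as "not found", so the
        # response does not reveal which export IDs exist in other tenants.
        cross_tenant = export is not None and export.tenant_id != caller.tenant_id
        SECURITY_LOG.append({"event": "export_access_denied", "user": caller.user_id,
                             "tenant": caller.tenant_id, "export_id": export_id,
                             "cross_tenant": cross_tenant})
        return None
    return export

def cross_tenant_denials(log: List[dict]) -> Dict[str, int]:
    """Detective control: denials per user where the export belongs to another
    tenant. A single hit deserves a look; a burst suggests ID enumeration."""
    counts: Dict[str, int] = {}
    for event in log:
        if event["event"] == "export_access_denied" and event["cross_tenant"]:
            counts[event["user"]] = counts.get(event["user"], 0) + 1
    return counts
```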

Score the exercise

Area            Good answer looks like
primary issue   identifies object-level authorization failure
impact          explains bulk data and tenant impact
remediation     gives both preventive and detective controls
communication   can explain the issue in plain business language

Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.