SECURITY CRITICAL: API Exposes IDOR Flaw, Allowing Any User to Hijack Others' Favorites
A critical security vulnerability in a web application's API allows any authenticated user to impersonate any other user, granting unauthorized access to create, delete, and query personal favorites. The flaw, a classic Broken Object Level Authorization (BOLA/IDOR) issue, stems from an authorization bypass in the code handling user-specific data: the handlers trust a client-supplied user ID instead of the identity established during authentication.
The vulnerability is located in the `favourites.ts` route handlers within the application's API. Instead of reading the authenticated user's ID from the verified JWT (`req.userId`), the code reads the `userId` field directly from the user-controlled request body (`req.body`). This mistake is present in three key endpoints: the POST route for creating favorites (line 19), the DELETE route for removing them (line 44), and the POST `/status` route for querying them (lines 70-71). Because the body is entirely under the caller's control, this design flaw effectively removes the authorization check, letting a logged-in user specify any other user's ID and act on their behalf.
The impact is a complete compromise of data integrity and privacy for the 'favorites' feature. An attacker can arbitrarily manipulate another user's saved items—adding, removing, or enumerating them—without their knowledge or consent. This vulnerability, categorized as OWASP API Security Top 10 #1, represents a severe failure in access control logic. The fix requires a simple but critical code change: replacing `req.body.userId` with the server-verified `req.userId` across all three vulnerable handlers to properly enforce user isolation.
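The following added example (not the application's own `favourites.ts`) shows the vulnerable handler pattern beside its fixed form, using a minimal Express-like request shape so it runs without the framework. The `AuthedRequest` type, the in-memory `favourites` store and the item IDs are constructed for illustration; the example assumes a JWT middleware has already populated `req.userId` before the handler runs.

```typescript
// Minimal stand-in for an Express request after the JWT middleware has run.
// `userId` is set server-side from the verified token; `body` is client-controlled.
interface AuthedRequest {
  userId?: string;
  body: Record<string, unknown>;
}

interface HandlerResult {
  status: number;
  owner?: string;         // whose favourites list the handler acted on
  present?: boolean;      // result of a status query
}

// In-memory favourites store standing in for the database (constructed).
const favourites = new Map<string, Set<string>>();

function addFavourite(userId: string, itemId: string): void {
  if (!favourites.has(userId)) favourites.set(userId, new Set());
  favourites.get(userId)!.add(itemId);
}

// VULNERABLE pattern: the owner comes from req.body, so any authenticated
// caller can write into any other user's list just by changing one field.
function createFavouriteVulnerable(req: AuthedRequest): HandlerResult {
  const userId = req.body.userId as string;   // attacker-controlled
  const itemId = req.body.itemId as string;
  addFavourite(userId, itemId);
  return { status: 201, owner: userId };
}

// FIXED pattern: the owner is always the identity the JWT middleware verified.
// A body-supplied userId is simply never read.
function createFavouriteFixed(req: AuthedRequest): HandlerResult {
  if (!req.userId) return { status: 401 };    // middleware did not authenticate
  const itemId = req.body.itemId;
  if (typeof itemId !== "string") return { status: 400 };
  addFavourite(req.userId, itemId);
  return { status: 201, owner: req.userId };
}

// FIXED /status-style query: scoped to the caller, so other users' lists
// cannot be enumerated.
function favouriteStatusFixed(req: AuthedRequest): HandlerResult {
  if (!req.userId) return { status: 401 };
  const itemId = req.body.itemId;
  if (typeof itemId !== "string") return { status: 400 };
  const present = favourites.get(req.userId)?.has(itemId) ?? false;
  return { status: 200, owner: req.userId, present };
}
```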