Why this matters
The bug. Two issues collide. (1) == on Java strings compares object identity, not content. (2) If tokenService.lookup returns null for a malformed token *and* resourceOwner is also null (e.g., resource-not-found path), null == null is true — and unauthenticated traffic gets admin powers.
The fix. Always use .equals() for string content and null-guard. Objects.equals handles both nulls cleanly.
Code-review heuristic. Any == next to a String type, in security-adjacent code, is a stop-the-PR comment.
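The collision described above, with the vulnerable check beside its hardened form, as an added example that is not code from the original page; the `OwnerCheck` class, the in-memory token table and the `lookup` method are constructed stand-ins for `tokenService.lookup` and the resource-owner check.

```java
import java.util.Map;
import java.util.Objects;

public class OwnerCheck {
    // Constructed token table standing in for a real tokenService; a real
    // implementation would validate a signed token and return its subject.
    private static final Map<String, String> TOKENS = Map.of("tok-alice", "alice");

    // Stand-in for tokenService.lookup(): returns null for a malformed token.
    static String lookup(String token) {
        return token == null ? null : TOKENS.get(token);
    }

    // Vulnerable form: == compares references, and null == null is true,
    // so a malformed token against a missing resource passes the check.
    static boolean isOwnerVulnerable(String token, String resourceOwner) {
        return lookup(token) == resourceOwner;
    }

    // Hardened form: deny when either side is null, then compare content.
    // The explicit guard matters because Objects.equals(null, null) is true;
    // Objects.equals only removes the NullPointerException risk of a.equals(b).
    static boolean isOwnerFixed(String token, String resourceOwner) {
        String subject = lookup(token);
        if (subject == null || resourceOwner == null) {
            return false; // unauthenticated caller or unknown resource: deny
        }
        return Objects.equals(subject, resourceOwner);
    }

    public static void main(String[] args) {
        // Malformed token on the resource-not-found path.
        System.out.println(isOwnerVulnerable("garbage", null)); // true: bypass
        System.out.println(isOwnerFixed("garbage", null));      // false

        // Legitimate owner whose name was built at runtime (distinct object),
        // e.g. read from a database row rather than a string literal.
        String owner = new String("alice");
        System.out.println(isOwnerVulnerable("tok-alice", owner)); // false: wrong denial
        System.out.println(isOwnerFixed("tok-alice", owner));      // true
    }
}
```

The second pair shows the other half of the == defect: the same reference comparison also rejects a legitimate owner whenever the two strings are distinct objects, so the bug is both an over-grant and a spurious denial.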
Review heuristic
Every endpoint that accepts an id parameter needs a sentence in the diff or the spec answering: who is allowed to access objects with this id? If the answer is "any authenticated user," that's an IDOR. If the answer is "the owner," verify the query enforces it at the database layer.
External reference: CWE-639: Authorization Bypass Through User-Controlled Key.
↳ Real-world auth bypass class; CWE-595.