How to Prevent IDOR Vulnerabilities in Next.js API Routes

Imagine this situation: A user logs in successfully to your application, but upon loading their dashboard, they see someone else’s data. Why does this happen? The authentication worked, the session is