diff --git a/owasp-top10-2021-apps/a1/ecommerce-api/app/handlers/auth.go b/owasp-top10-2021-apps/a1/ecommerce-api/app/handlers/auth.go
new file mode 100644
index 000000000..6a4ffef11
--- /dev/null
+++ b/owasp-top10-2021-apps/a1/ecommerce-api/app/handlers/auth.go
@@ -0,0 +1,26 @@
+package handlers
+
+import (
+ "github.com/labstack/echo"
+ "net/http"
+)
+
+// ValidateUserAccess checks if the authenticated user has access to the requested resource
+func ValidateUserAccess(c echo.Context, requestedID string) error {
+ authenticatedUserID := c.Get("user")
+ if authenticatedUserID == nil {
+ return echo.NewHTTPError(http.StatusUnauthorized, map[string]string{
+ "result": "error",
+ "details": "Authentication required",
+ })
+ }
+
+ if authenticatedUserID.(string) != requestedID {
+ return echo.NewHTTPError(http.StatusForbidden, map[string]string{
+ "result": "error",
+ "details": "Access denied",
+ })
+ }
+
+ return nil
+}
diff --git a/owasp-top10-2021-apps/a1/ecommerce-api/app/handlers/handlers.go b/owasp-top10-2021-apps/a1/ecommerce-api/app/handlers/handlers.go
index ea71f28d2..ead3a8bd5 100644
--- a/owasp-top10-2021-apps/a1/ecommerce-api/app/handlers/handlers.go
+++ b/owasp-top10-2021-apps/a1/ecommerce-api/app/handlers/handlers.go
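Review bot: The single-value type assertion `authenticatedUserID.(string)` in ValidateUserAccess panics if whatever the auth middleware stored under the "user" key is not a plain string (for example a token struct carrying the ID), so an unexpected context value becomes a handler panic rather than a clean 401/403. Use the comma-ok form and treat a non-string value as a failed check: `uid, ok := authenticatedUserID.(string)` followed by `if !ok || uid != requestedID {` returning the existing StatusForbidden error from that branch. This diff does not show the middleware that populates "user", so confirm it stores the bare user ID as a string before relying on this comparison as the access-control boundary. As a point of style, goimports would place "net/http" in a stdlib group ahead of "github.com/labstack/echo".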
@@ -13,13 +13,17 @@ func HealthCheck(c echo.Context) error {
 return c.String(http.StatusOK, "WORKING\n")
 }
-// GetTicket returns the userID ticket.
+// GetTicket returns the authenticated user's ticket.
 func GetTicket(c echo.Context) error {
- id := c.Param("id")
- userDataQuery := map[string]interface{}{"userID": id}
+ requestedID := c.Param("id")
+
+ if err := ValidateUserAccess(c, requestedID); err != nil {
+ return err
+ }
+
+ userDataQuery := map[string]interface{}{"userID": requestedID}
 userDataResult, err := db.GetUserData(userDataQuery)
 if err != nil {
- // could not find this user in MongoDB (or MongoDB err connection)
 return c.JSON(http.StatusBadRequest, map[string]string{"result": "error", "details": "Error finding this UserID."})
 }