fix: add req.user guard and try/catch to requireCampaignRole middleware

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-11 00:22:48 -04:00 · 2026-04-11 00:22:48 -04:00 · 80f0b3535b
commit 80f0b3535b
parent bd433286ae
1 changed files with 21 additions and 13 deletions
--- a/server/src/auth/middleware.ts
+++ b/server/src/auth/middleware.ts
@ -28,20 +28,28 @@ export function requireAuth(req: Request, res: Response, next: NextFunction): vo

 export function requireCampaignRole(role: "dm" | "player") {
  return async (req: Request, res: Response, next: NextFunction): Promise<void> => {
+    if (!req.user) {
+      res.status(401).json({ error: "Unauthorized" });
+      return;
+    }
    const campaignId = req.params.campaignId ?? req.params.id;
-    const userId = req.user!.userId;
-    const [rows] = await db.execute<RowDataPacket[]>(
-      "SELECT role FROM campaign_members WHERE campaign_id = ? AND user_id = ?",
-      [campaignId, userId]
-    );
-    if (rows.length === 0) {
-      res.status(403).json({ error: "Not a campaign member" });
-      return;
+    const userId = req.user.userId;
+    try {
+      const [rows] = await db.execute<RowDataPacket[]>(
+        "SELECT role FROM campaign_members WHERE campaign_id = ? AND user_id = ?",
+        [campaignId, userId]
+      );
+      if (rows.length === 0) {
+        res.status(403).json({ error: "Not a campaign member" });
+        return;
+      }
+      if (role === "dm" && rows[0].role !== "dm") {
+        res.status(403).json({ error: "DM access required" });
+        return;
+      }
+      next();
+    } catch (err) {
+      next(err);
    }
-    if (role === "dm" && rows[0].role !== "dm") {
-      res.status(403).json({ error: "DM access required" });
-      return;
-    }
-    next();
  };
 }