diff --git a/server/src/auth/middleware.ts b/server/src/auth/middleware.ts
index 067d7af..7858942 100644
--- a/server/src/auth/middleware.ts
+++ b/server/src/auth/middleware.ts
@@ -28,20 +28,28 @@ export function requireAuth(req: Request, res: Response, next: NextFunction): vo
 export function requireCampaignRole(role: "dm" | "player") {
 return async (req: Request, res: Response, next: NextFunction): Promise => {
+ if (!req.user) {
+ res.status(401).json({ error: "Unauthorized" });
+ return;
+ }
 const campaignId = req.params.campaignId ?? req.params.id;
- const userId = req.user!.userId;
- const [rows] = await db.execute(
- "SELECT role FROM campaign_members WHERE campaign_id = ? AND user_id = ?",
- [campaignId, userId]
- );
- if (rows.length === 0) {
- res.status(403).json({ error: "Not a campaign member" });
- return;
+ const userId = req.user.userId;
+ try {
+ const [rows] = await db.execute(
+ "SELECT role FROM campaign_members WHERE campaign_id = ? AND user_id = ?",
+ [campaignId, userId]
+ );
+ if (rows.length === 0) {
+ res.status(403).json({ error: "Not a campaign member" });
+ return;
+ }
+ if (role === "dm" && rows[0].role !== "dm") {
+ res.status(403).json({ error: "DM access required" });
+ return;
+ }
+ next();
+ } catch (err) {
+ next(err);
 }
- if (role === "dm" && rows[0].role !== "dm") {
- res.status(403).json({ error: "DM access required" });
- return;
- }
- next();
 };
 }
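Review bot: The query inside the new `try` block still runs when neither `req.params.campaignId` nor `req.params.id` is set, so `campaignId` reaches `db.execute` as `undefined`; depending on the driver that either throws (now surfacing as a 500 via `next(err)`) or binds NULL and yields a 403, and neither response tells the caller the route was mis-parameterized. Add a guard before the query, e.g. `if (campaignId === undefined) { res.status(400).json({ error: "Missing campaign id" }); return; }`. Separately, the unchanged `?? req.params.id` fallback means a route whose `:id` names something other than a campaign would have membership checked against the wrong entity, which is an authorization bug rather than a crash — worth confirming every route mounting this middleware names the parameter `campaignId`, or dropping the fallback. The explicit 401 guard replacing `req.user!` and the error propagation through `next(err)` are good additions; the membership and DM checks themselves are unchanged and still keyed on the parameterized query, so there is no enumeration difference between a non-existent and a non-member campaign.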