fix: add req.user guard and try/catch to requireCampaignRole middleware

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

server/src/auth/middleware.ts

@@ -28,8 +28,13 @@ export function requireAuth(req: Request, res: Response, next: NextFunction): vo
 
 export function requireCampaignRole(role: "dm" | "player") {
   return async (req: Request, res: Response, next: NextFunction): Promise<void> => {
+    if (!req.user) {
+      res.status(401).json({ error: "Unauthorized" });
+      return;
+    }
     const campaignId = req.params.campaignId ?? req.params.id;
-    const userId = req.user!.userId;
+    const userId = req.user.userId;
+    try {
       const [rows] = await db.execute<RowDataPacket[]>(
         "SELECT role FROM campaign_members WHERE campaign_id = ? AND user_id = ?",
         [campaignId, userId]
@@ -43,5 +48,8 @@ export function requireCampaignRole(role: "dm" | "player") {
         return;
       }
       next();
+    } catch (err) {
+      next(err);
+    }
   };
 }