mod_tokenauth: Return error instead of session for token without role

Such a session triggers errors in module:may or other places since it is
generally expected that a session must have a role.

1 files changed, 3 insertions, 1 deletions

diff --git a/plugins/mod_tokenauth.lua b/plugins/mod_tokenauth.lua
index ccd06155..4f0e6c54 100644
--- a/plugins/mod_tokenauth.lua
+++ b/plugins/mod_tokenauth.lua
@@ -252,12 +252,14 @@ function get_token_session(token, resource)
 	local token_info, err = _get_validated_token_info(token_id, token_user, token_host, token_secret);
 	if not token_info then return nil, err; end
 
+	local role = select_role(token_user, token_host, token_info.role);
+	if not role then return nil, "not-authorized"; end
 	return {
 		username = token_user;
 		host = token_host;
 		resource = token_info.resource or resource or generate_identifier();
 
-		role = select_role(token_user, token_host, token_info.role);
+		role = role;
 	};
 end