diff --git a/src/backend/src/services/auth/AntiCSRFService.js b/src/backend/src/services/auth/AntiCSRFService.js
index c9e60bddf..3a8089eb0 100644
--- a/src/backend/src/services/auth/AntiCSRFService.js
+++ b/src/backend/src/services/auth/AntiCSRFService.js
@@ -94,6 +94,11 @@ class AntiCSRFService extends BaseService {
 if ( ! subdomain_check ) {
 return res.status(404).send('Hey, stop that!');
 }
+
+ if ( ! req.user ) {
+ res.status(403).send({});
+ return;
+ }
 
 // TODO: session uuid instead of user
 const token = this.create_token(req.user.uuid);
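Review bot: The new `! req.user` guard answers a caller that has no user with 403 and an empty object, while a missing login is conventionally signalled with 401, and the empty body gives a client nothing to distinguish "not signed in" from a real authorization refusal. If no existing client depends on the 403, consider `return res.status(401).send({ error: 'authentication required' });`, which also matches the single-statement `return res.status(...)` form of the subdomain check directly above. A one-line comment such as `// req.user may be absent here; create_token below needs req.user.uuid` would record why the guard exists. The enclosing handler starts and ends outside the hunk, so whether authentication middleware is meant to run before it cannot be confirmed from these lines.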