Add authorization to all routes

src/routes/accesscontrol.js

@@ -94,6 +94,7 @@ function authorize(requiredRole) {
 
     return function (req, res, next) {
         assert.strictEqual(typeof req.user, 'object');
+        assert.strictEqual(typeof req.token, 'object');
 
         if (users.compareRoles(req.user.role, requiredRole) < 0) return next(new HttpError(403, `role '${requiredRole}' is required but user has only '${req.user.role}'`));
         if (!tokens.hasScope(req.token, req.method, req.path)) return next(new HttpError(403, 'access token does not have this scope'));
@@ -106,6 +107,7 @@ async function authorizeOperator(req, res, next) {
     assert.strictEqual(typeof req.params.id, 'string');
     assert.strictEqual(typeof req.user, 'object');
     assert.strictEqual(typeof req.app, 'object');
+    assert.strictEqual(typeof req.token, 'object');
 
     if (!tokens.hasScope(req.token, req.method, req.path)) return next(new HttpError(403, 'access token does not have this scope'));
     if (apps.isOperator(req.app, req.user)) return next();