diff --git a/src/models/actions/CreateAuth.ts b/src/models/actions/CreateAuth.ts
index d36c17f..b31bee6 100644
--- a/src/models/actions/CreateAuth.ts
+++ b/src/models/actions/CreateAuth.ts
@@ -35,6 +35,7 @@ export class CreateAuth {
             const found_user = found_users[0]
             if (await argon2.verify(found_user.password, this.password + found_user.uuid)) {
                 const timestamp_accesstoken_expiry = Math.floor(Date.now() / 1000) + 5 * 60
+                found_user.permissions = found_user.permissions || []
                 delete found_user.password;
                 newAuth.access_token = jsonwebtoken.sign({
                     userdetails: found_user,
diff --git a/src/models/actions/RefreshAuth.ts b/src/models/actions/RefreshAuth.ts
index 77a2728..dacca59 100644
--- a/src/models/actions/RefreshAuth.ts
+++ b/src/models/actions/RefreshAuth.ts
@@ -28,6 +28,7 @@ export class RefreshAuth {
         if (found_user.refreshTokenCount !== decoded["refreshtokencount"]) {
             throw new RefreshTokenCountInvalidError()
         }
+        found_user.permissions = found_user.permissions || []
         delete found_user.password;
         const timestamp_accesstoken_expiry = Math.floor(Date.now() / 1000) + 5 * 60
         delete found_user.password;