diff --git a/server/api/BaseApi.ts b/server/api/BaseApi.ts
index 437b7e7..06237de 100644
--- a/server/api/BaseApi.ts
+++ b/server/api/BaseApi.ts
@@ -25,7 +25,7 @@ export default abstract class BaseApi {
 }
 checkToken(token: Token, deviceId: string) {
 if (token.expired_time < Date.now()) return false
- if (!User.findById(token.author)) return false
+ if (!token.author || !User.findById(token.author)) return false
 if (deviceId != null) if (token.device_id != deviceId) return false
diff --git a/server/api/FileTokenManager.ts b/server/api/FileTokenManager.ts
index 5f53877..a781617 100644
--- a/server/api/FileTokenManager.ts
+++ b/server/api/FileTokenManager.ts
@@ -22,9 +22,13 @@ export default class FileTokenManager {
 }
 static decode(token: string) {
 if (token == null) throw new Error('令牌為空!')
- return JSON.parse(crypto.createDecipheriv("aes-256-gcm", normalizeKey(config.aes_key + '_file'), '01234567890123456').update(
- Buffer.from(token, 'hex')
- ).toString()) as Token
+ try {
+ return JSON.parse(crypto.createDecipheriv("aes-256-gcm", normalizeKey(config.aes_key + '_file'), '01234567890123456').update(
+ Buffer.from(token, 'hex')
+ ).toString()) as Token
+ } catch(e) {
+ throw new Error('令牌無效!')
+ }
 }
 /**
diff --git a/server/api/TokenManager.ts b/server/api/TokenManager.ts
index 0eb2d13..e80da3e 100644
--- a/server/api/TokenManager.ts
+++ b/server/api/TokenManager.ts
@@ -23,9 +23,13 @@ export default class TokenManager {
 }
 static decode(token: string) {
 if (token == null) throw new Error('令牌為空!')
- return JSON.parse(crypto.createDecipheriv("aes-256-gcm", normalizeKey(config.aes_key), '01234567890123456').update(
- Buffer.from(token, 'hex')
- ).toString()) as Token
+ try {
+ return JSON.parse(crypto.createDecipheriv("aes-256-gcm", normalizeKey(config.aes_key), '01234567890123456').update(
+ Buffer.from(token, 'hex')
+ ).toString()) as Token
+ } catch(e) {
+ return {} as Token
+ }
 }
 static make(user: User, time_: number | null | undefined, device_id: string) {
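Review bot: The expiry check on the line above the changed guard, `if (token.expired_time < Date.now()) return false`, does not reject a token whose `expired_time` is missing, because `undefined < Date.now()` evaluates to false; with TokenManager.decode in this same commit now returning `{} as Token` on a malformed token, the new `!token.author` test is the only thing stopping such a token. Make the expiry check fail closed: `if (typeof token.expired_time !== 'number' || token.expired_time < Date.now()) return false`. It is not visible here whether `User.findById` is synchronous; if it returns a Promise, `!User.findById(...)` is always false and the lookup never rejects anything, and the same caveat applies to the identical guard in UserApi.ts. checkToken's body continues past the end of the hunk.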
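Review bot: The new try/catch in decode only converts a JSON.parse failure into '令牌無效!'; it does not make decryption fail on a tampered token, because the decipher is never given an auth tag and `final()` is never called, so AES-256-GCM here hands back unauthenticated output from `update()` alone and the catch fires only when that output happens not to be valid JSON. The IV passed to `createDecipheriv` is also the fixed literal `'01234567890123456'`, which for GCM means every token encrypted under the same key shares a nonce, which the mode's confidentiality and integrity guarantees do not survive (assuming `make()`, outside the hunk, uses the same literal). The fix is a token format change rather than a larger catch: `make()` should generate a random 12-byte IV per token and append it and `cipher.getAuthTag()` to the ciphertext, and decode should split them out, call `decipher.setAuthTag(tag)` and include `decipher.final()` inside the try so tampering is what triggers the catch. TokenManager.ts's decode in this commit has the same two problems. The enclosing class continues outside the hunk.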
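Review bot: Returning `{} as Token` from the catch on the new lines turns an undecodable or tampered token into a value that satisfies the `Token` type at compile time but has no fields, so every caller must now defensively check `author`, `expired_time` and `device_id` (as BaseApi.checkToken and UserApi start doing in this same commit) instead of being told the token is invalid. FileTokenManager.decode in the same commit throws `new Error('令牌無效!')` for the same condition; TokenManager should do the same, or declare `Token | null` and force callers to handle it, rather than return a silently empty token. The unused `e` in `catch(e)` also discards the underlying cause; either log it or write `catch {`. The enclosing class and `make()` continue outside the hunk.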
diff --git a/server/api/UserApi.ts b/server/api/UserApi.ts
index b3b344e..4cad6fb 100644
--- a/server/api/UserApi.ts
+++ b/server/api/UserApi.ts
@@ -26,7 +26,7 @@ export default class UserApi extends BaseApi {
 msg: "登錄令牌失效",
 code: 401,
 }
- if (!User.findById(access_token.author)) return {
+ if (!access_token.author || !User.findById(access_token.author)) return {
 msg: "賬號不存在",
 code: 401,
 }
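Review bot: The changed guard duplicates the check that BaseApi.checkToken gains in the same commit, and since UserApi extends BaseApi (visible in the hunk header) the two copies will drift; a future change to one validation path and not the other is how authorization checks end up inconsistent. Prefer delegating to `this.checkToken(access_token, deviceId)` (or a shared `isValidAuthor(token)` helper) and returning the 401 when it fails, so the author, expiry and device checks live in one place. Where `access_token` comes from is outside the hunk; if it is the result of TokenManager.decode, which now returns `{}` on a bad token, the preceding '登錄令牌失效' branch may not catch it and this author guard is then doing double duty, which is worth a comment on the line.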