diff --git a/server/database/judge.go b/server/database/judge.go
index 205e313..e6c0b0d 100644
--- a/server/database/judge.go
+++ b/server/database/judge.go
@@ -41,7 +41,11 @@ func FindJudge(db *mongo.Database, ctx context.Context, id primitive.ObjectID) (
 // FindJudgeByToken finds a judge by their token.
 // Returns judge as nil if no judge was found.
+// Rejects empty tokens to prevent matching pre-login judges (Token defaults to "" in NewJudge).
 func FindJudgeByToken(db *mongo.Database, token string) (*models.Judge, error) {
+ if token == "" {
+ return nil, nil
+ }
 var judge models.Judge
 err := db.Collection("judges").FindOne(context.Background(), gin.H{"token": token}).Decode(&judge)
 if err == mongo.ErrNoDocuments {
diff --git a/server/router/middleware.go b/server/router/middleware.go
index e1100ce..ad51dc0 100644
--- a/server/router/middleware.go
+++ b/server/router/middleware.go
@@ -27,6 +27,10 @@ func AuthenticateJudge() gin.HandlerFunc {
 // Extract the token
 token := authHeader[7:]
+ if token == "" {
+ no("Invalid Authorization header, empty token", ctx)
+ return
+ }
 // Make sure the token is valid (check for judge in database)
 state := GetState(ctx)
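Review bot: The early return makes `FindJudgeByToken` answer `(nil, nil)` for an empty token, and the new doc comment should say so explicitly because callers cannot tell that outcome from "no judge found"; suggest `// Returns (nil, nil) for an empty token without querying the database.` in place of the added comment line. The guard only covers this one lookup: any pre-login judge persisted with `Token == ""` stays matchable by every other query on that field, so a partial unique index on `token` that excludes the empty string (or not storing the field until login) would close the gap at the data layer rather than per call site. The `err == mongo.ErrNoDocuments` comparison on the following context line would be more robust as `errors.Is(err, mongo.ErrNoDocuments)`, though that predates this change. The body of FindJudgeByToken continues past the hunk.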
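Review bot: The added check only catches a header that is exactly the seven-character prefix; a header whose bearer value is whitespace (for example a trailing space after the scheme) still passes as a non-empty token and goes to the database lookup. If the intent is to reject malformed headers before touching the database, trimming first would make the check meaningful: `token := strings.TrimSpace(authHeader[7:])` ahead of the new `if token == ""`, assuming `strings` is already imported in this file. The slice `authHeader[7:]` relies on a length or prefix check above the hunk that is not visible here, so I cannot confirm it is guarded; the enclosing handler closure in AuthenticateJudge starts before and continues after this hunk. This check is consistent with the empty-token guard added to FindJudgeByToken, which gives the rejection two independent layers.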