diff --git a/api/src/middlewares/authorize.ts b/api/src/middlewares/authorize.ts
index dc336d4..124b332 100644
--- a/api/src/middlewares/authorize.ts
+++ b/api/src/middlewares/authorize.ts
@@ -5,7 +5,7 @@ import { PermissionSetting } from '../controllers/permission'
 export const authorize: RequestHandler = async (req, res, next) => {
   let permission
-  const user = req.user
+  const user = req.user || req.session.user
   if (user) {
     // no need to check for permissions when user is admin
     if (user.isAdmin) return next()
@@ -13,7 +13,7 @@ export const authorize: RequestHandler = async (req, res, next) => {
     const dbUser = await User.findOne({ id: user.userId })
     if (!dbUser) return res.sendStatus(401)
-    const uri = req.baseUrl + req.route.path
+    const uri = req.baseUrl + req.path
     // find permission w.r.t user
     permission = await Permission.findOne({ uri, user: dbUser._id })
diff --git a/api/src/routes/appStream/index.ts b/api/src/routes/appStream/index.ts
index 3954039..1152644 100644
--- a/api/src/routes/appStream/index.ts
+++ b/api/src/routes/appStream/index.ts
@@ -1,5 +1,6 @@
 import path from 'path'
 import express, { Request } from 'express'
+import { authorize } from '../../middlewares/authorize'
 import { folderExists } from '@sasjs/utils'
 import { addEntryToAppStreamConfig, getFilesFolder } from '../../utils'
@@ -9,7 +10,7 @@ const appStreams: { [key: string]: string } = {}
 const router = express.Router()
-router.get('/', async (req, res) => {
+router.get('/', authorize, async (req, res) => {
   const content = appStreamHtml(process.appStreamConfig)
   res.cookie('XSRF-TOKEN', req.csrfToken())
@@ -66,7 +67,7 @@ export const publishAppStream = async (
   return {}
 }
-router.get(`/*`, function (req: Request, res, next) {
+router.get(`/*`, authorize, function (req: Request, res, next) {
   const reqPath = req.path.replace(/^\//, '')
   // Redirecting to url with trailing slash for appStream base URL only
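Review bot: The new fallback `req.user || req.session.user` dereferences `req.session` unconditionally, so any request reaching `authorize` on a router where session middleware is not mounted (or where the session has not been initialised) throws a TypeError and surfaces as a 500 instead of a clean 401; use optional chaining, `const user = req.user || req.session?.user`. The `||` also makes the token-derived `req.user` silently win over a session user when both are present, which is fine if that precedence is intended but deserves a one-line comment such as `// token identity takes precedence over a browser session when both are present`. Whether a session user object carries the same `isAdmin`/`userId` shape that the admin short-circuit and the `User.findOne` lookup below rely on cannot be confirmed from this hunk. The body of `authorize` continues past the end of the hunk.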
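Review bot: Switching the permission key from the route pattern (`req.route.path`) to the concrete `req.path` means every distinct request path now needs its own `Permission` row, and `req.path` is not normalised: `/myapp` and `/myapp/` produce different keys, as do percent-encoded variants of the same segment, so a user granted one spelling is denied the other while the file actually served is resolved from a different, possibly decoded, form of the path. If the intent is to authorise per app stream, derive the key from the first path segment, e.g. `const uri = req.baseUrl + '/' + req.path.split('/').filter(Boolean)[0]`, or at least strip the trailing slash before the lookup; either way add a comment stating which path form the stored permission URIs must use. What happens when `Permission.findOne` returns nothing (presumably a deny) lies outside the hunk and should be confirmed, since a lookup miss on an unnormalised key is the failure mode this change introduces.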
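Review bot: Gating the index route with `authorize` protects the page as a whole, but the handler still renders `process.appStreamConfig` in full, so any non-admin user who holds permission for the index path sees the names of every configured stream, including ones they have no permission to open. If stream visibility is meant to follow per-stream permissions, filter the config by the user's permissions before calling `appStreamHtml` (the permission result is computed in `authorize` but, as far as this hunk shows, not attached to `req` for the handler to use). At minimum a comment on the handler should state that the listing is deliberately unfiltered, e.g. `// listing shows all streams; access to each one is enforced by the /* route`. The handler continues past the end of the hunk.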
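Review bot: With `authorize` now keying permissions on `req.baseUrl + req.path`, this wildcard route is checked once per concrete asset path, so a stream's `index.html`, scripts and stylesheets under `/myapp/` each need their own permission row unless the middleware reduces the path to the stream name; the trailing-slash redirect performed further down the handler also runs after the check, so `/myapp` and `/myapp/` are authorised under two different keys. Consider either normalising in `authorize` or documenting here that permissions are granted per stream prefix, e.g. `// authorize() must resolve the stream name from the first path segment, not the full asset path`. Only GET is guarded by this change; if the router exposes other methods for the same paths they remain unprotected, which cannot be confirmed from the hunk. The handler body, including the file-system resolution of `reqPath`, continues past the end of the hunk.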