Don't allow authorizing access tokens without a user

Author: rmccue

lib/class-wp-json-authentication-oauth1.php

@@ -372,6 +372,10 @@ public function authorize_request_token( $key, $user = null ) {
 			$user = $user->ID;
 		}
 
+		if ( empty( $user ) ) {
+			return new WP_Error( 'json_oauth1_invalid_user', __( 'Invalid user specified for access token' ) );
+		}
+
 		$token['authorized'] = true;
 		$token['verifier'] = wp_generate_password( self::VERIFIER_LENGTH, false );
 		$token['user'] = $user;