diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index b3dcd5e2..e80d27ed 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,5 +1,8 @@
 image: "rust:latest"
 
+default:
+    tags: [docker]
+
 cache:
   paths:
     - target
diff --git a/src/client_server/membership.rs b/src/client_server/membership.rs
index 75d7258c..206ea9d6 100644
--- a/src/client_server/membership.rs
+++ b/src/client_server/membership.rs
@@ -839,7 +839,7 @@ pub async fn invite_helper(
 
         if !auth_check {
             return Err(Error::BadRequest(
-                ErrorKind::InvalidParam,
+                ErrorKind::Forbidden,
                 "Event is not authorized.",
             ));
         }
diff --git a/src/ruma_wrapper.rs b/src/ruma_wrapper.rs
index d0f7303a..f2b9b9f0 100644
--- a/src/ruma_wrapper.rs
+++ b/src/ruma_wrapper.rs
@@ -59,7 +59,7 @@ where
         let token = request
             .headers()
             .get_one("Authorization")
-            .map(|s| s[7..].to_owned()) // Split off "Bearer "
+            .and_then(|s| s.get(7..)) // Split off "Bearer "
             .or_else(|| request.query_value("access_token").and_then(|r| r.ok()));
 
         let limit = db.globals.max_request_size();
@@ -134,16 +134,20 @@ where
                 }
                 AuthScheme::ServerSignatures => {
                     // Get origin from header
-                    let x_matrix = match request.headers().get_one("Authorization").map(|s| {
+                    let x_matrix = match request
+                        .headers()
+                        .get_one("Authorization")
+                        .and_then(|s|
                         // Split off "X-Matrix " and parse the rest
-                        s[9..]
-                            .split_terminator(',')
-                            .map(|field| {
-                                let mut splits = field.splitn(2, '=');
-                                (splits.next(), splits.next().map(|s| s.trim_matches('"')))
-                            })
-                            .collect::<BTreeMap<_, _>>()
-                    }) {
+                        s.get(9..))
+                        .map(|s| {
+                            s.split_terminator(',')
+                                .map(|field| {
+                                    let mut splits = field.splitn(2, '=');
+                                    (splits.next(), splits.next().map(|s| s.trim_matches('"')))
+                                })
+                                .collect::<BTreeMap<_, _>>()
+                        }) {
                         Some(t) => t,
                         None => {
                             warn!("No Authorization header");