diff --git a/lib/server/controllers/auth.ts b/lib/server/controllers/auth.ts
index 9048e6d..836285a 100644
--- a/lib/server/controllers/auth.ts
+++ b/lib/server/controllers/auth.ts
@@ -45,6 +45,9 @@ router.post(process.env.RESET_ROUTE || RESET_ROUTE, async (ctx, next) => {
 });
 router.patch('/:record', authenticated(), (ctx: Koa.Context) => {
+ if (ctx.user !== ctx.param.record) {
+ ctx.throw(StatusCodes.UNAUTHORIZED);
+ }
 const data = Auth.findOneAndUpdate({ record: ctx.params.record });
 if (!data) {
 ctx.throw(StatusCodes.NOT_FOUND);
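Review bot: The added ownership check reads `ctx.param.record`, while the lookup on the very next line uses `ctx.params.record`; unless something outside this hunk defines `ctx.param`, the guard throws a TypeError and every PATCH ends in a 500 rather than an enforced authorization decision. It should read `if (ctx.user !== ctx.params.record) {`. What `authenticated()` stores in `ctx.user` is not visible here; if it is a user object rather than the record id string, the strict comparison rejects every caller, so the identifying field should be compared instead. Because the caller has already passed authentication at this point, `StatusCodes.FORBIDDEN` describes the failure more accurately than `UNAUTHORIZED`. The handler body continues outside the hunk.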