diff --git a/server/routes/profile.js b/server/routes/profile.js
index dd22bc4d..7c95a951 100644
--- a/server/routes/profile.js
+++ b/server/routes/profile.js
@@ -62,11 +62,9 @@ router.post('/profile/save/:locale', async (req, res) => {
 return res.status(401).json({error: 'Unauthorised'});
 }
- const userId = (await req.db.get(SQL`SELECT id FROM users WHERE username = ${req.user.username}`)).id;
-
- await req.db.get(SQL`DELETE FROM profiles WHERE userId = ${userId} AND locale = ${req.params.locale}`);
+ await req.db.get(SQL`DELETE FROM profiles WHERE userId = ${req.user.id} AND locale = ${req.params.locale}`);
 await req.db.get(SQL`INSERT INTO profiles (id, userId, locale, names, pronouns, description, birthday, links, flags, words, active)
- VALUES (${ulid()}, ${userId}, ${req.params.locale}, ${JSON.stringify(req.body.names)}, ${JSON.stringify(req.body.pronouns)},
+ VALUES (${ulid()}, ${req.user.id}, ${req.params.locale}, ${JSON.stringify(req.body.names)}, ${JSON.stringify(req.body.pronouns)},
 ${req.body.description}, ${req.body.birthday || null}, ${JSON.stringify(req.body.links.filter(x => !!x))}, ${JSON.stringify(req.body.flags)}, ${JSON.stringify(req.body.words)}, 1
 )`);
@@ -75,9 +73,7 @@ router.post('/profile/save/:locale', async (req, res) => {
 });
 router.post('/profile/delete/:locale', async (req, res) => {
- const userId = (await req.db.get(SQL`SELECT id FROM users WHERE username = ${req.user.username}`)).id;
-
- await req.db.get(SQL`DELETE FROM profiles WHERE userId = ${userId} AND locale = ${req.params.locale}`);
+ await req.db.get(SQL`DELETE FROM profiles WHERE userId = ${req.user.id} AND locale = ${req.params.locale}`);
 return res.json(await fetchProfiles(req.db, req.user.username, true));
 });
diff --git a/server/routes/user.js b/server/routes/user.js
index e27dfcdf..d1e8d4c2 100644
--- a/server/routes/user.js
+++ b/server/routes/user.js
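Review bot: The new `req.user.id` in the DELETE and in the INSERT's VALUES line is taken straight from the token, and the 401 guard whose tail is visible at the top of the hunk appears to test only whether `req.user` exists, not whether it carries an `id`. Since the code being removed looked the id up by username on every request, tokens issued before this change plausibly have no `id` claim; for such a token the DELETE matches nothing and the INSERT writes a profile row whose `userId` is undefined/NULL unless the schema rejects it, so the guard should become `if (!req.user || !req.user.id) {`. The same applies to the `/profile/delete/:locale` hunk below, where no guard is visible at all; the `reloadUser` middleware added in user.js is attached to that file's router only, so it does not cover these routes unless the profile router is mounted behind it. Both enclosing handlers start outside their hunks.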
@@ -96,8 +96,41 @@ const validateEmail = (email) => {
 return re.test(String(email).toLowerCase());
 }
+const reloadUser = async (req, res, next) => {
+ if (!req.user) {
+ next();
+ return;
+ }
+
+ const dbUser = await req.db.get(SQL`SELECT * FROM users WHERE id = ${req.user.id}`);
+
+ if (!dbUser) {
+ res.clearCookie('token');
+ next();
+ return;
+ }
+
+ if (req.user.username !== dbUser.username
+ || req.user.email !== dbUser.email
+ || req.user.roles !== dbUser.roles
+ || req.user.avatarSource !== dbUser.avatarSource
+ ) {
+ const newUser = {
+ ...dbUser,
+ authenticated: true,
+ avatar: await avatar(req.db, dbUser),
+ };
+ const token = jwt.sign(newUser);
+ res.cookie('token', token);
+ req.user = {...req.user, ...newUser};
+ }
+ next();
+}
+
 const router = Router();
+router.use(reloadUser);
+
 router.post('/user/init', async (req, res) => {
 let user = undefined;
 let usernameOrEmail = req.body.usernameOrEmail;
@@ -174,7 +207,7 @@ router.post('/user/change-username', async (req, res) => {
 return res.json({ error: 'user.account.changeUsername.taken' })
 }
- await req.db.get(SQL`UPDATE users SET username = ${req.body.username} WHERE email = ${normalise(req.user.email)}`);
+ await req.db.get(SQL`UPDATE users SET username = ${req.body.username} WHERE id = ${req.user.id}`);
 return res.json({token: await issueAuthentication(req.db, req.user)});
 });
@@ -222,7 +255,7 @@ router.post('/user/change-email', async (req, res) => {
 await invalidateAuthenticator(req.db, authenticator);
- await req.db.get(SQL`UPDATE users SET email = ${authenticator.payload.to} WHERE email = ${normalise(req.user.email)}`);
+ await req.db.get(SQL`UPDATE users SET email = ${authenticator.payload.to} WHERE id = ${req.user.id}`);
 req.user.email = authenticator.payload.to;
 return res.json({token: await issueAuthentication(req.db, req.user)});
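Review bot: In reloadUser, when the SELECT finds no row the token cookie is cleared but `req.user` is left populated, so every handler that runs after `next()` — including the change-username, change-email and delete routes rewritten in the following hunks to key on `req.user.id` — still treats the request as authenticated and runs its UPDATE/DELETE against an id that no longer exists (or, for a token without an `id` claim, against undefined); add `req.user = undefined;` next to `res.clearCookie('token');` in that branch. `res.cookie('token', token)` passes no `httpOnly`/`secure`/`sameSite` options, so if the login path issues the cookie with those flags the refreshed cookie silently drops them — the same options object should be used here, though the login code is outside this diff. The middleware is `async` with no try/catch, so a rejected `req.db.get` or `avatar()` call becomes an unhandled rejection instead of reaching the error handler if this is Express 4; wrap the body and forward failures with `next(err)`. The `req.user.roles !== dbUser.roles` comparison is only meaningful if roles is stored as a primitive — if it is an array or object it will differ on every request and a fresh token will be signed each time.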
@@ -233,14 +266,9 @@ router.post('/user/delete', async (req, res) => {
 return res.status(401).json({error: 'Unauthorised'});
 }
- const userId = (await req.db.get(SQL`SELECT id FROM users WHERE username = ${req.user.username}`)).id;
- if (!userId) {
- return res.json(false);
- }
-
- await req.db.get(SQL`DELETE FROM profiles WHERE userId = ${userId}`)
- await req.db.get(SQL`DELETE FROM authenticators WHERE userId = ${userId}`)
- await req.db.get(SQL`DELETE FROM users WHERE id = ${userId}`)
+ await req.db.get(SQL`DELETE FROM profiles WHERE userId = ${req.user.id}`)
+ await req.db.get(SQL`DELETE FROM authenticators WHERE userId = ${req.user.id}`)
+ await req.db.get(SQL`DELETE FROM users WHERE id = ${req.user.id}`)
 return res.json(true);
 });
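Review bot: The removed `if (!userId) return res.json(false)` guard has no replacement in the new lines: nothing verifies that `req.user.id` still names a row, so with a stale token (or one issued before `id` was part of the claims) the three DELETEs match nothing and the handler still answers `true`. If `req.db` exposes an affected-row count (a `run`-style result), return `false` when the `users` DELETE changed no row; otherwise re-add an existence check before the deletes (`SELECT id FROM users WHERE id = …` through `req.db.get`, answering `res.json(false)` when it yields nothing). The three DELETEs also run outside a transaction, so a failure after the first leaves authenticators and the user row behind for a half-deleted account — that predates this commit but is worth fixing while the block is being rewritten. The handler's head is outside the hunk.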