diff --git a/src/backend/src/routers/auth/configure-2fa.js b/src/backend/src/routers/auth/configure-2fa.js
index adb8984b7..220a02a96 100644
--- a/src/backend/src/routers/auth/configure-2fa.js
+++ b/src/backend/src/routers/auth/configure-2fa.js
@@ -87,7 +87,7 @@ module.exports = eggspress('/auth/configure-2fa/:action', {
     // this should never be used to verify the user's 2FA code
     // for authentication purposes.
     actions.test = async () => {
-        const user = req.user;
+        const user = await get_user({ id: req.user.id, force: true });
         const svc_otp = x.get('services').get('otp');
         const code = req.body.code;
         const ok = svc_otp.verify(user.username, user.otp_secret, code);