diff --git a/app/api/account/avatar/route.ts b/app/api/account/avatar/route.ts
index 9b647fe7..e0a625f5 100644
--- a/app/api/account/avatar/route.ts
+++ b/app/api/account/avatar/route.ts
@@ -30,7 +30,7 @@ export async function POST(req: Request) {
 
         const r1 = await fetch(`${API}/files`, {
             method: "POST",
-            headers: { Authorization: bearer },
+            headers: { Authorization: `Bearer ${bearer}` },
             body: up,
         });
         const j1 = await r1.json().catch(() => ({}));
@@ -43,7 +43,7 @@ export async function POST(req: Request) {
         // Link file to the current user
         const r2 = await fetch(`${API}/users/me`, {
             method: "PATCH",
-            headers: { Authorization: bearer, "Content-Type": "application/json" },
+            headers: { Authorization: `Bearer ${bearer}`, "Content-Type": "application/json" },
             body: JSON.stringify({ avatar: fileId }),
         });
         const j2 = await r2.json().catch(() => ({}));
diff --git a/app/api/account/password/route.ts b/app/api/account/password/route.ts
index 5f515bdf..bbffcdcd 100644
--- a/app/api/account/password/route.ts
+++ b/app/api/account/password/route.ts
@@ -11,10 +11,8 @@ async function handle(req: Request) {
     const bearer = requireBearer(req);
 
     const body = await req.json().catch(() => ({}));
-    const current =
-    String(body?.current ?? body?.current_password ?? "").trim();
-    const next =
-    String(body?.next ?? body?.new_password ?? "").trim();
+    const current = String(body?.current ?? body?.current_password ?? "").trim();
+    const next = String(body?.next ?? body?.new_password ?? "").trim();
 
     if (!current || !next) return bad("Missing current and/or new password");
     if (next.length < 8) return bad("Password must be at least 8 characters");
@@ -22,7 +20,7 @@ async function handle(req: Request) {
     const res = await fetch(`${API}/users/me`, {
         method: "PATCH",
         headers: {
-            Authorization: bearer,
+            Authorization: `Bearer ${bearer}`,
             "Content-Type": "application/json",
         },
         body: JSON.stringify({ password: next, old_password: current }),
diff --git a/app/api/account/profile/route.ts b/app/api/account/profile/route.ts
index 8dfac024..8db06895 100644
--- a/app/api/account/profile/route.ts
+++ b/app/api/account/profile/route.ts
@@ -5,7 +5,7 @@ import { NextResponse } from "next/server";
 import { requireBearer } from "@/app/api/_lib/auth";
 
 const API = (process.env.NEXT_PUBLIC_API_BASE_URL || "").replace(/\/$/, "");
-const bad = (m: string, c=400) => NextResponse.json({ error: m }, { status: c });
+const bad = (m: string, c = 400) => NextResponse.json({ error: m }, { status: c });
 
 export async function GET() {
     // show username (read-only) + editable fields
@@ -21,21 +21,38 @@ export async function GET() {
 export async function PATCH(req: Request) {
     try {
         const bearer = requireBearer(req);
-        const body = await req.json().catch(() => ({}));
+        const body = await req.json().catch(() => ({} as Record<string, unknown>));
+
+        // Enforce recent re-auth for sensitive fields
+        const SENSITIVE = new Set(["email", "username"]);
+        const wantsSensitive = Object.keys(body).some((k) => SENSITIVE.has(k));
+        if (wantsSensitive) {
+            const cookie = req.headers.get("cookie") || "";
+            const hasRecentAuth = /(?:^|;\s*)ma_ra=1(?:;|$)/.test(cookie);
+            if (!hasRecentAuth) {
+                return NextResponse.json(
+                    { error: "Re-authentication required" },
+                    { status: 428 } // Precondition Required
+                );
+            }
+        }
 
         const payload: any = {};
-        if (typeof body.first_name === "string") payload.first_name = body.first_name.trim();
-        if (typeof body.last_name === "string")  payload.last_name  = body.last_name.trim();
-        if (typeof body.location === "string")   payload.location   = body.location.trim();
+        if (typeof (body as any).first_name === "string")
+            payload.first_name = (body as any).first_name.trim();
+        if (typeof (body as any).last_name === "string")
+            payload.last_name = (body as any).last_name.trim();
+        if (typeof (body as any).location === "string")
+            payload.location = (body as any).location.trim();
         if ("email" in body) {
-            const e = String(body.email ?? "").trim();
+            const e = String((body as any).email ?? "").trim();
             payload.email = e ? e : null; // ← optional! blank clears it
         }
         // (password handled by /api/account/password)
 
         const r = await fetch(`${API}/users/me`, {
             method: "PATCH",
-            headers: { Authorization: bearer, "Content-Type": "application/json" },
+            headers: { Authorization: `Bearer ${bearer}`, "Content-Type": "application/json" },
             body: JSON.stringify(payload),
         });
         const j = await r.json().catch(() => ({}));
diff --git a/app/api/account/route.ts b/app/api/account/route.ts
index 48cf4833..5b524f3c 100644
--- a/app/api/account/route.ts
+++ b/app/api/account/route.ts
@@ -16,7 +16,7 @@ export async function GET(req: Request) {
 
 const res = await fetch(
     `${API}/users/me?fields=${encodeURIComponent(fields)}`,
-                        { headers: { Authorization: bearer }, cache: "no-store" }
+                        { headers: { Authorization: `Bearer ${bearer}` }, cache: "no-store" }
 );
 const j = await res.json().catch(() => ({}));
 
@@ -40,19 +40,19 @@ export async function PATCH(req: Request) {
 
         const payload: Record<string, any> = {};
         if (typeof body.first_name === "string") payload.first_name = body.first_name.trim();
-        if (typeof body.last_name === "string")  payload.last_name  = body.last_name.trim();
+        if (typeof body.last_name === "string") payload.last_name = body.last_name.trim();
         if ("email" in body) {
             const e = String(body.email ?? "").trim();
             payload.email = e ? e : null; // optional; blank clears
         }
-        if (typeof body.location === "string")   payload.location   = body.location.trim();
-        if (typeof body.avatar === "string")     payload.avatar     = body.avatar; // file id
+        if (typeof body.location === "string") payload.location = body.location.trim();
+        if (typeof body.avatar === "string") payload.avatar = body.avatar; // file id
 
         if (!Object.keys(payload).length) return bad("No changes");
 
         const res = await fetch(`${API}/users/me`, {
             method: "PATCH",
-            headers: { Authorization: bearer, "Content-Type": "application/json" },
+            headers: { Authorization: `Bearer ${bearer}`, "Content-Type": "application/json" },
             body: JSON.stringify(payload),
         });
         const j = await res.json().catch(() => ({}));
diff --git a/app/auth/sign-in/page.tsx b/app/auth/sign-in/page.tsx
index 2a49065e..88a68b22 100644
--- a/app/auth/sign-in/page.tsx
+++ b/app/auth/sign-in/page.tsx
@@ -6,10 +6,8 @@ import SignIn from "./sign-in";
 export default async function SignInPage(
     props: { searchParams: Promise<Record<string, string | string[] | undefined>> }
 ) {
-    const at = (await cookies()).get("ma_at")?.value;
-    if (at) redirect("/portal");
-
     const sp = await props.searchParams;
+
     const nextParam = Array.isArray(sp.next) ? sp.next[0] : sp.next;
     const nextPath = nextParam && nextParam.startsWith("/") ? nextParam : "/portal";
 
@@ -17,5 +15,11 @@ export default async function SignInPage(
     const forceParam  = Array.isArray(sp.force)  ? sp.force[0]  : sp.force;
     const reauth = reauthParam === "1" || forceParam === "1";
 
+    // If reauth is requested, always render the form (no redirect).
+    if (!reauth) {
+        const at = (await cookies()).get("ma_at")?.value;
+        if (at) redirect("/portal");
+    }
+
     return <SignIn nextPath={nextPath} reauth={reauth} />;
 }