diff --git a/auth.go b/auth.go
index 4b17464c..08a2d1ed 100644
--- a/auth.go
+++ b/auth.go
@@ -48,7 +48,7 @@ func (ea *EnsureAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 	content_type := NegotiateContent(accept, offers)
 	user, err := getAuthenticatedUser(r)
-	if err != nil {
+	if err != nil || user == nil {
 		var msg []byte
 		// Separate return codes for different authentication failures
 		if _, ok := err.(*NoCredentialsError); ok {
diff --git a/endpoint.go b/endpoint.go
index 4b8e0cca..65aed704 100644
--- a/endpoint.go
+++ b/endpoint.go
@@ -61,6 +61,7 @@ func getOAuthRefresh(w http.ResponseWriter, r *http.Request) {
 	user, err := getAuthenticatedUser(r)
 	if err != nil {
 		http.Redirect(w, r, "/?next=/oauth/refresh", http.StatusFound)
+		return
 	}
 	htmlOauthPrompt(w, user)
 }