diff --git a/src/routes/users.js b/src/routes/users.js
index e52415164..7754162ef 100644
--- a/src/routes/users.js
+++ b/src/routes/users.js
@@ -209,7 +209,7 @@ async function setGhost(req, res, next) {
     assert.strictEqual(typeof req.resource, 'object');
 
     if (typeof req.body.password !== 'string' || !req.body.password) return next(new HttpError(400, 'password must be non-empty string'));
-    if ('expiresAt' in req.body && typeof req.body.password !== 'number') return next(new HttpError(400, 'expiresAt must be a number'));
+    if ('expiresAt' in req.body && typeof req.body.expiresAt !== 'number') return next(new HttpError(400, 'expiresAt must be a number'));
     if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));
 
     const [error] = await safe(users.setGhost(req.resource, req.body.password, req.body.expiresAt || 0));