diff --git a/src/routes/accesscontrol.js b/src/routes/accesscontrol.js
index 17bc113e4..d25cef0ab 100644
--- a/src/routes/accesscontrol.js
+++ b/src/routes/accesscontrol.js
@@ -27,7 +27,7 @@ async function passwordAuth(req, res, next) {
 
     const verifyFunc = username.indexOf('@') === -1 ? users.verifyWithUsername : users.verifyWithEmail;
 
-    let [error, user] =  await safe(verifyFunc(username, password, users.AP_WEBADMIN, { totpToken, skipTotpCheck: false }));
+    const [error, user] =  await safe(verifyFunc(username, password, users.AP_WEBADMIN, { totpToken, skipTotpCheck: false }));
     if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, error.message));
     if (error && error.reason === BoxError.NOT_FOUND) return next(new HttpError(401, 'Unauthorized'));
     if (error) return next(new HttpError(500, error));