diff --git a/lib/db/mysql.js b/lib/db/mysql.js
index 6a7b6f94700d94086262e329dc4821507bcc0fbf..c8b857dd1c1b8e9856c7cc337caadc0791635d77 100644
--- a/lib/db/mysql.js
+++ b/lib/db/mysql.js
@@ -337,8 +337,9 @@ exports.gotVerificationSecret = function(secret, cb) {
       if (err) {
         logUnexpectedError(err);
         cb(err);
-      } else if (rows.length === 0) cb("unknown secret");
-      else {
+      } else if (rows.length === 0) {
+        cb("unknown secret");
+      } else {
         var o = rows[0];
 
         // delete the record
diff --git a/lib/wsapi/complete_user_creation.js b/lib/wsapi/complete_user_creation.js
index 9be9daae5b923a0ac028176ff3d6988c052c76dd..5b87c3ec9af756562a37076fb88a2e9f09713f99 100644
--- a/lib/wsapi/complete_user_creation.js
+++ b/lib/wsapi/complete_user_creation.js
@@ -41,7 +41,7 @@ exports.process = function(req, res) {
   // is this the same browser?
   if (typeof req.session.pendingCreation === 'string' &&
       req.body.token === req.session.pendingCreation) {
-    postAuthentication();
+    return postAuthentication();
   }
   // is a password provided?
   else if (typeof req.body.pass === 'string') {
@@ -65,7 +65,7 @@ exports.process = function(req, res) {
         } else if (!success) {
           return httputils.authRequired(res, "password mismatch");
         } else {
-          postAuthentication();
+          return postAuthentication();
         }
       });
     });
@@ -92,7 +92,7 @@ exports.process = function(req, res) {
       db.authForVerificationSecret(req.body.token, function(err, hash) {
         if (err == 'no password for user' || !hash) {
           if (!req.body.pass) return httputils.authRequired(res, "password required");
-          var err = wsapi.checkPassword(req.body.pass);
+          err = wsapi.checkPassword(req.body.pass);
           if (err) {
             logger.warn("invalid password received: " + err);
             return httputils.badRequest(res, err);