diff --git a/src/api/users.js b/src/api/users.js
index df816961e5e8..a2c6cf50e03b 100644
--- a/src/api/users.js
+++ b/src/api/users.js
@@ -20,6 +20,12 @@ usersAPI.create = async function (caller, data) {
 };
 usersAPI.update = async function (caller, data) {
+ if (!data || !data.uid) {
+ throw new Error('[[error:invalid-data]]');
+ }
+ if (!caller.uid) {
+ throw new Error('[[error:invalid-uid]]');
+ }
 const oldUserData = await user.getUserFields(data.uid, ['email', 'username']);
 if (!oldUserData || !oldUserData.username) {
 throw new Error('[[error:invalid-data]]');
@@ -66,6 +72,7 @@ usersAPI.update = async function (caller, data) {
 if (userData.username !== oldUserData.username) {
 await log('username-change', { oldUsername: oldUserData.username, newUsername: userData.username });
 }
+ return userData;
 };
 usersAPI.delete = async function (caller, data) {
diff --git a/test/user.js b/test/user.js
index 060137e3d430..6ee26739064a 100644
--- a/test/user.js
+++ b/test/user.js
@@ -755,7 +755,7 @@ describe('User', function () {
 describe('not logged in', function () {
 it('should return error if not logged in', function (done) {
- socketUser.updateProfile({ uid: 0 }, {}, function (err) {
+ socketUser.updateProfile({ uid: 0 }, { uid: 1 }, function (err) {
 assert.equal(err.message, '[[error:invalid-uid]]');
 done();
 });
@@ -806,7 +806,7 @@ describe('User', function () {
 birthday: '01/01/1980',
 signature: 'nodebb is good',
 };
- socketUser.updateProfile({ uid: uid }, data, function (err, result) {
+ socketUser.updateProfile({ uid: uid }, { ...data, password: '123456' }, function (err, result) {
 assert.ifError(err);
 assert.equal(result.username, 'updatedUserName');
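Review bot: The guards added at the top of `usersAPI.update` validate the payload before they check the caller, so a request that is not logged in and omits `data.uid` is answered with `[[error:invalid-data]]` rather than `[[error:invalid-uid]]`; the test in test/user.js had to start passing `{ uid: 1 }` to reach the login error. Putting `if (!caller.uid) { throw new Error('[[error:invalid-uid]]'); }` first rejects guests before any of their input is inspected. Both guards are truthiness tests, so any non-zero value passes; if uids can arrive as strings or negative numbers, a numeric check such as `parseInt(caller.uid, 10) > 0` would be stricter. Whether the caller is allowed to edit `data.uid` is not decided in this hunk; the function body continues outside it, so that check is presumably further down and worth confirming.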
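Review bot: `return userData;` at the end of `usersAPI.update` now hands the whole object back to the socket/API caller, and nothing in this hunk limits which fields it holds. `userData` is built outside the hunk, so this is something to confirm rather than a known leak: the updated test sends `password: '123456'` in the payload, and it would be worth asserting that the field is not echoed back, e.g. `assert.strictEqual(result.password, undefined);`. A short comment above the return, `// returned to the client: must contain only fields safe to disclose`, would keep later changes from adding sensitive fields to it.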