diff --git a/server/server.js b/server/server.js
index bdf85d0..2d26df9 100644
--- a/server/server.js
+++ b/server/server.js
@@ -620,7 +620,10 @@ app.post('/api/auth/login', async (req, res) => {
 try {
 const users = await nocodb.list('Users', { where: `(email,eq,${sanitizeWhereValue(email)})`, limit: 1 });
- const user = users[0];
+ if (users.length === 0) return res.status(401).json({ error: 'Invalid email or password' });
+
+ // nocodb.list() may not return all fields — fetch full record
+ const user = await nocodb.get('Users', users[0].Id);
 if (!user || !user.password_hash) return res.status(401).json({ error: 'Invalid email or password' });
 const valid = await bcrypt.compare(password, user.password_hash);
@@ -709,7 +712,8 @@ app.post('/api/auth/reset-password', async (req, res) => {
 const users = await nocodb.list('Users', { where: `(reset_token,eq,${tokenHash})`, limit: 1 });
 if (users.length === 0) return res.status(400).json({ error: 'Invalid or expired reset token' });
- const user = users[0];
+ // nocodb.list() may not return all fields — fetch full record
+ const user = await nocodb.get('Users', users[0].Id);
 if (!user.reset_token_expires || new Date(user.reset_token_expires) < new Date()) {
 return res.status(400).json({ error: 'Invalid or expired reset token' });
 }
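Review bot: In the `/api/auth/login` hunk, the added `nocodb.get` round trip runs only when the email exists, while unknown emails return at the new `users.length === 0` check. Both paths send the same 401 text, but the existing-account path now costs an extra database call plus `bcrypt.compare`, so response time distinguishes registered from unregistered addresses more clearly than before. To keep the two paths comparable, the not-found branch can do equivalent work before returning, for example `await bcrypt.compare(password, DUMMY_HASH);` where `DUMMY_HASH` is a placeholder name for a module-level constant hash that is not in the visible code. Separately, `users[0].Id` assumes the list call always returns `Id`; since the comment says the list may omit fields, a guard such as `if (users[0].Id == null)` that returns the same 401 would make that assumption explicit. The handler body starts and ends outside the hunk.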
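Review bot: In the `/api/auth/reset-password` hunk, the re-fetched `user` is dereferenced with no null check and without confirming it still carries the token that was looked up; the login hunk at least keeps its `!user ||` guard. If `nocodb.get` returns nothing (for example, the row is removed between the two calls), `user.reset_token_expires` throws instead of producing the 400. If the token was consumed or replaced between the list and the get, the expiry check runs on a record the submitted token no longer matches. I would add `if (!user || user.reset_token !== tokenHash) return res.status(400).json({ error: 'Invalid or expired reset token' });` directly after the get. How the token is cleared after use is outside the hunk, so the race is inferred rather than shown.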