diff --git a/src/login.ts b/src/login.ts
index e662231..79dfc48 100644
--- a/src/login.ts
+++ b/src/login.ts
@@ -93,7 +93,7 @@ export const createLoginMiddleware = (userController: UserAccessor) =>
 const secretKey = setting.jwt_secretkey;
 const body = ctx.request.body;
 //check format
- if (!("username" in body) || !("password" in body)) {
+ if (typeof body == "string" || !("username" in body) || !("password" in body)) {
 return sendError(
 400,
 "invalid form : username or password is not found in query.",
@@ -249,6 +249,9 @@ export const resetPasswordMiddleware = (cntr: UserAccessor) =>
 const username = body['username'];
 const oldpw = body['oldpassword'];
 const newpw = body['newpassword'];
+ if(typeof username !== "string" || typeof oldpw !== "string" || typeof newpw !== "string"){
+ return sendError(400,"request body is invalid format");
+ }
 const user = await cntr.findUser(username);
 if(user === undefined){
 return sendError(403,"not authorized");
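Review bot: The new guard in createLoginMiddleware only excludes strings, so a body that is `null`, `undefined`, a number or a boolean still reaches `"username" in body`, where the `in` operator throws a TypeError on any non-object; whether the body parser in use can produce those values is not visible here. The guard also checks only that the keys exist, not that their values are strings, unlike the check added to resetPasswordMiddleware in the second hunk. I would write it as `if (typeof body !== "object" || body === null || typeof body["username"] !== "string" || typeof body["password"] !== "string") {`, which also replaces the loose `==` with a strict comparison. A null or undefined body would likewise throw at `body['username']` in the second hunk unless it is rejected earlier, outside that hunk. The login handler's body continues past the end of this hunk.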
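Review bot: The added `typeof` check in resetPasswordMiddleware accepts empty strings, so a request with `newpassword: ""` passes validation at this point; whether a later step rejects an empty or too-short new password is outside the hunk. If nothing does, extend the condition, for example `if (typeof username !== "string" || typeof oldpw !== "string" || typeof newpw !== "string" || newpw.length === 0) {`, or apply the project's password policy here. A short comment above the check, such as `// reject non-string fields before they reach findUser`, would record why it exists.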