diff --git a/controllers/authController.js b/controllers/authController.js index ed3eeef..1937c2d 100644 --- a/controllers/authController.js +++ b/controllers/authController.js @@ -162,6 +162,13 @@ self.register = async (req, res) => { throw new ClientError(`Username must have ${self.user.min}-${self.user.max} characters.`) } + // Please be advised that root user is hard-coded to always have superadmin permission + // However, you may choose to delete the root user via direct database query, + // so it is also hard-coded to always prevent it from being re-created via the API + if (username === 'root') { + throw new ClientError('Username is reserved.') + } + const password = typeof req.body.password === 'string' ? req.body.password.trim() : '' @@ -245,6 +252,10 @@ self.createUser = async (req, res) => { throw new ClientError(`Username must have ${self.user.min}-${self.user.max} characters.`) } + if (username === 'root') { + throw new ClientError('Username is reserved.') + } + let password = typeof req.body.password === 'string' ? req.body.password.trim() : '' @@ -270,7 +281,9 @@ self.createUser = async (req, res) => { .where('username', username) .first() - if (exists) throw new ClientError('Username already exists.') + if (exists) { + throw new ClientError('Username already exists.') + } const hash = await bcrypt.hash(password, saltRounds) diff --git a/controllers/permissionController.js b/controllers/permissionController.js index 8d8b101..65cf417 100644 --- a/controllers/permissionController.js +++ b/controllers/permissionController.js @@ -15,7 +15,9 @@ self.keys = Object.freeze(Object.keys(self.permissions)) self.group = user => { // root bypass - if (user.username === 'root') return 'superadmin' + if (user.username === 'root') { + return 'superadmin' + } for (const key of self.keys) { if (user.permission === self.permissions[key]) { return key 
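Review bot: The reserved-name check `if (username === 'root')` added to `register` (and the identical one in the `createUser` hunk) is an exact, case-sensitive match, and the code that derives `username` lies outside both hunks, so it is not visible whether the value is normalised first. permissionController.js applies the same exact comparison for its bypass, but if a supported database backend compares usernames case-insensitively, the `.where('username', 'root')` lookups may not distinguish case variants, which is worth confirming. Because superadmin is tied to the literal name, any other handler that can write the username column (none is visible in this diff) needs the same guard. A single shared helper, for example `const isReservedUsername = name => name.toLowerCase() === 'root'`, called from both functions would keep the checks from drifting apart.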
@@ -27,8 +29,12 @@ self.group = user => { // returns true if user is in the group OR higher self.is = (user, group) => { // root bypass - if (user.username === 'root') return true - if (typeof group !== 'string' || !group) return false + if (user.username === 'root') { + return true + } + if (typeof group !== 'string' || !group) { + return false + } const permission = user.permission || 0 return permission >= self.permissions[group] } diff --git a/scripts/migrate.js b/scripts/migrate.js index 4f1a971..1e827aa 100644 --- a/scripts/migrate.js +++ b/scripts/migrate.js @@ -55,7 +55,7 @@ const map = { .where('username', 'root') .select('permission') .first() - if (root.permission !== perms.permissions.superadmin) { + if (root && root.permission !== perms.permissions.superadmin) { await db.table('users') .where('username', 'root') .first()
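Review bot: The new `root &&` guard in the scripts/migrate.js hunk skips the permission fix-up when no root row exists, as far as the hunk shows, and nothing at that line says why a missing root is an expected state. A comment above the `if`, such as `// root may have been deleted via a direct database query; nothing to fix up in that case`, would tie it to the explanation added in authController.js. The enclosing function starts and ends outside the hunk, so whether the migration reports the skip elsewhere cannot be seen here.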