diff --git a/Femto.Api/Controllers/Auth/AuthController.cs b/Femto.Api/Controllers/Auth/AuthController.cs
index e45e73c..5322493 100644
--- a/Femto.Api/Controllers/Auth/AuthController.cs
+++ b/Femto.Api/Controllers/Auth/AuthController.cs
@@ -35,7 +35,7 @@ public class AuthController(
 );
 if (user is null)
- return this.BadRequest();
+ return Forbid();
 var session = await authService.CreateStrongSession(user.Id);
diff --git a/Femto.Modules.Auth/Application/Services/AuthService.cs b/Femto.Modules.Auth/Application/Services/AuthService.cs
index 1a9f868..4fb9323 100644
--- a/Femto.Modules.Auth/Application/Services/AuthService.cs
+++ b/Femto.Modules.Auth/Application/Services/AuthService.cs
@@ -15,17 +15,10 @@ internal class AuthService(AuthContext context, SessionStorage storage) : IAuthS
 CancellationToken cancellationToken = default
 )
 {
- var user = await context
+ return await context
 .Users.Where(u => u.Username == username)
+ .Select(u => new UserInfo(u.Id, u.Username, u.Roles.Select(r => r.Role).ToList()))
 .SingleOrDefaultAsync(cancellationToken);
-
- if (user is null)
- return null;
-
- if (!user.HasPassword(password))
- return null;
-
- return new UserInfo(user.Id, user.Username, user.Roles.Select(r => r.Role).ToList());
 }
 public Task GetUserWithId(Guid? userId, CancellationToken cancellationToken)
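Review bot: `Forbid()` on the failed-login path in AuthController.cs returns a `ForbidResult`, which does not simply set status 403: it asks the configured authentication scheme to handle the forbid, so with cookie authentication it can become a redirect, and with no default scheme registered it throws. The scheme configuration is not visible in this diff, so that behaviour needs confirming; for rejected credentials `return this.Unauthorized();` states the outcome directly and keeps the `this.` style of the line it replaces. The action's body starts and ends outside the hunk.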
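Review bot: The password is no longer checked in this method: the new query in AuthService.cs filters on `u.Username == username` only and projects straight to `UserInfo`, so the removed `user.HasPassword(password)` test has no replacement in this hunk. The AuthController hunk of the same commit calls `authService.CreateStrongSession(user.Id)` as soon as the result is non-null, so unless verification moved to code not shown here, a matching username alone would yield a strong session. Load the entity instead of projecting in the query and keep `if (user is null || !user.HasPassword(password)) return null;` before building `UserInfo`. The method signature is outside the hunk, so the `password` parameter is presumably still declared and is now unused.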