diff --git a/Femto.Api/Controllers/Auth/AuthController.cs b/Femto.Api/Controllers/Auth/AuthController.cs
index 5322493..e45e73c 100644
--- a/Femto.Api/Controllers/Auth/AuthController.cs
+++ b/Femto.Api/Controllers/Auth/AuthController.cs
@@ -35,7 +35,7 @@ public class AuthController(
 );
 if (user is null)
- return Forbid();
+ return this.BadRequest();
 var session = await authService.CreateStrongSession(user.Id);
diff --git a/Femto.Modules.Auth/Application/Services/AuthService.cs b/Femto.Modules.Auth/Application/Services/AuthService.cs
index 4fb9323..1a9f868 100644
--- a/Femto.Modules.Auth/Application/Services/AuthService.cs
+++ b/Femto.Modules.Auth/Application/Services/AuthService.cs
@@ -15,10 +15,17 @@ internal class AuthService(AuthContext context, SessionStorage storage) : IAuthS
 CancellationToken cancellationToken = default
 )
 {
- return await context
+ var user = await context
 .Users.Where(u => u.Username == username)
- .Select(u => new UserInfo(u.Id, u.Username, u.Roles.Select(r => r.Role).ToList()))
 .SingleOrDefaultAsync(cancellationToken);
+
+ if (user is null)
+ return null;
+
+ if (!user.HasPassword(password))
+ return null;
+
+ return new UserInfo(user.Id, user.Username, user.Roles.Select(r => r.Role).ToList());
 }
 public Task GetUserWithId(Guid? userId, CancellationToken cancellationToken)
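Review bot: `BadRequest()` is the wrong status for a rejected credential check — 400 tells the client its request was malformed, whereas a well-formed login with wrong credentials is an authentication failure and conventionally gets 401, `return Unauthorized();`. Dropping `Forbid()` is reasonable, since `ForbidResult` hands off to the authentication scheme's forbid handling (under cookie schemes typically a redirect to the access-denied path rather than a plain status), but the replacement should still say "credentials rejected" rather than "bad input". Whichever status is chosen, keep it identical for unknown-username and wrong-password and add no body that distinguishes them; the service-side change in this commit already collapses both cases into a null result, so the controller only has to avoid re-introducing the distinction. The enclosing action method starts before this hunk, so the call that produces `user` is not visible here.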
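Review bot: The new code reads `user.Roles` on a materialized entity, but the query has no `.Include(u => u.Roles)`; unless lazy-loading proxies are enabled on `AuthContext` (not visible here), that navigation will be unloaded, so every authenticated user comes back with no roles — or a NullReferenceException — where the old server-side projection populated them. Add the include on the query line: `.Users.Include(u => u.Roles).Where(u => u.Username == username)`. A second point: returning early on `user is null` skips `HasPassword`, so an unknown username answers faster than a wrong password and a caller can enumerate accounts by timing; verifying the supplied password against a fixed dummy hash on the not-found path keeps the two responses comparable. `HasPassword` is defined elsewhere, so I am assuming it verifies against a salted, slow hash with a constant-time comparison — worth confirming. The method's signature, including the `password` parameter and the nullable return type implied by `return null`, begins before the hunk.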