diff --git a/modules/api/api.js b/modules/api/api.js
index 943600b..4e9efad 100644
--- a/modules/api/api.js
+++ b/modules/api/api.js
@@ -21,8 +21,10 @@
 const express = require('express')
 const bodyParser = require('body-parser')
 const busboy = require('connect-busboy')
+const cookieParser = require('cookie-parser')
 const fs = require('fs')
 const app = express()
+
 // const http = require('http')
 // const https = require('https')
@@ -57,6 +59,7 @@ function CreateDB () {
 }
 CreateDB()
+app.use(cookieParser())
 app.set('view engine', 'ejs')
 app.set('views', [
 './modules/api/views',
@@ -108,6 +111,23 @@ function Load () {
 Load()
+// -------------------------------------------------------------
+
+app.get('/login', (req, res) => {
+ logger.LogReq(req)
+ // FIXME: redirect to original url
+ // TODO: check if pw is correct
+ res.cookie('pw', req.query.pw).redirect('/')
+ // TODO: create session
+})
+
+app.get('/logout', (req, res) => {
+ logger.LogReq(req)
+ // FIXME: redirect to original url
+ // TODO: destroy session
+ res.clearCookie('pw').redirect('/')
+})
+
 // --------------------------------------------------------------
 app.get('/', function (req, res) {
diff --git a/modules/api/apiDBStruct.json b/modules/api/apiDBStruct.json
index 85b646d..0e2ae15 100644
--- a/modules/api/apiDBStruct.json
+++ b/modules/api/apiDBStruct.json
@@ -1,13 +1,13 @@
 {
 "users": {
 "tableStruct": {
- "userID": {
- "type": "number",
+ "pw": {
+ "type": "text",
 "primary": true,
 "notNull": true
 },
- "pw": {
- "type": "text"
+ "userID": {
+ "type": "number"
 },
 "lastIP": {
 "type": "text"
diff --git a/modules/api/auth.middleware.js b/modules/api/auth.middleware.js
index 1f5a681..673680e 100644
--- a/modules/api/auth.middleware.js
+++ b/modules/api/auth.middleware.js
@@ -1,6 +1,8 @@
 const logger = require('../../utils/logger.js')
 const dbtools = require('../../utils/dbtools.js')
+// TODO: session
+
 module.exports = function (options) {
 const { debugLog, authDB } = options
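Review bot: In modules/api/api.js the new `/login` handler reads the password from `req.query.pw` on a GET, so the credential sits in the URL and is handed to `logger.LogReq(req)` first; if that logger records the request URL (not visible here) it ends up in the server log, and it reaches browser history and proxy logs either way. The same raw value is then stored as the `pw` cookie with no attributes, so page script can read it and it is sent over plain HTTP. Until the session TODO is done, take the password from a POST body, check that it is a non-empty string, and set the cookie as `res.cookie('pw', pw, { httpOnly: true, secure: true, sameSite: 'strict' })`. `/logout` as a GET can be triggered by any cross-site link or image, so it is worth moving to POST in the same change.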
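Review bot: In modules/api/apiDBStruct.json, making `pw` the `primary` key turns the password itself into the user's identity: it has to be unique across users, and looking a row up by it means storing it in clear text or under an unsalted, deterministic hash. Keeping `userID` as the `primary`/`notNull` column and adding a separate column for a salted password hash avoids both constraints, and lets the cookie carry a random session id instead of the password. Rows already keyed by `userID` would presumably need a migration, which this commit does not show.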
@@ -9,8 +11,20 @@ module.exports = function (options) {
 logger.Log('AUTH: ' + req.url)
 }
- res.end('NO ACCESS')
+ const user = GetUserByPW(authDB, req.cookies.pw)
- // next()
+ if (user) {
+ next()
+ } else {
+ res.JSON({
+ success: false,
+ msg: 'You dont have permission to acces this site'
+ })
+ }
 }
 }
+
+function GetUserByPW (db, password) {
+ // TODO: find user by password
+ return undefined
+}
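Review bot: The deny branch calls `res.JSON(...)`, but Express names this method `res.json`; unless the project attaches a `JSON` method to the response elsewhere, every rejected request throws a TypeError and ends as a 500 instead of the intended message. The reply should also carry a status, e.g. `res.status(401).json({ success: false, msg: '…' })`, so clients and monitoring can tell a refusal from a success. `req.cookies.pw` depends on `cookieParser()` being mounted before this middleware, so a guard such as `const pw = req.cookies && req.cookies.pw` keeps a mis-ordered setup from crashing. When `GetUserByPW` is implemented, `password` should be bound as a query parameter rather than concatenated into SQL. The middleware function opens above this hunk, so its start is not visible here.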