diff --git a/admin/handlers.go b/admin/handlers.go
index 282e885..d747382 100644
--- a/admin/handlers.go
+++ b/admin/handlers.go
@@ -7,10 +7,11 @@ import (
 "github.com/gofiber/fiber/v2"
 "MY/webapp/data"
 . "MY/webapp/common"
+ "MY/webapp/auth"
 )
 func GetApiTableIndex(c *fiber.Ctx) error {
- _, err := CheckAuthed(c, true)
+ _, err := auth.Check(c, true)
 if err != nil { return c.Redirect("/") }
 var tables []string
@@ -23,7 +24,7 @@ func GetApiTableIndex(c *fiber.Ctx) error {
 }
 func GetApiSelectAll(c *fiber.Ctx) error {
- _, err := CheckAuthed(c, true)
+ _, err := auth.Check(c, true)
 if err != nil { return c.Redirect("/") }
 table := c.Params("table")
@@ -49,14 +50,14 @@ func GetApiSelectAll(c *fiber.Ctx) error {
 }
 func GetPageSelectAll(c *fiber.Ctx) error {
- _, err := CheckAuthed(c, true)
+ _, err := auth.Check(c, true)
 if err != nil { return c.Redirect("/") }
 return c.Render("admin/table/contents", fiber.Map{"Table": c.Params("table")})
 }
 func GetApiSelectOne(c *fiber.Ctx) error {
- _, err := CheckAuthed(c, true)
+ _, err := auth.Check(c, true)
 if err != nil { return c.Redirect("/") }
 table := c.Params("table")
@@ -72,7 +73,7 @@ func GetApiSelectOne(c *fiber.Ctx) error {
 }
 func GetPageSelectOne(c *fiber.Ctx) error {
- _, err := CheckAuthed(c, true)
+ _, err := auth.Check(c, true)
 if err != nil { return c.Redirect("/") }
 table := c.Params("table")
@@ -86,7 +87,7 @@ func GetPageSelectOne(c *fiber.Ctx) error {
 }
 func PostApiUpdate(c *fiber.Ctx) error {
- _, err := CheckAuthed(c, true)
+ _, err := auth.Check(c, true)
 if err != nil { return c.Redirect("/") }
 table := c.Params("table")
@@ -101,7 +102,7 @@ func PostApiUpdate(c *fiber.Ctx) error {
 }
 func GetPageInsert(c *fiber.Ctx) error {
- _, err := CheckAuthed(c, true)
+ _, err := auth.Check(c, true)
 if err != nil { return c.Redirect("/") }
 table := c.Params("table")
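Review bot: Every handler in this file now opens with the same two lines, `_, err := auth.Check(c, true)` / `if err != nil { return c.Redirect("/") }`, so the admin check depends on each future handler remembering to repeat it; the same pattern is in the @@ -23, -49, -72, -86 and -101 hunks here and in the @@ -109, -119, -135 and -150 hunks of this file. With auth now in its own package the guard can be one fiber middleware registered ahead of the admin routes in admin.Setup (outside this diff), which fails closed for any route added later; a sketch follows, and the handlers would then drop their first two lines. The API handlers also answer an unauthenticated caller with a redirect to "/" rather than a 401/403, which was already the behaviour before this change.
```go
// requireAdmin rejects the request unless the session passes auth.Check(c, true);
// register it once in admin.Setup (outside this diff) ahead of the admin routes.
func requireAdmin(c *fiber.Ctx) error {
	if _, err := auth.Check(c, true); err != nil {
		return c.Redirect("/")
	}
	return c.Next()
}
```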
@@ -109,7 +110,7 @@ func GetPageInsert(c *fiber.Ctx) error {
 }
 func GetApiInsert(c *fiber.Ctx) error {
- _, err := CheckAuthed(c, true)
+ _, err := auth.Check(c, true)
 if err != nil { return c.Redirect("/") }
 table := c.Params("table")
@@ -119,7 +120,7 @@ func GetApiInsert(c *fiber.Ctx) error {
 }
 func PostApiInsert(c *fiber.Ctx) error {
- _, err := CheckAuthed(c, true)
+ _, err := auth.Check(c, true)
 if err != nil { return c.Redirect("/") }
 table := c.Params("table")
@@ -135,7 +136,7 @@ func PostApiInsert(c *fiber.Ctx) error {
 }
 func DeleteApi(c *fiber.Ctx) error {
- _, err := CheckAuthed(c, true)
+ _, err := auth.Check(c, true)
 if err != nil { return c.Redirect("/") }
 table := c.Params("table")
@@ -150,7 +151,7 @@ func DeleteApi(c *fiber.Ctx) error {
 }
 func GetPageAdminIndex(c *fiber.Ctx) error {
- _, err := CheckAuthed(c, true)
+ _, err := auth.Check(c, true)
 if err != nil { return c.Redirect("/") }
 return c.Render("admin/table/index", fiber.Map{})
diff --git a/api/handlers.go b/api/handlers.go
index cfb2a4c..18a56d9 100644
--- a/api/handlers.go
+++ b/api/handlers.go
@@ -5,24 +5,14 @@ import (
 "time"
 "github.com/gofiber/fiber/v2"
- "github.com/gofiber/fiber/v2/middleware/session"
- "MY/webapp/common"
 )
 func Setup(app *fiber.App) {
- common.STORE = session.New()
-
 // this forces static pages to reload
 app.Static("/", "./public", fiber.Static{
 Compress: false,
 CacheDuration: 1 * time.Nanosecond,
 })
-
- // api/auth.go
- app.Get("/api/authcheck", GetApiAuthCheck)
- app.Get("/api/logout", GetApiLogout)
- app.Post("/api/register", PostApiRegister)
- app.Post("/api/login", PostApiLogin)
 }
 func Shutdown() {
diff --git a/api/auth.go b/auth/handlers.go
similarity index 86%
rename from api/auth.go
rename to auth/handlers.go
index c4c6d05..11e88d0 100644
--- a/api/auth.go
+++ b/auth/handlers.go
@@ -1,4 +1,4 @@
-package api
+package auth
 import (
 "github.com/gofiber/fiber/v2"
@@ -10,7 +10,7 @@ import (
 )
 func GetApiAuthCheck(c *fiber.Ctx) error {
- _, err := CheckAuthed(c, false)
+ _, err := Check(c, false)
 // auth failure or not authed is determined by err, with nil meaning YES AUTHED
 return c.JSON(fiber.Map{"is_authed": err == nil})
 }
@@ -63,3 +63,11 @@ func PostApiLogin(c *fiber.Ctx) error {
 return c.Redirect("/login/")
 }
 }
+
+
+func Setup(app *fiber.App) {
+ app.Get("/api/authcheck", GetApiAuthCheck)
+ app.Get("/api/logout", GetApiLogout)
+ app.Post("/api/register", PostApiRegister)
+ app.Post("/api/login", PostApiLogin)
+}
diff --git a/auth/helpers.go b/auth/helpers.go
new file mode 100644
index 0000000..a463f06
--- /dev/null
+++ b/auth/helpers.go
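Review bot: The new exported `Setup` at the end of the @@ -63 hunk has no doc comment, and the two blank lines before it will be collapsed by gofmt; `// Setup registers the authentication routes (authcheck, logout, register, login) on app.` would cover it. The body of PostApiLogin begins outside the hunk. Since the login and register routes are now registered in one place, this function is also the natural spot to put a request-rate limit in front of `/api/login` and `/api/register` (fiber ships `middleware/limiter`), which the previous registration in api.Setup did not have either.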
@@ -0,0 +1,76 @@
+package auth
+
+import (
+ "errors"
+ "golang.org/x/crypto/bcrypt"
+ "log"
+
+ "github.com/gofiber/fiber/v2"
+ _ "github.com/mattn/go-sqlite3"
+ sq "github.com/Masterminds/squirrel"
+ "github.com/gofiber/fiber/v2/middleware/session"
+
+ "MY/webapp/data"
+ "MY/webapp/config"
+ "MY/webapp/common"
+)
+
+func IsAdmin(user *data.User) bool {
+ return user.Username == config.Settings.Admin
+}
+
+func Check(c *fiber.Ctx, needs_admin bool) (*session.Session, error) {
+ sess, err := common.STORE.Get(c)
+ if err != nil { return sess, err }
+
+ // BUG: this has to come from the databse, just temporary
+ admin := sess.Get("admin") == true
+ authed := sess.Get("authenticated") == true
+
+ if needs_admin {
+ authed = admin && authed
+ log.Printf("after needs_admin block: authed=%v", authed)
+ }
+
+ if authed {
+ log.Println("user is authed, return nil and sess")
+ return sess, nil
+ } else {
+ log.Println("user is NOT authed, return error")
+ return sess, errors.New("Authentication, permission failure")
+ }
+}
+
+func LogoutUser(c *fiber.Ctx) error {
+ sess, err := common.STORE.Get(c)
+ if err != nil { return err }
+
+ err = sess.Destroy()
+ if err != nil { return err }
+
+ err = sess.Save()
+ return err
+}
+
+func LoginUser(result *data.User, login *data.Login) (bool, error) {
+ sql, args, err := sq.Select("username, password").
+ From("user").Where("username=?", login.Username).ToSql()
+
+ if err != nil { return false, err }
+
+ err = data.DB.Get(result, sql, args...)
+ if err != nil { return false, err }
+
+ pass_good := bcrypt.CompareHashAndPassword([]byte(result.Password), []byte(login.Password))
+ if pass_good != nil { return false, pass_good }
+
+ return login.Username == result.Username && pass_good == nil, nil
+}
+
+func SetUserPassword(user *data.User) error {
+ hashed, err := bcrypt.GenerateFromPassword([]byte(user.Password), 12)
+ if err != nil { return err }
+
+ user.Password = string(hashed)
+ return nil
+}
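Review bot: In `LoginUser` the `if err != nil { return false, err }` right after `data.DB.Get` returns before any bcrypt work, so a login attempt for a username that does not exist finishes without the cost-12 compare and hands the caller a different error than a wrong password does; running the compare against a fixed dummy hash on the miss path, and having the caller map both failures to one generic response, removes that difference (sketch below). The `&& pass_good == nil` in the final return is always true once the preceding line has returned on error, so it can go, and the variable holds an error and reads better as `err`. `Check` decides `needs_admin` from the session's `"admin"` value while `IsAdmin` (which compares against `config.Settings.Admin`) is defined here but never called, so, as the `// BUG` comment admits, an admin removed from config keeps admin rights until the session expires; looking the user up and calling `IsAdmin` inside `Check` would close that gap. In `LogoutUser`, `sess.Save()` after `sess.Destroy()` looks redundant — in fiber v2 Destroy already deletes the stored session and expires the cookie — and depending on the fiber version Save may write an empty session back under the same id, which is worth confirming against the vendored version.
```go
func LoginUser(result *data.User, login *data.Login) (bool, error) {
	// … unchanged: build the SELECT with squirrel …
	err = data.DB.Get(result, sql, args...)
	if err != nil {
		// Spend the same bcrypt time on an unknown user as on a bad password so the
		// lookup miss is not visible in response timing. dummyHash (placeholder name)
		// is a package-level bcrypt hash of a constant string.
		_ = bcrypt.CompareHashAndPassword(dummyHash, []byte(login.Password))
		return false, err
	}
	if err := bcrypt.CompareHashAndPassword([]byte(result.Password), []byte(login.Password)); err != nil {
		return false, err
	}
	return login.Username == result.Username, nil
}
```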
diff --git a/common/web.go b/common/web.go
index fe2686c..ffcdcd1 100644
--- a/common/web.go
+++ b/common/web.go
@@ -3,8 +3,11 @@ package common
 import (
 "strings"
 "github.com/gofiber/fiber/v2"
+ "github.com/gofiber/fiber/v2/middleware/session"
 )
+var STORE *session.Store
+
 func Page(path string) (func(c *fiber.Ctx) error) {
 page_id := strings.ReplaceAll(path, "/", "-") + "-page"
diff --git a/main.go b/main.go
index f7f085f..9aedef0 100644
--- a/main.go
+++ b/main.go
@@ -8,6 +8,7 @@ import (
 "github.com/gofiber/fiber/v2"
 "github.com/gofiber/fiber/v2/middleware/logger"
 "github.com/gofiber/template/html/v2"
+ "github.com/gofiber/fiber/v2/middleware/session"
 _ "github.com/mattn/go-sqlite3"
 recov "github.com/gofiber/fiber/v2/middleware/recover"
@@ -16,6 +17,8 @@ import (
 "MY/webapp/data"
 "MY/webapp/config"
 "MY/webapp/admin"
+ "MY/webapp/common"
+ "MY/webapp/auth"
 )
 func main() {
@@ -37,7 +40,10 @@ func main() {
 app.Use(logger.New())
 app.Use(recov.New())
+ common.STORE = session.New()
+
 data.Setup(config.Settings.Database.Driver, config.Settings.Database.Url)
+ auth.Setup(app)
 api.Setup(app)
 admin.Setup(app)
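Review bot: `var STORE *session.Store` is a new exported package-level global with no doc comment, and it stays nil until main assigns it, so `auth.Check` and `LogoutUser`, which both call `common.STORE.Get(c)`, would dereference nil if any route ran before that assignment; `// STORE is the session store shared by the auth and admin handlers; main assigns it before any route is registered.` states that contract where a reader of this package will see it. The rest of Page is outside the hunk.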
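Review bot: `common.STORE = session.New()` in the @@ -37 hunk keeps the default session config, whose cookie is issued without the HttpOnly and Secure attributes (fiber v2 `session.Config` leaves `CookieHTTPOnly` and `CookieSecure` false unless set); since this cookie now carries the `authenticated` and `admin` values that `auth.Check` trusts, `session.New(session.Config{CookieHTTPOnly: true, CookieSecure: true, CookieSameSite: "Lax"})` is the safer default, with `CookieSecure` conditional on TLS terminating in front of the app. The call is unchanged from its previous home in api.Setup, so this is not introduced here, but main is now the single place to set it. The rest of main is outside the hunk.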