diff --git a/api/kiwi_vpn_api/db/schemas.py b/api/kiwi_vpn_api/db/schemas.py
index 9e5f4a2..a1fbdf1 100644
--- a/api/kiwi_vpn_api/db/schemas.py
+++ b/api/kiwi_vpn_api/db/schemas.py
@@ -76,8 +76,8 @@ class UserCreate(UserBase):
 class User(UserBase):
- certificates: list[Certificate]
- capabilities: list[UserCapability]
+ certificates: list[Certificate] = []
+ capabilities: list[UserCapability] = []
 class Config:
 orm_mode = True
@@ -109,29 +109,6 @@ class User(UserBase):
 return cls.from_orm(db_user)
- @classmethod
- def authenticate(
- cls,
- db: Session,
- name: str,
- password: str,
- crypt_context: CryptContext,
- ) -> User | None:
- """
- Authenticate with name/password against users in database.
- """
-
- if (db_user := models.User.load(db, name)) is None:
- # nonexistent user, fake doing password verification
- crypt_context.dummy_verify()
- return None
-
- if not crypt_context.verify(password, db_user.password):
- # password hash mismatch
- return None
-
- return cls.from_orm(db_user)
-
 @classmethod
 def create(
 cls,
@@ -160,6 +137,29 @@ class User(UserBase):
 # user already existed
 pass
+ def authenticate(
+ self,
+ db: Session,
+ password: str,
+ crypt_context: CryptContext,
+ ) -> User | None:
+ """
+ Authenticate with name/password against users in database.
+ """
+
+ if (db_user := models.User.load(db, self.name)) is None:
+ # nonexistent user, fake doing password verification
+ crypt_context.dummy_verify()
+ return False
+
+ if not crypt_context.verify(password, db_user.password):
+ # password hash mismatch
+ return False
+
+ self.from_orm(db_user)
+
+ return True
+
 def add_capabilities(
 self,
 db: Session,
diff --git a/api/kiwi_vpn_api/routers/user.py b/api/kiwi_vpn_api/routers/user.py
index 8d466df..10b9f00 100644
--- a/api/kiwi_vpn_api/routers/user.py
+++ b/api/kiwi_vpn_api/routers/user.py
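Review bot: `self.from_orm(db_user)` in the new instance method `authenticate` does not update `self` — as the removed classmethod's `return cls.from_orm(db_user)` shows, `from_orm` builds a fresh model, and here its result is discarded, so a caller that receives `True` still holds only the `User(name=...)` it constructed, with `certificates` and `capabilities` now silently defaulting to `[]` (hunk 1) instead of the values stored for that account; any later check that reads those lists from this object would see them empty. The annotation `-> User | None` also no longer matches the `True`/`False` returns, and the docstring still speaks of name/password although the name now comes from `self.name`. The smallest fix keeps the annotation and returns the loaded model: `return None` on both failure paths and `return User.from_orm(db_user)` in place of `self.from_orm(db_user)` and `return True`, with the router binding the returned value; otherwise the annotation should become `-> bool` and the docstring should state that `self` is not populated. The `User` class continues outside the hunk.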
@@ -39,15 +39,13 @@ async def login(
 raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST)
 # try logging in
- user = User.authenticate(
+ user = User(name=form_data.username)
+ if not user.authenticate(
 db=db,
- name=form_data.username,
 password=form_data.password,
 crypt_context=await current_config.crypto.crypt_context,
- )
-
- # authentication failed
- if user is None:
+ ):
+ # authentication failed
 raise HTTPException(
 status_code=status.HTTP_401_UNAUTHORIZED,
 detail="Could not validate credentials",
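Review bot: After the added `if not user.authenticate(...)` the name `user` still refers to the stub `User(name=form_data.username)` built on the first added line, because the instance `authenticate` returns a bool and discards the model it loads, so whatever the remainder of `login` does with `user` (the function continues past the hunk) would work on an object whose `certificates` and `capabilities` are the new empty defaults rather than the database values. If `authenticate` is made to return the loaded model (its annotation still says `User | None`), the router can bind that directly — `user = User(name=form_data.username).authenticate(db=db, password=form_data.password, crypt_context=await current_config.crypto.crypt_context)` followed by `if user is None:` before the 401 — which also restores the `user is None` check the commit removes. If the bool return is kept instead, the successful path should reload the user from the database before anything reads its attributes.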