diff --git a/cmd/wg-portal/ui/pages_core.go b/cmd/wg-portal/ui/pages_core.go
index 38067ea..da80272 100644
--- a/cmd/wg-portal/ui/pages_core.go
+++ b/cmd/wg-portal/ui/pages_core.go
@@ -114,18 +114,24 @@
 	// Validate form input
 	if strings.Trim(username, " ") == "" || strings.Trim(password, " ") == "" {
-		c.Redirect(http.StatusSeeOther, "/auth/login?err=missingdata")
+		h.redirectWithFlash(c, "/auth/login", FlashData{Message: "Please fill out all fields", Type: "danger"})
 		return
 	}
 
-	// TODO: implement db authentication
-	/*c.HTML(http.StatusOK, "login.html", gin.H{
-		"HasError": authError != "",
-		"Message":  errMsg,
-		"DeepLink": deepLink,
-		"Static":   h.getStaticData(),
-		"Csrf":     csrf.GetToken(c),
-	})*/
+	user, err := h.passwordAuthentication(persistence.UserIdentifier(username), password)
+	if err != nil {
+		h.redirectWithFlash(c, "/auth/login", FlashData{Message: "Login failed", Type: "danger"})
+		return
+	}
+
+	authSession := h.session.DefaultSessionData()
+	authSession.LoggedIn = true
+	authSession.UserIdentifier = user.Identifier
+	authSession.IsAdmin = user.IsAdmin
+	authSession.Firstname = user.Firstname
+	authSession.Lastname = user.Lastname
+	authSession.Email = user.Email
+	h.session.SetData(c, authSession)
 
 	nextUrl := "/"
 	if currentSession.DeeplLink != "" {
@@ -234,14 +240,18 @@
 	}
 }
 
-func (h *handler) passwordAuthentication(username, password string) (*persistence.User, error) {
-	err := h.backend.PlaintextAuthentication(persistence.UserIdentifier(username), password)
+func (h *handler) passwordAuthentication(identifier persistence.UserIdentifier, password string) (*persistence.User, error) {
+	user, err := h.backend.GetUser(identifier)
+	if err != nil {
+		return nil, errors.WithMessage(err, "user not found")
+	}
+
+	err = h.backend.PlaintextAuthentication(identifier, password)
 	if err != nil {
 		return nil, errors.WithMessage(err, "failed to authenticate")
 	}
 
-	// TODO
-	return nil, nil
+	return user, nil
 }
 
 func (h *handler) getAuthenticatorConfig(id string) (interface{}, error) {
diff --git a/internal/user/authentication.go b/internal/user/authentication.go
index 2e81a72..823330d 100644
--- a/internal/user/authentication.go
+++ b/internal/user/authentication.go
@@ -14,6 +14,14 @@
 		return errors.WithMessagef(err, "unable to load user %s", userId)
 	}
 
+	if user.Source == persistence.UserSourceOauth {
+		return errors.New("password authentication unavailable")
+	}
+
+	if user.Password == "" {
+		return errors.New("password authentication unavailable")
+	}
+
 	if err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(plainPassword)); err != nil {
 		return errors.WithMessage(err, "invalid password")
 	}
@@ -27,6 +35,14 @@
 		return errors.WithMessagef(err, "unable to load user %s", userId)
 	}
 
+	if user.Source == persistence.UserSourceOauth {
+		return errors.New("password authentication unavailable")
+	}
+
+	if user.Password == "" {
+		return errors.New("password authentication unavailable")
+	}
+
 	if subtle.ConstantTimeCompare([]byte(user.Password), []byte(hashedPassword)) != 1 {
 		return errors.New("invalid password")
 	}
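Review bot: In passwordAuthentication an unknown identifier returns from the GetUser check before any password hashing happens, while a wrong password for an existing user still goes through PlaintextAuthentication (which, per the other file in this diff, loads the user again and runs a bcrypt compare), so response time separates existing from non-existing usernames even though both paths yield the same generic error to the caller. The cheap part is to stop loading the user twice: call PlaintextAuthentication first and only then `h.backend.GetUser(identifier)`, with a comment such as `// authenticate before lookup; the lookup must not become a cheaper failure path than a wrong password`. That alone does not close the timing gap, because the load failure inside PlaintextAuthentication also returns before bcrypt; a dummy CompareHashAndPassword against a fixed hash on that not-found path (in the backend, not here) is the usual fix. Both wrapped errors ("user not found", "failed to authenticate") are fine to return as long as the caller keeps mapping them to one message.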
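Review bot: The two new guards in the bcrypt variant of authentication are copied verbatim in the ConstantTimeCompare variant below, which is how the two checks drift apart the next time an account source is added (the diff only excludes UserSourceOauth; whether other externally managed sources exist is not visible here, so confirm). Pull them into one predicate so both call sites test the same condition; it also gives a place to state why they return before the bcrypt compare. Note that these early returns are faster than a real compare, so a passwordless or OAuth account is distinguishable by timing from a password account with a wrong password — acceptable if that is a known trade-off, worth a comment either way. The enclosing function starts before this hunk.

```go
// passwordAuthUnavailable reports whether user cannot log in with a password:
// externally managed (OAuth) accounts and accounts with no stored hash.
// NOTE(review): returns before any bcrypt work, so it is observably faster than a failed compare.
func passwordAuthUnavailable(user *persistence.User) bool {
	return user.Source == persistence.UserSourceOauth || user.Password == ""
}

	// … unchanged: user lookup …
	if passwordAuthUnavailable(user) {
		return errors.New("password authentication unavailable")
	}
	// … unchanged: bcrypt compare …
```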
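Review bot: The `user.Password == ""` guard added ahead of subtle.ConstantTimeCompare is not merely tidy-up, it closes a real hole: ConstantTimeCompare returns 1 for two equal slices, including two empty ones, so before this change a stored empty hash was matched by an empty hashedPassword argument. That reasoning is invisible in the code and a later cleanup could drop the check as redundant, so say it at the guard: `// an empty stored hash must never authenticate: ConstantTimeCompare("", "") == 1`. The OAuth guard above it deserves a one-liner too, e.g. `// OAuth-sourced users have no local credential; refuse rather than compare`. The enclosing function starts before this hunk.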