diff --git a/lib/src/routes/controllers/auth.dart b/lib/src/routes/controllers/auth.dart
index 194a374..35972ce 100644
--- a/lib/src/routes/controllers/auth.dart
+++ b/lib/src/routes/controllers/auth.dart
@@ -1,16 +1,40 @@
-part of angel.routes.controllers;
+library angel.routes.controllers.auth;
+
+import 'package:angel_auth/angel_auth.dart';
+import 'package:angel_framework/angel_framework.dart';
+import '../../services/user/user.dart';
 @Expose("/auth")
 class AuthController extends Controller {
+ final AngelAuth _auth = new AngelAuth();
+
+ _deserializer(String id) async => app.service("api/users").read(id);
+ _serializer(User user) async => user.id;
+
+ /// Attempt to log a user in
+ _verifier(UserService Users) {
+ return (String username, String password) async {
+ List users = await Users.index({"username": username});
+
+ if (users.isNotEmpty) {
+ var hash = hashPassword(password);
+ return users.firstWhere((user) => user.password == hash,
+ orElse: () => null);
+ }
+ };
+ }
+
 @override
 call(Angel app) async {
+ // Wire up local authentication, connected to our User service
+ _auth.serializer = _serializer;
+ _auth.deserializer = _deserializer;
+ _auth.strategies.add(new LocalAuthStrategy(
+ _auth, _verifier(app.container.make(UserService)),
+ forceBasic: true));
+
 await super.call(app);
-
- app.registerMiddleware("auth", (req, res) async {
- if (!loggedIn(req)) throw new AngelHttpException.Forbidden();
-
- return true;
- });
+ await app.configure(_auth);
 }
 bool loggedIn(RequestContext req) => req.session["userId"] != null;
diff --git a/lib/src/routes/controllers/controllers.dart b/lib/src/routes/controllers/controllers.dart
index 8b7ec95..2db2604 100644
--- a/lib/src/routes/controllers/controllers.dart
+++ b/lib/src/routes/controllers/controllers.dart
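Review bot: The `"auth"` middleware that threw `AngelHttpException.Forbidden()` for requests without a session is removed from `call`, and nothing visible in this hunk registers a replacement guard, so every route that still names that middleware should be checked before merging. `loggedIn` on the last line of the hunk still reads `req.session["userId"]`, a key the new serializer/deserializer wiring does not visibly set; if AngelAuth tracks the user elsewhere this helper will always report false and should be rewritten or removed. If, as the name suggests, `forceBasic: true` selects HTTP Basic, credentials are sent on every request, so a comment such as `// Basic auth: serve only over TLS` above the strategy would record that requirement. The class body continues past the end of the hunk.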
@@ -1,8 +1,7 @@
 library angel.routes.controllers;
 import 'package:angel_framework/angel_framework.dart';
-import '../../services/user/user.dart';
-part 'auth.dart';
+import 'auth.dart';
 configureServer(Angel app) async {
 await app.configure(new AuthController());
diff --git a/lib/src/routes/routes.dart b/lib/src/routes/routes.dart
index 347d470..9eb224b 100644
--- a/lib/src/routes/routes.dart
+++ b/lib/src/routes/routes.dart
@@ -15,9 +15,9 @@ configureRoutes(Angel app) async {
 configureAfter(Angel app) async {
 // 404 handler
- app.after.add((req, res) async => res
- ..status(404)
- ..render("404", {"path": req.path}));
+ app.after.add((req, ResponseContext res) async {
+ throw new AngelHttpException.NotFound();
+ });
 // Default error handler
 app.onError(
diff --git a/lib/src/services/user/user.dart b/lib/src/services/user/user.dart
index 0c73378..358d361 100644
--- a/lib/src/services/user/user.dart
+++ b/lib/src/services/user/user.dart
@@ -15,6 +15,10 @@ configureServer(Db db) {
 };
 }
+/// SHA-256 hash any string, particularly a password.
+String hashPassword(String password) =>
+ sha256.convert(password.codeUnits).toString();
+
 /// Manages users.
 ///
 /// Here, we extended the base service class. This allows to only expose
@@ -22,7 +26,7 @@ configureServer(Db db) {
 class UserService extends Service {
 MongoTypedService _inner;
- UserService(DbCollection collection):super() {
+ UserService(DbCollection collection) : super() {
 _inner = new MongoTypedService(collection);
 }
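Review bot: Every unmatched path now ends in the error handler that begins at `app.onError(` and continues outside this hunk, so that handler alone decides what a 404 response contains; it should map `AngelHttpException.NotFound()` to a generic body and not echo exception detail or stack traces to the client. In the new closure neither `req` nor `res` is used, so the `ResponseContext` annotation adds nothing and the opener can stay `app.after.add((req, res) async {`. A one-line comment such as `// Rendering is delegated to the error handler below` would explain why the template render was dropped.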
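Review bot: `hashPassword` produces a single unsalted SHA-256 digest, which is cheap to brute-force offline and gives identical hashes for identical passwords; stored passwords should go through a salted, deliberately slow KDF (bcrypt, scrypt, Argon2 or PBKDF2) with a per-user salt, and the doc comment should stop recommending this helper for passwords. `password.codeUnits` also feeds UTF-16 code units to a byte-oriented hash, so characters above U+00FF are not hashed as their UTF-8 bytes; encode first, e.g. `sha256.convert(utf8.encode(password))` (`UTF8.encode` on Dart 1 SDKs). The same digest is compared with `==` in `_verifier` in auth.dart, so a constant-time comparison belongs with any replacement. Changing the scheme needs a migration path for hashes already stored.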
@@ -46,9 +50,10 @@ class UserService extends Service {
 try {
 Validate.isKeyInMap("username", data);
 Validate.isEmail(data["email"]);
- data["password"] = sha256.convert(data["password"].codeUnits).toString();
- } catch(e) {
- throw new AngelHttpException.BadRequest(message: "User must have a username, e-mail address and password.");
+ data["password"] = hashPassword(data["password"]);
+ } catch (e) {
+ throw new AngelHttpException.BadRequest(
+ message: "User must have a username, e-mail address and password.");
 }
 return _inner.create(data, params);
diff --git a/views/404.mustache b/views/404.mustache
deleted file mode 100644
index 3896919..0000000
--- a/views/404.mustache
+++ /dev/null
@@ -1,50 +0,0 @@ - - - - 404 Not Found - - - - - - -
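Review bot: The password is never validated explicitly in this `try` block: a missing `data["password"]` is rejected only because `hashPassword(null)` throws and the blanket `catch (e)` turns that into a 400. Adding `Validate.isKeyInMap("password", data);` next to the username check, together with a minimum-length rule, makes the requirement explicit and lets the catch be narrowed so unrelated failures are not reported as bad input. `data` is then passed whole to `_inner.create(data, params)`; if this map comes from the client, consider copying only the expected keys so that extra fields cannot be stored. The method starts before the hunk and its closing brace is outside it.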
-
-
404 Not Found
-
No file was found at "{{path}}".
-
-
- - \ No newline at end of file