diff --git a/auth/auth.go b/auth/auth.go
index bc218d0..08560af 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -1,6 +1,8 @@
 package auth
 
 import (
+ "errors"
+
 "github.com/MarekWojt/gertdns/util"
 "github.com/raja/argon2pw"
 )
@@ -56,11 +58,11 @@ func (selfUser *userRaw) Tidy() (user, error) {
 func IsPasswordAuthenticated(request PasswordAuthenticationRequest) (bool, error) {
 currentUser, found := parsedUsers[request.User]
 if !found {
- return false, nil
+ return false, errors.New("user does not exist")
 }
 
 if _, ok := currentUser.domains[request.Domain]; !ok {
- return false, nil
+ return false, errors.New("user does not have access to this domain")
 }
 
 return currentUser.Authenticate(request.Password)
diff --git a/web/web.go b/web/web.go
index bb8a303..95cba4c 100644
--- a/web/web.go
+++ b/web/web.go
@@ -189,6 +189,12 @@ func authenticatedRequest(request func(ctx *fasthttp.RequestCtx)) func(ctx *fast
 }
 
 authenticated, err := auth.IsPasswordAuthenticated(authRequest)
+ if err != nil && !authenticated {
+ ctx.WriteString("Authentication failed: " + err.Error())
+ ctx.SetStatusCode(fasthttp.StatusForbidden)
+ return
+ }
+
 if err != nil {
 ctx.WriteString("Internal server error")
 ctx.SetStatusCode(fasthttp.StatusInternalServerError)
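Review bot: The two new error strings in `IsPasswordAuthenticated` (auth/auth.go) tell a caller whether the account is missing or merely lacks the domain, and the web.go hunk in this commit writes `err.Error()` into the response, so an unauthenticated client can distinguish valid user names from invalid ones. Returning one package-level sentinel from both branches, e.g. `var ErrAuthFailed = errors.New("authentication failed")`, keeps the response uniform; the specific reason can be logged server-side instead. A sentinel would also let callers use `errors.Is` to separate a credential failure from whatever error `currentUser.Authenticate` may return, which inline `errors.New` values do not allow. The function's closing brace is outside the hunk.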
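Review bot: In `authenticatedRequest` (web/web.go) the added `err != nil && !authenticated` branch matches every error that arrives with a false result, so the `Internal server error` branch below it is reachable only when `authenticated` is true and `err` is non-nil. If `Authenticate` reports internal failures as `(false, err)`, which is not visible here, those would be answered with 403 and their raw text sent to the client. I would send a fixed body, `ctx.WriteString("Authentication failed")`, log `err` on the server, and select this branch with `errors.Is` against a sentinel exported by the auth package rather than by `!authenticated`. The enclosing function starts and ends outside the hunk.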