diff --git a/src/mtgcoll/auth.clj b/src/mtgcoll/auth.clj
new file mode 100644
index 0000000..e12cd08
--- /dev/null
+++ b/src/mtgcoll/auth.clj
@@ -0,0 +1,15 @@
+(ns mtgcoll.auth
+ (:require
+ [mtgcoll.config :as config]))
+
+(defn using-authorization?
+ []
+ (boolean (seq (config/get :users))))
+
+(defn validate-credentials
+ [username password]
+ (if (using-authorization?)
+ (->> (config/get :users)
+ (filter #(and (= username (:username %))
+ (= password (:password %))))
+ (first))))
diff --git a/src/mtgcoll/middleware.clj b/src/mtgcoll/middleware.clj
new file mode 100644
index 0000000..647e502
--- /dev/null
+++ b/src/mtgcoll/middleware.clj
@@ -0,0 +1,13 @@
+(ns mtgcoll.middleware
+ (:require
+ [webtools.response :as response]
+ [mtgcoll.auth :as auth]))
+
+(defn wrap-authenticated
+ [handler]
+ (fn [request]
+ (if (or (not (auth/using-authorization?))
+ (get-in request [:session :user]))
+ (handler request)
+ (-> (response/content "unauthorized")
+ (response/status 401)))))
\ No newline at end of file
diff --git a/src/mtgcoll/routes/auth.clj b/src/mtgcoll/routes/auth.clj
index defd0d4..c7c62dd 100644
--- a/src/mtgcoll/routes/auth.clj
+++ b/src/mtgcoll/routes/auth.clj
@@ -4,15 +4,12 @@ [compojure.core :refer [routes GET POST]] [webtools.response :as response] [webtools.session :as session] - [mtgcoll.config :as config])) + [mtgcoll.auth :as auth])) (def auth-routes (routes (POST "/login" [username password :as request] - (if-let [user (->> (config/get :users) - (filter #(and (= username (:username %)) - (= password (:password %)))) - (first))] + (if-let [user (auth/validate-credentials username password)] (do (log/info username " logged in.") (-> (response/content "ok")
diff --git a/src/mtgcoll/routes/collection.clj b/src/mtgcoll/routes/collection.clj
index 25563a6..15caaec 100644
--- a/src/mtgcoll/routes/collection.clj
+++ b/src/mtgcoll/routes/collection.clj
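Review bot: In `validate-credentials` (src/mtgcoll/auth.clj) both comparisons use plain `=`, so a `:users` entry that lacks `:password` matches a login request that omits the password parameter, because `(= nil nil)` is true; the same holds for `:username`. The `=` against `(:password %)` also shows that passwords sit in the config as plaintext and are compared in data-dependent time. Storing a salted password hash and verifying against it is the durable fix, but it needs a config format change outside this hunk. As a minimum, require the arguments and the stored value to be strings and compare the bytes in constant time, as sketched below; `when` also replaces the one-armed `if`.

```clojure
(defn validate-credentials
  [username password]
  ;; Reject missing parameters up front so nil can never equal a missing config key.
  (when (and (string? username) (string? password) (using-authorization?))
    (let [supplied (.getBytes ^String password "UTF-8")]
      (->> (config/get :users)
           (filter #(and (= username (:username %))
                         (string? (:password %))
                         ;; MessageDigest/isEqual compares byte arrays in constant time.
                         (java.security.MessageDigest/isEqual
                           supplied
                           (.getBytes ^String (:password %) "UTF-8"))))
           (first)))))
```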
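Review bot: `wrap-authenticated` (src/mtgcoll/middleware.clj) fails open: whenever `(config/get :users)` is empty or missing, `using-authorization?` is false and every request reaches the handler, so a mistyped key or an empty user list silently removes protection from every wrapped route. If open access without configured users is intended, state it in a docstring, e.g. `"Passes all requests through when no :users are configured; otherwise requires a truthy [:session :user]."`, and log a warning at startup when authorization is off. The session check also accepts any truthy `[:session :user]` without confirming that the user is still present in `:users`, so removing a user from the config presumably does not end an existing session; confirm this against how the session is populated at login.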
@@ -2,14 +2,18 @@ (:require [compojure.core :refer [routes GET POST]] [webtools.response :as response] + [webtools.routes.core :refer [wrap-middleware]] + [mtgcoll.middleware :refer [wrap-authenticated]] [mtgcoll.models.collection :as collection])) (def collection-routes - (routes - (POST "/collection/add" [card-id quality foil] - (collection/add-to-collection! card-id quality foil) - (response/json {:status "ok"})) + (wrap-middleware + (routes + (POST "/collection/add" [card-id quality foil :as request] + (collection/add-to-collection! card-id quality foil) + (response/json {:status "ok"})) - (POST "/collection/remove" [card-id quality foil] - (collection/remove-from-collection! card-id quality foil) - (response/json {:status "ok"})))) + (POST "/collection/remove" [card-id quality foil :as request] + (collection/remove-from-collection! card-id quality foil) + (response/json {:status "ok"}))) + (wrap-authenticated)))
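Review bot: The two POST routes in `collection-routes` now authorize on the session alone, so if that session is carried in a cookie these state-changing requests need CSRF protection (an anti-forgery token or an Origin check), and nothing in this hunk shows one; confirm it is applied in the application's middleware stack. Separately, `:as request` is bound in both routes but never used. Either drop it, or use it to record `(get-in request [:session :user])` when the collection is modified so that changes can be attributed to a user. Other mutating routes are not visible here and presumably need the same `wrap-authenticated` wrapping.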