changeset 286:a42f55ea0a20

Deduped some code. Don't allow empty user and empty password at login.
author Sascha L. Teichmann <sascha.teichmann@intevation.de>
date Tue, 31 Jul 2018 11:08:31 +0200
parents dfb989088158
children be6e60fca3dd
files controllers/token.go
diffstat 1 files changed, 19 insertions(+), 11 deletions(-) [+]
--- a/controllers/token.go	Mon Jul 30 17:30:08 2018 +0200
+++ b/controllers/token.go	Tue Jul 31 11:08:31 2018 +0200
@@ -9,6 +9,13 @@
 	"gemma.intevation.de/gemma/auth"
 )
 
+func sendJSON(rw http.ResponseWriter, data interface{}) {
+	rw.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(rw).Encode(data); err != nil {
+		log.Printf("error: %v\n", err)
+	}
+}
+
 func renew(rw http.ResponseWriter, req *http.Request) {
 	token, _ := auth.GetToken(req)
 	newToken, err := auth.ConnPool.Renew(token)
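Review bot: sendJSON sets only Content-Type, yet it now writes the login and renew responses, which appear to carry session tokens. Consider adding `rw.Header().Set("Cache-Control", "no-store")` so browsers and intermediaries do not retain those responses; if sendJSON is meant to stay generic, set the header in the two callers instead. The encode error can only be logged because the response has already started by then, and a doc comment such as `// sendJSON writes data as JSON; encode errors are logged, not reported to the client.` would make that explicit. The body of renew continues outside this hunk.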
@@ -35,10 +42,7 @@
 		Roles:   session.Roles,
 	}
 
-	rw.Header().Set("Content-Type", "text/plain")
-	if err := json.NewEncoder(rw).Encode(&result); err != nil {
-		log.Printf("error: %v\n", err)
-	}
+	sendJSON(rw, &result)
 }
 
 func logout(rw http.ResponseWriter, req *http.Request) {
@@ -53,11 +57,18 @@
 }
 
 func login(rw http.ResponseWriter, req *http.Request) {
-	user := req.FormValue("user")
-	password := req.FormValue("password")
+
+	var (
+		user     = req.FormValue("user")
+		password = req.FormValue("password")
+	)
+
+	if user == "" || password == "" {
+		http.Error(rw, "Invalid credentials", http.StatusBadRequest)
+		return
+	}
 
 	token, session, err := auth.GenerateSession(user, password)
-
 	if err != nil {
 		http.Error(rw, fmt.Sprintf("error: %v", err), http.StatusInternalServerError)
 		return
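Review bot: The new empty-value check still reads the credentials with `req.FormValue`, which also accepts URL query parameters, so a password sent as `?password=…` is honoured and can end up in access logs and proxies. If clients always post a form body, `user = req.PostFormValue("user")` and `password = req.PostFormValue("password")` restrict the lookup to the body. In the same hunk, a failed `auth.GenerateSession` is answered with status 500 and the raw `err` text; if that error can describe the backend, an unauthenticated caller sees it. Logging it server-side and replying `http.Error(rw, "Invalid credentials", http.StatusUnauthorized)` would keep both failure paths uniform. The rest of login lies outside the hunk.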
@@ -75,8 +86,5 @@
 		Roles:   session.Roles,
 	}
 
-	rw.Header().Set("Content-Type", "application/json")
-	if err := json.NewEncoder(rw).Encode(&result); err != nil {
-		log.Printf("error: %v\n", err)
-	}
+	sendJSON(rw, &result)
 }