diff --git a/bootstrap/data.go b/bootstrap/data.go
index 589d12a2..32790bef 100644
--- a/bootstrap/data.go
+++ b/bootstrap/data.go
@@ -22,6 +22,7 @@ func initUser() {
 Password: random.RandomStr(8),
 Role: model.ADMIN,
 BasePath: "/",
+ Webdav: true,
 }
 if err := db.CreateUser(admin); err != nil {
 panic(err)
@@ -35,6 +36,9 @@ func initUser() {
 if errors.Is(err, gorm.ErrRecordNotFound) {
 guest = &model.User{
 Username: "guest",
+ Password: "guest",
+ ReadOnly: true,
+ Webdav: true,
 Role: model.GUEST,
 BasePath: "/",
 }
diff --git a/internal/model/user.go b/internal/model/user.go
index 9122c296..94df5161 100644
--- a/internal/model/user.go
+++ b/internal/model/user.go
@@ -16,7 +16,8 @@ type User struct {
 Username string `json:"username" gorm:"unique"` // username
 Password string `json:"password"` // password
 BasePath string `json:"base_path"` // base path
- ReadOnly bool `json:"read_only"` // allow upload
+ ReadOnly bool `json:"read_only"` // read only
+ Webdav bool `json:"webdav"` // allow webdav
 Role int `json:"role"` // user's role
 }
diff --git a/internal/server/common/common.go b/internal/server/common/common.go
index 06d13d00..a10eee6c 100644
--- a/internal/server/common/common.go
+++ b/internal/server/common/common.go
@@ -11,8 +11,8 @@ type Resp struct {
 Data interface{} `json:"data"`
 }
-func ErrorResp(c *gin.Context, err error, code int, noLog ...bool) {
- if len(noLog) != 0 && noLog[0] {
+func ErrorResp(c *gin.Context, err error, code int, l ...bool) {
+ if len(l) != 0 && l[0] {
 log.Errorf("%+v", err)
 }
 c.JSON(200, Resp{
diff --git a/internal/server/controllers/login.go b/internal/server/controllers/login.go
index 92285c59..4a7edf84 100644
--- a/internal/server/controllers/login.go
+++ b/internal/server/controllers/login.go
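Review bot: In bootstrap/data.go (second hunk) the guest account is created with the fixed password `"guest"` together with `Webdav: true` and `BasePath: "/"`, so once a WebDAV endpoint honours this flag every fresh install offers its root read-only to anyone who knows the default. Consider creating the guest with `Webdav: false` and letting the administrator opt in, or state the intent beside the literal, e.g. `// guest credentials are public by design; access is limited by ReadOnly`. The password is assigned as a plain string here, which suggests it is stored unhashed, although `db.CreateUser` is not visible in this diff. initUser starts and ends outside the hunk.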
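Review bot: The variadic parameter `l` of `ErrorResp` in internal/server/common/common.go gives no hint that `l[0] == true` switches logging on; the old name `noLog` said the opposite of what the code did, but a single letter is not clearer. Rename it to something like `logErr ...bool` and add a doc comment such as `// ErrorResp writes err as a JSON error response; pass true as the last argument to also log it.` Callers that omit the flag, as the Login changes in this commit now do, stop logging without any visible sign at the call site. The function body continues past the hunk.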
@@ -3,6 +3,7 @@ package controllers
 import (
 "github.com/Xhofe/go-cache"
 "github.com/alist-org/alist/v3/internal/db"
+ "github.com/alist-org/alist/v3/internal/model"
 "github.com/alist-org/alist/v3/internal/server/common"
 "github.com/gin-gonic/gin"
 "time"
@@ -23,7 +24,7 @@ func Login(c *gin.Context) {
 // check count of login
 ip := c.ClientIP()
 count, ok := loginCache.Get(ip)
- if ok && count > defaultTimes {
+ if ok && count >= defaultTimes {
 common.ErrorStrResp(c, "Too many unsuccessful sign-in attempts have been made using an incorrect password. Try again later.", 403)
 loginCache.Expire(ip, defaultDuration)
 return
@@ -36,12 +37,12 @@ func Login(c *gin.Context) {
 }
 user, err := db.GetUserByName(req.Username)
 if err != nil {
- common.ErrorResp(c, err, 400, true)
+ common.ErrorResp(c, err, 400)
 return
 }
 // validate password
 if err := user.ValidatePassword(req.Password); err != nil {
- common.ErrorResp(c, err, 400, true)
+ common.ErrorResp(c, err, 400)
 loginCache.Set(ip, count+1)
 return
 }
@@ -54,3 +55,10 @@ func Login(c *gin.Context) {
 common.SuccessResp(c, gin.H{"token": token})
 loginCache.Del(ip)
 }
+
+// CurrentUser get current user by token
+// if token is empty, return guest user
+func CurrentUser(c *gin.Context) {
+ user := c.MustGet("user").(*model.User)
+ common.SuccessResp(c, gin.H{"user": user})
+}
diff --git a/internal/server/middlewares/auth.go b/internal/server/middlewares/auth.go
index 3f1aed4c..9e757b40 100644
--- a/internal/server/middlewares/auth.go
+++ b/internal/server/middlewares/auth.go
@@ -6,8 +6,16 @@ import (
 "github.com/gin-gonic/gin"
 )
-func AuthAdmin(c *gin.Context) {
+// Auth is a middleware that checks if the user is logged in.
+// if token is empty, set user to guest
+func Auth(c *gin.Context) {
 token := c.GetHeader("Authorization")
+ if token == "" {
+ guest, _ := db.GetGuest()
+ c.Set("user", guest)
+ c.Next()
+ return
+ }
 userClaims, err := common.ParseToken(token)
 if err != nil {
 common.ErrorResp(c, err, 401)
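Review bot: With the trailing `true` removed from both `common.ErrorResp(c, err, 400)` calls in Login (the `-36,12 +37,12` hunk), failed sign-ins no longer reach `log.Errorf`, so the only server-side trace of password guessing is the in-memory counter. A log line at the two failure points carrying `ip` and `req.Username` (never the submitted password) would keep these events visible to whoever monitors the service. The unknown-username branch also returns without `loginCache.Set(ip, count+1)`, so only wrong-password attempts count toward the limit, and the two branches likely return distinguishable errors. Login starts and ends outside this hunk.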
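Review bot: `CurrentUser` puts the whole `*model.User` into the response, and the model's `Password` field is tagged `json:"password"` (internal/model/user.go in this commit), so `/api/user/current` hands the stored password back to the client; bootstrap/data.go assigns passwords as plain strings, so this is probably not even a hash. Return only the fields the client needs, for example `gin.H{"username": user.Username, "role": user.Role, "base_path": user.BasePath, "read_only": user.ReadOnly, "webdav": user.Webdav}`, or clear the field on a copy before responding. The type assertion after `c.MustGet("user")` also assumes the Auth middleware always stored a non-nil user, which its guest branch does not guarantee.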
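Review bot: In the guest branch of `Auth` (internal/server/middlewares/auth.go), `guest, _ := db.GetGuest()` discards the error, so a failed lookup stores a nil user in the context and the request still proceeds through `c.Next()`. Handlers that read `c.MustGet("user").(*model.User)` will then panic on the first field access, or return `null` as CurrentUser does. Fail the request when the guest cannot be loaded, as in the block below. The rest of Auth after the `ParseToken` error check is outside the hunk, so whether that branch aborts the chain cannot be confirmed from here.

```go
	if token == "" {
		guest, err := db.GetGuest()
		if err != nil {
			// log the failure and stop the chain instead of continuing with a nil user
			common.ErrorResp(c, err, 500, true)
			c.Abort()
			return
		}
		// … unchanged: c.Set("user", guest), c.Next(), return …
	}
```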
diff --git a/internal/server/router.go b/internal/server/router.go
index ecf58517..009418fb 100644
--- a/internal/server/router.go
+++ b/internal/server/router.go
@@ -4,6 +4,7 @@ import (
 "github.com/alist-org/alist/v3/internal/conf"
 "github.com/alist-org/alist/v3/internal/server/common"
 "github.com/alist-org/alist/v3/internal/server/controllers"
+ "github.com/alist-org/alist/v3/internal/server/middlewares"
 "github.com/gin-contrib/cors"
 "github.com/gin-gonic/gin"
 )
@@ -12,8 +13,9 @@ func Init(r *gin.Engine) {
 common.SecretKey = []byte(conf.Conf.JwtSecret)
 Cors(r)
- api := r.Group("/api")
+ api := r.Group("/api", middlewares.Auth)
 api.POST("/user/login", controllers.Login)
+ api.GET("/user/current", controllers.CurrentUser)
 }
 func Cors(r *gin.Engine) {
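Review bot: Registering `/user/login` on the group that runs `middlewares.Auth` means a request carrying a stale or malformed `Authorization` header is answered by the `ParseToken` error branch (401 in the auth.go hunk) before `Login` runs, assuming that branch aborts the chain, so a client with an expired token cannot sign in again until it drops the header. Put the login route on a group without the middleware, e.g. `r.Group("/api").POST("/user/login", controllers.Login)`, and keep `middlewares.Auth` on the group that holds `/user/current`. Because Auth maps an empty token to the guest user, every route later added to `api` is reachable without credentials unless its handler checks the role; a comment above the `r.Group` call should say so. Init begins outside the hunk.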