diff --git a/assets/index.js b/assets/index.js
index 7ddf6fd..c9b051b 100644
--- a/assets/index.js
+++ b/assets/index.js
@@ -534,7 +534,7 @@ async function setupAuth() {
     $loginBtn.classList.remove("hidden");
     $loginBtn.addEventListener("click", async () => {
       try {
-        await checkAuth();
+        await checkAuth("login");
       } catch { }
       location.reload();
     });
@@ -782,9 +782,10 @@ async function saveChange() {
   }
 }
 
-async function checkAuth() {
+async function checkAuth(variant) {
   if (!DATA.auth) return;
-  const res = await fetch(baseUrl(), {
+  const qs = variant ? `?${variant}` : "";
+  const res = await fetch(baseUrl() + qs, {
     method: "CHECKAUTH",
   });
   await assertResOK(res);
diff --git a/src/server.rs b/src/server.rs
index 870b33a..8028f93 100644
--- a/src/server.rs
+++ b/src/server.rs
@@ -211,7 +211,18 @@ impl Server {
         }
 
         if method.as_str() == "CHECKAUTH" {
-            *res.body_mut() = body_full(user.clone().unwrap_or_default());
+            match user.clone() {
+                Some(user) => {
+                    *res.body_mut() = body_full(user);
+                }
+                None => {
+                    if has_query_flag(&query_params, "login") || !access_paths.perm().readwrite() {
+                        self.auth_reject(&mut res)?
+                    } else {
+                        *res.body_mut() = body_full("");
+                    }
+                }
+            }
             return Ok(res);
         } else if method.as_str() == "LOGOUT" {
             self.auth_reject(&mut res)?;