diff --git a/src/model/user.rs b/src/model/user.rs
index c9d6a63..f46ba6e 100644
--- a/src/model/user.rs
+++ b/src/model/user.rs
@@ -29,6 +29,7 @@ pub enum LoginError {
 NotAnAdmin,
 NotACox,
 NoPasswordSet(User),
+ DeserializationError,
 }
 impl User {
@@ -162,10 +163,12 @@ impl<'r> FromRequest<'r> for User {
 async fn from_request(req: &'r Request<'_>) -> request::Outcome {
 match req.cookies().get_private("loggedin_user") {
- Some(user) => {
- let user: User = serde_json::from_str(user.value()).unwrap(); //TODO: fixme
- Outcome::Success(user)
- }
+ Some(user) => match serde_json::from_str(user.value()) {
+ Ok(user) => Outcome::Success(user),
+ Err(_) => {
+ Outcome::Failure((Status::Unauthorized, LoginError::DeserializationError))
+ }
+ },
 None => Outcome::Failure((Status::Unauthorized, LoginError::NotLoggedIn)),
 }
 }
@@ -200,15 +203,13 @@ impl<'r> FromRequest<'r> for CoxUser {
 type Error = LoginError;
 async fn from_request(req: &'r Request<'_>) -> request::Outcome {
- match req.cookies().get_private("loggedin_user") {
- Some(user) => {
- let user: User = serde_json::from_str(user.value()).unwrap(); //TODO: fixme
- match user.try_into() {
- Ok(user) => Outcome::Success(user),
- Err(_) => Outcome::Failure((Status::Unauthorized, LoginError::NotAnAdmin)),
- }
- }
- None => Outcome::Failure((Status::Unauthorized, LoginError::NotLoggedIn)),
+ match User::from_request(req).await {
+ Outcome::Success(user) => match user.try_into() {
+ Ok(user) => Outcome::Success(user),
+ Err(_) => Outcome::Failure((Status::Unauthorized, LoginError::NotACox)),
+ },
+ Outcome::Failure(f) => Outcome::Failure(f),
+ Outcome::Forward(f) => Outcome::Forward(f),
 }
 }
 }
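Review bot: In the `User` guard's new `Err(_)` arm the undecodable `loggedin_user` cookie stays in the jar and the serde error is dropped, so a client holding a cookie written under an older `User` layout gets a 401 on every request until the cookie expires, with nothing recorded server-side. Because `get_private` only yields values that passed the private-cookie integrity check, a parse failure here most likely means the `User` struct changed between deployments, which is worth a log line. I would bind the error and clear the cookie before failing, e.g. `Err(e) => { req.cookies().remove_private(Cookie::named("loggedin_user")); /* log e */ Outcome::Failure((Status::Unauthorized, LoginError::DeserializationError)) }`, adjusted to the `remove_private` signature of the Rocket version in use. Log the error itself only, never the cookie value.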
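Review bot: The role-mismatch arm in the `CoxUser` guard answers `Status::Unauthorized` for a request that `User::from_request` has already authenticated; `Status::Forbidden` is the status for "logged in but not allowed". Keeping 401 makes a missing role indistinguishable from a missing session, both for clients and for anyone reading access logs. Suggested line: `Err(_) => Outcome::Failure((Status::Forbidden, LoginError::NotACox)),`. The `AdminUser` hunk that follows has the same arm with `LoginError::NotAnAdmin`. If a catcher or redirect elsewhere depends on the 401 it needs the same adjustment; that code is not visible here.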
@@ -235,15 +236,13 @@ impl<'r> FromRequest<'r> for AdminUser {
 type Error = LoginError;
 async fn from_request(req: &'r Request<'_>) -> request::Outcome {
- match req.cookies().get_private("loggedin_user") {
- Some(user) => {
- let user: User = serde_json::from_str(user.value()).unwrap(); //TODO: fixme
- match user.try_into() {
- Ok(user) => Outcome::Success(user),
- Err(_) => Outcome::Failure((Status::Unauthorized, LoginError::NotAnAdmin)),
- }
- }
- None => Outcome::Failure((Status::Unauthorized, LoginError::NotLoggedIn)),
+ match User::from_request(req).await {
+ Outcome::Success(user) => match user.try_into() {
+ Ok(user) => Outcome::Success(user),
+ Err(_) => Outcome::Failure((Status::Unauthorized, LoginError::NotAnAdmin)),
+ },
+ Outcome::Failure(f) => Outcome::Failure(f),
+ Outcome::Forward(f) => Outcome::Forward(f),
 }
 }
 }
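Review bot: `AdminUser` is now derived from whatever `User::from_request` deserialized out of the `loggedin_user` cookie, so the admin decision presumably rests on role fields frozen at login time (the `TryFrom` impl is outside this diff, so this is inferred). The cookie is private and a client cannot edit it, but a revoked admin role would stay effective until the cookie expires or is replaced. Consider keeping only the user id in the cookie and reloading the record inside the guard, or at least documenting the limit on the guard, e.g. `/// Role is taken from the session cookie; revocation takes effect at next login.` The same applies to the `CoxUser` guard in the previous hunk.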