diff --git a/backend/index.js b/backend/index.js
index 8b79510..be7b6f5 100644
--- a/backend/index.js
+++ b/backend/index.js
@@ -91,11 +91,28 @@ app.all("/*", function (req, res, next) {
     } else return next();
 });
 
+const validatePassword = (email, password) => {
+    return new Promise(function (resolve, reject) {
+        connection.query(`SELECT * from user WHERE email = ${mysql.escape(email)} AND deactivated = 0`, function (err, rows) {
+            if (err) {
+                return reject("error querying the database - Please contact sys admin");
+            }
+            if (!rows.length) {
+                return resolve(false);
+            }
+            if (!bcrypt.compareSync(password, rows[0].password)) {
+                return resolve(false);
+            }
+            return resolve(rows[0]);
+        });
+    });
+}
+
 passport.use('local-login', new LocalStrategy({
     usernameField: "email",
     passwordField: "password",
     passReqToCallback: true
-}, function (req, email, password, done) {
+}, async function (req, email, password, done) {
     if (DEBUG) {
         if (email === "test" && password === "test") {
             return done(null, {
@@ -107,19 +124,18 @@ passport.use('local-login', new LocalStrategy({
             });
         } else return done(null, false);
     }
-    email = mysql.escape(email);
-    connection.query(`SELECT * from user WHERE email = ${email} AND deactivated = 0`, function (err, rows) {
-        if (err) {
-            return res.status(static.INTERNAL_SERVER_ERROR).send("error querying the database - Please contact sys admin");
+    try {
+        let user = await validatePassword(email, password);
+        if (user) {
+            return done(null, user);
         }
-        if (!rows.length) {
+        else {
             return done(null, false);
         }
-        if (!bcrypt.compareSync(password, rows[0].password)) {
-            return done(null, false);
-        }
-        return done(null, rows[0]);
-    })
+    } catch (e) {
+        console.log(e);
+        return done(null, false);
+    }
 }
 ));
 
@@ -149,11 +165,6 @@ app.post("/API/user/login", passport.authenticate('local-login'), function (req,
     return res.status(status.OK).send("login success");
 });
 
-app.delete("/API/user/logout", function (req, res) {
-    req.logout();
-    return res.status(status.OK).send("logout success");
-});
-
 app.put("/API/user/create", function (req, res) {
     let { email, password } = req.body;
     if (email && password) {
@@ -183,6 +194,11 @@ app.get("/API/testlogin", function (req, res) {
     return res.status(status.OK).send(req.user["email"]);
 });
 
+app.delete("/API/user/logout", function (req, res) {
+    req.logout();
+    return res.status(status.OK).send("logout success");
+});
+
 app.get('/API/day', function (req, res) {
     const kind = parseInt(req.query.kind);
     if (Number.isInteger(kind)) {
@@ -277,4 +293,45 @@ app.get('/API/resourcelist', function (req, res) {
     return res.send(resourceList);
 });
 
+app.post("/API/user/setname", async function (req, res) {
+    let { email, password } = req.body;
+    if (email && password) {
+        if (DEBUG) return res.status(status.OK).send();
+        try {
+            if (!await validatePassword(req.user.email, password))
+                return res.status(status.UNAUTHORIZED).send("wrong password supplied");
+        } catch (e) {
+            return res.status(status.INTERNAL_SERVER_ERROR).send(e);
+        }
+        connection.query(`UPDATE user SET email = ${mysql.escape(email)} WHERE email = ${mysql.escape(req.user.email)}`, function (err, rows) {
+            if (err)
+                return res.status(status.INTERNAL_SERVER_ERROR).send("the username seems invalid or already taken - if you think this is an error contact the sys admin");
+            req.user.email = email;
+            return res.status(status.OK).send("username changed");
+        });
+    } else {
+        return res.status(status.BAD_REQUEST).send("invalid data supplied");
+    }
+});
+
+app.post("/API/user/setpassword", async function (req, res) {
+    let { oldpassword, newpassword } = req.body;
+    if (oldpassword && newpassword) {
+        if (DEBUG) return res.status(status.OK).send();
+        try {
+            if (!await validatePassword(req.user.email, oldpassword))
+                return res.status(status.UNAUTHORIZED).send("wrong password supplied");
+        } catch (e) {
+            return res.status(status.INTERNAL_SERVER_ERROR).send(e);
+        }
+        connection.query(`UPDATE user SET password = ${mysql.escape(bcrypt.hashSync(newpassword, saltRounds))} WHERE email = ${mysql.escape(req.user.email)}`, function (err, rows) {
+            if (err)
+                return res.status(status.INTERNAL_SERVER_ERROR).send("the username seems invalid or already taken - if you think this is an error contact the sys admin");
+            return res.status(status.OK).send("username changed");
+        });
+    } else {
+        return res.status(status.BAD_REQUEST).send("invalid data supplied");
+    }
+});
+
 app.listen(3001);