diff --git a/app/auth/controller.tsx b/app/auth/controller.tsx
index 6c316e9..e2a29f5 100644
--- a/app/auth/controller.tsx
+++ b/app/auth/controller.tsx
@@ -1,46 +1,43 @@
+import { completeAuth, verifyCredentials } from "remix/auth"
 import { parse } from "remix/data-schema"
 import type { Controller } from "remix/fetch-router"
-import { createRedirectResponse as redirect } from "remix/response/redirect"
+import { redirect } from "remix/response/redirect"
 import { Session } from "remix/session"
 
 import { Document } from "../components/document.tsx"
-import { loadAuth } from "../middleware/auth.ts"
+import { getPostAuthRedirect, getReturnToQuery, passwordProvider } from "../middleware/auth.ts"
 import {
-	authenticateUser,
 	createPasswordResetToken,
 	createUser,
 	getUserByEmail,
 	joinSchema,
-	loginSchema,
 	resetPassword,
 } from "../models/user.ts"
 import { routes } from "../routes.ts"
 import { render } from "../utils/render.ts"
 
 export const auth = {
-	middleware: [loadAuth()],
+	middleware: [],
 	actions: {
 		login: {
 			actions: {
 				index({ get, url }) {
 					let session = get(Session)
 					let error = session.get("error")
-					let formAction = routes.auth.login.action.href(undefined, {
-						returnTo: url.searchParams.get("returnTo"),
-					})
+					let formAction = routes.auth.login.action.href(undefined, getReturnToQuery(url))
 
 					return render(
 						<Document url={url} head={<title>Login - Remix Wordle</title>}>
 							<main class="h-dvh">
-								{error && typeof error === "string" ? (
-									<div class="text-red-500">{error}</div>
-								) : null}
 								<form
 									method="post"
 									class="mx-auto flex h-full w-full max-w-md flex-col items-center justify-center space-y-6 px-8"
 									action={formAction}
-								>
+									>
 									<div class="w-full">
+									{error && typeof error === "string" ? (
+										<div class="text-red-500 mb-1">{error}</div>
+									) : null}
 										<label htmlFor="email" class="block text-sm font-medium text-gray-700">
 											Email address
 										</label>
@@ -90,28 +87,36 @@ export const auth = {
 					)
 				},
 
-				async action({ get, url }) {
-					let session = get(Session)
-					let formData = get(FormData)
-					let result = parse(loginSchema, formData)
-					let returnTo = url.searchParams.get("returnTo")
-
-					let user = await authenticateUser(result.email, result.password)
-					if (!user) {
-						session.flash("error", "Invalid email or password. Please try again.")
-						return redirect(routes.auth.login.index.href(undefined, { returnTo }))
+				async action(context) {
+					try {
+						let user = await verifyCredentials(passwordProvider, context)
+
+						if (user == null) {
+							let session = context.get(Session)
+							session.flash("error", "Invalid email or password. Please try again.")
+							return redirect(
+								routes.auth.login.index.href(undefined, getReturnToQuery(context.url)),
+							)
+						}
+
+						let session = completeAuth(context)
+						session.set("auth", { userId: user.id })
+						return redirect(getPostAuthRedirect(context.url))
+					} catch (error) {
+						let session = context.get(Session)
+						session.flash("error", "We could not complete that sign-in request.")
+						return redirect(routes.auth.login.index.href(undefined, getReturnToQuery(context.url)))
 					}
-
-					session.set("auth", {userId: user.id})
-
-					return redirect(returnTo ?? routes.home.index.href())
 				},
 			},
 		},
 
 		register: {
 			actions: {
-				index({ url }) {
+				index({ get, url }) {
+					let session = get(Session)
+					let error = session.get("error")
+
 					return render(
 						<Document url={url} head={<title>Login - Remix Wordle</title>}>
 							<main class="h-dvh">
@@ -119,7 +124,10 @@ export const auth = {
 									method="POST"
 									action={routes.auth.register.action.href()}
 									class="mx-auto flex h-full w-full max-w-md flex-col items-center justify-center space-y-6 px-8"
-								>
+									>
+									{error && typeof error === "string" ? (
+										<div class="text-red-500 mb-1">{error}</div>
+									) : null}
 									<div class="w-full">
 										<label class="block text-sm font-medium text-gray-700" for="email">
 											Email address
@@ -188,44 +196,23 @@ export const auth = {
 
 					// Check if user already exists
 					if (await getUserByEmail(result.email)) {
-						return render(
-							<Document url={url} head={<title>Login - Remix Wordle</title>}>
-								<div class="card" style="max-width: 500px; margin: 2rem auto;">
-									<div class="alert alert-error">An account with this email already exists.</div>
-									<p>
-										<a href={routes.auth.register.index.href()} class="btn">
-											Back to Register
-										</a>
-										<a
-											href={routes.auth.login.index.href()}
-											class="btn btn-secondary"
-											style="margin-left: 0.5rem;"
-										>
-											Login
-										</a>
-									</p>
-								</div>
-							</Document>,
-							{ status: 400 },
-						)
+						session.flash("error", "An account with this email already exists.")
+						return redirect(routes.auth.register.index.href(undefined, getReturnToQuery(url)))
 					}
 
-					let user = await createUser({
-						email: result.email,
-						username: result.username,
-						password: result.password,
-					})
+					let user = await createUser(result)
 
-					session.set("auth", {auth: user.id})
+					session.set("auth", { userId: user.id })
 
 					return redirect(routes.home.index.href())
 				},
 			},
 		},
 
-		logout({ get }) {
-			let session = get(Session)
-			session.destroy()
+		logout(context) {
+			let session = context.get(Session)
+			session.unset("auth")
+			session.regenerateId(true)
 			return redirect(routes.home.index.href())
 		},
 
diff --git a/app/history/controller.tsx b/app/history/controller.tsx
index ed62c5d..453a9ec 100644
--- a/app/history/controller.tsx
+++ b/app/history/controller.tsx
@@ -1,9 +1,11 @@
+import { Auth, type BadAuth, type GoodAuth } from "remix/auth-middleware"
 import type { Controller } from "remix/fetch-router"
+import { redirect } from "remix/response/redirect"
 
-import { requireAuth } from "../middleware/auth.ts"
+import { getReturnToQuery, requireAuth } from "../middleware/auth.ts"
 import { getGameById, isGameComplete } from "../models/game.ts"
 import { routes } from "../routes.ts"
-import { getCurrentUser } from "../utils/context.ts"
+import type { AuthIdentity } from "../utils/auth-session.ts"
 import { db } from "../utils/db.ts"
 import { render } from "../utils/render.ts"
 import { HistoricalGame } from "./game.tsx"
@@ -15,13 +17,16 @@ import {
 import { GameNotFound } from "./not-found-page.tsx"
 
 export let history = {
-	middleware: [requireAuth()],
+	middleware: [requireAuth],
 	actions: {
-		async index({ url }) {
-			let user = getCurrentUser()
+		async index(context) {
+			let auth = context.get(Auth) as GoodAuth<AuthIdentity> | BadAuth
+			if (auth.ok === false) {
+				return redirect(routes.auth.login.index.href(undefined, getReturnToQuery(context.url)))
+			}
 
 			let games = await db.game.findMany({
-				where: { userId: user.id },
+				where: { userId: auth.identity.user.id },
 				orderBy: { createdAt: "desc" },
 				select: HISTORICAL_GAME_SELECT,
 			})
@@ -30,7 +35,7 @@ export let history = {
 				return createHistoricalGameListItem(game)
 			})
 
-			return render(<HistoricalGameList setup={{ url }} games={formattedGames} />)
+			return render(<HistoricalGameList setup={{ url: context.url }} games={formattedGames} />)
 		},
 
 		async game({ params, url }) {
diff --git a/app/home/controller.tsx b/app/home/controller.tsx
index f986d40..9f181bd 100644
--- a/app/home/controller.tsx
+++ b/app/home/controller.tsx
@@ -1,15 +1,16 @@
+import { Auth, type BadAuth, type GoodAuth } from "remix/auth-middleware"
 import type { Controller } from "remix/fetch-router"
-import { createRedirectResponse } from "remix/response/redirect"
+import { createRedirectResponse, redirect } from "remix/response/redirect"
 import { Session } from "remix/session"
 
 import { REVEAL_WORD, WORD_LENGTH } from "../constants.ts"
-import { requireAuth } from "../middleware/auth.ts"
+import { getReturnToQuery, requireAuth } from "../middleware/auth.ts"
 import { createGuess, getFullBoard, getTodaysGame, isGameComplete } from "../models/game.ts"
 import { routes } from "../routes.ts"
-import { getCurrentUser } from "../utils/context.ts"
+import type { AuthIdentity } from "../utils/auth-session.ts"
+import * as f from "../utils/local-form-schema.ts"
+import * as s from "../utils/local-schema.ts"
 import { render } from "../utils/render.ts"
-import * as f from "./local-form-schema.ts"
-import * as s from "./local-schema.ts"
 import { Page } from "./page.tsx"
 
 export function validLength(length: number): s.Check<Array<string>> {
@@ -37,12 +38,16 @@ export const guessWordSchema = f.object({
 })
 
 export const home = {
-	middleware: [requireAuth()],
+	middleware: [requireAuth],
 	actions: {
-		async action({ get }) {
-			let session = get(Session)
-			let formData = get(FormData)
-			let user = getCurrentUser()
+		async action(context) {
+			let auth = context.get(Auth) as GoodAuth<AuthIdentity> | BadAuth
+			if (auth.ok === false) {
+				return redirect(routes.auth.login.index.href(undefined, getReturnToQuery(context.url)))
+			}
+
+			let session = context.get(Session)
+			let formData = context.get(FormData)
 
 			let data = s.parseSafe(guessWordSchema, formData)
 
@@ -52,7 +57,7 @@ export const home = {
 			}
 
 			let guessedWord = data.value.letters.join("")
-			let error = await createGuess(user.id, guessedWord)
+			let error = await createGuess(auth.identity.user.id, guessedWord)
 
 			if (error) {
 				console.error({ error })
@@ -64,16 +69,20 @@ export const home = {
 			)
 		},
 
-		async index({ get, url }) {
-			let session = get(Session)
-			let user = getCurrentUser()
+		async index(context) {
+			let auth = context.get(Auth) as GoodAuth<AuthIdentity> | BadAuth
+			if (auth.ok === false) {
+				return redirect(routes.auth.login.index.href(undefined, getReturnToQuery(context.url)))
+			}
+
+			let session = context.get(Session)
 
-			let game = await getTodaysGame(user.id)
+			let game = await getTodaysGame(auth.identity.user.id)
 			let board = getFullBoard(game)
 
 			let showModal = isGameComplete(game.status)
 
-			let showWord = showModal || url.searchParams.has(REVEAL_WORD) ? board.word : undefined
+			let showWord = showModal || context.url.searchParams.has(REVEAL_WORD) ? board.word : undefined
 
 			let errorMessage = session.get("error") || undefined
 
@@ -83,7 +92,7 @@ export const home = {
 
 			return render(
 				<Page
-					setup={{ url }}
+					setup={{ url: context.url }}
 					showModal={showModal}
 					showWord={showWord}
 					board={board}
diff --git a/app/middleware/auth.ts b/app/middleware/auth.ts
index 6accc67..38fb427 100644
--- a/app/middleware/auth.ts
+++ b/app/middleware/auth.ts
@@ -1,58 +1,94 @@
-import type { Middleware } from "remix/fetch-router"
-import type { Route } from "remix/fetch-router/routes"
-import { createRedirectResponse as redirect } from "remix/response/redirect"
-import { Session } from "remix/session"
-
-import { getUserById } from "../models/user.ts"
-import { routes } from "../routes.ts"
-import { setCurrentUser } from "../utils/context.ts"
-
-/**
- * Middleware that optionally loads the current user if authenticated.
- * Does not redirect if not authenticated.
- * Attaches user (if any) to context.storage.
- */
-export function loadAuth(): Middleware {
-	return async ({ get }) => {
-		let session = get(Session)
-		let userId = session.get("userId")
-
-		// Only set current user if authenticated
-		if (typeof userId === "string") {
-			let user = await getUserById(userId)
-			if (user) {
-				setCurrentUser(user)
-			}
-		}
-	}
-}
+import bcrypt from "bcryptjs"
+import { createCredentialsAuthProvider } from "remix/auth"
+import {
+	auth,
+	createSessionAuthScheme,
+	requireAuth as requireAuthenticated,
+} from "remix/auth-middleware"
+import { redirect } from "remix/response/redirect"
+
+import { routes } from "../routes"
+import {
+	normalizeEmail,
+	parseAuthSession,
+	type AuthIdentity,
+	type AuthSession,
+} from "../utils/auth-session.ts"
+import { db } from "../utils/db"
+import * as f from "../utils/local-form-schema.ts"
+import * as s from "../utils/local-schema.ts"
+
+const loginSchema = f.object({
+	email: f.field(s.defaulted(s.string(), "")),
+	password: f.field(s.defaulted(s.string(), "")),
+})
 
-export type RequireAuthOptions = {
-	/**
-	 * Where to redirect if the user is not authenticated.
-	 * Defaults to the login page.
-	 */
-	redirectTo?: Route
+export function loadAuth() {
+	return auth({
+		schemes: [
+			createSessionAuthScheme<AuthIdentity, AuthSession>({
+				read(session) {
+					return parseAuthSession(session.get("auth"))
+				},
+				async verify(value) {
+					let user = await db.user.findFirst({ where: { id: value.userId }, omit: { password: true } })
+
+					if (user == null) {
+						return null
+					}
+
+					return { user }
+				},
+			}),
+		],
+	})
 }
 
-/**
- * Middleware that requires a user to be authenticated.
- * Redirects to login if not authenticated.
- * Attaches user to context.storage.
- */
-export function requireAuth(options?: RequireAuthOptions): Middleware {
-	let redirectRoute = options?.redirectTo ?? routes.auth.login.index
-
-	return async ({ get, url }) => {
-		let session = get(Session)
-		let userId = session.get("userId")
-		let user = typeof userId === "string" ? await getUserById(userId) : null
-
-		if (!user) {
-			// Capture the current URL to redirect back to after login
-			return redirect(redirectRoute.href(undefined, { returnTo: url.pathname + url.search }), 302)
+export const passwordProvider = createCredentialsAuthProvider({
+	parse(context) {
+		let result = s.parse(loginSchema, context.get(FormData))
+
+		return {
+			email: normalizeEmail(result.email),
+			password: result.password,
+		}
+	},
+	async verify(input) {
+		let user = await db.user.findFirst({ where: { email: input.email } })
+
+		if (user == null) {
+			return null
 		}
 
-		setCurrentUser(user)
+		if (typeof user.password === "string" && user.password !== "") {
+			let verified = await bcrypt.compare(input.password, user.password)
+			return verified ? user : null
+		}
+
+		return null
+	},
+})
+
+export const requireAuth = requireAuthenticated<AuthIdentity>({
+	onFailure() {
+		return redirect(routes.auth.login.index.href())
+	},
+})
+
+export function getPostAuthRedirect(url: URL, fallback = routes.home.index.href()): string {
+	return getSafeReturnTo(url.searchParams.get("returnTo")) ?? fallback
+}
+
+export function getReturnToQuery(url: URL): { returnTo?: string } {
+	let returnTo = getSafeReturnTo(url.searchParams.get("returnTo"))
+	return returnTo ? { returnTo } : {}
+}
+
+function getSafeReturnTo(returnTo: string | null): string | undefined {
+	if (returnTo == null || returnTo === "") {
+		return undefined
 	}
+
+	let isSafePath = returnTo.startsWith("/") && returnTo.startsWith("//") === false
+	return isSafePath ? returnTo : undefined
 }
diff --git a/app/models/user.ts b/app/models/user.ts
index e9efba5..25e24b3 100644
--- a/app/models/user.ts
+++ b/app/models/user.ts
@@ -5,24 +5,13 @@ import * as f from "remix/data-schema/form-data"
 
 import type { User } from "../generated/prisma/client"
 import { db } from "../utils/db"
+
 export const joinSchema = f.object({
 	email: f.field(s.string().pipe(email())),
 	username: f.field(s.string().pipe(minLength(1))),
 	password: f.field(s.string().pipe(minLength(10))),
 })
 
-export type JoinData = s.InferOutput<typeof joinSchema>
-export type LoginData = s.InferOutput<typeof loginSchema>
-
-export const loginSchema = f.object({
-	email: f.field(s.string().pipe(email())),
-	password: f.field(s.string().pipe(minLength(10))),
-})
-
-export async function getUserById(id: User["id"]) {
-	return db.user.findUnique({ where: { id } })
-}
-
 export async function getUserByEmail(email: User["email"]) {
 	return db.user.findUnique({ where: { email } })
 }
diff --git a/app/router.ts b/app/router.ts
index 95ceed6..5f153a1 100644
--- a/app/router.ts
+++ b/app/router.ts
@@ -12,6 +12,7 @@ import { auth } from "./auth/controller.tsx"
 import { health } from "./health/controller.tsx"
 import { history } from "./history/controller.tsx"
 import { home } from "./home/controller.tsx"
+import { loadAuth } from "./middleware/auth.ts"
 import { securityHeaders } from "./middleware/security.ts"
 import { routes } from "./routes.ts"
 import { sessionCookie, sessionStorage } from "./utils/session.ts"
@@ -39,9 +40,6 @@ middleware.push(session(sessionCookie, sessionStorage))
 middleware.push(asyncContext())
 middleware.push(
 	securityHeaders({
-		skip(context) {
-			return context.method !== "GET"
-		},
 		"Content-Security-Policy": {
 			"default-src": [NONE],
 			"script-src": [SELF],
@@ -57,6 +55,7 @@ middleware.push(
 		"Referrer-Policy": "strict-origin-when-cross-origin",
 	}),
 )
+middleware.push(loadAuth())
 
 export let router = createRouter({ middleware })
 
diff --git a/app/utils/auth-session.ts b/app/utils/auth-session.ts
new file mode 100644
index 0000000..5310008
--- /dev/null
+++ b/app/utils/auth-session.ts
@@ -0,0 +1,32 @@
+import type { User } from "../generated/prisma/client.ts"
+import * as s from "../utils/local-schema.ts"
+
+export function normalizeEmail(email: string): string {
+	return email.trim().toLowerCase()
+}
+
+export interface AuthSession {
+	userId: string
+}
+
+export interface AuthIdentity {
+	user: Omit<User, "password">
+}
+
+const authSessionSchema = s.object({
+	userId: s.string(),
+})
+
+export function parseAuthSession(value: unknown): AuthSession | null {
+	let result = s.parseSafe(authSessionSchema, value)
+
+	if (result.success === false) {
+		return null
+	}
+
+	let authSession = {
+		userId: result.value.userId,
+	} satisfies AuthSession
+
+	return authSession
+}
diff --git a/app/utils/context.ts b/app/utils/context.ts
deleted file mode 100644
index 9318117..0000000
--- a/app/utils/context.ts
+++ /dev/null
@@ -1,22 +0,0 @@
-import { getContext } from "remix/async-context-middleware"
-import { createContextKey } from "remix/fetch-router"
-
-import type { User } from "../generated/prisma/client"
-
-let USER_KEY = createContextKey<User>()
-
-export function getCurrentUser(): User {
-	return getContext().get(USER_KEY)
-}
-
-export function getCurrentUserSafely(): User | null {
-	try {
-		return getCurrentUser()
-	} catch {
-		return null
-	}
-}
-
-export function setCurrentUser(user: User): void {
-	getContext().set(USER_KEY, user)
-}
diff --git a/app/home/local-form-schema.ts b/app/utils/local-form-schema.ts
similarity index 100%
rename from app/home/local-form-schema.ts
rename to app/utils/local-form-schema.ts
diff --git a/app/home/local-schema.ts b/app/utils/local-schema.ts
similarity index 99%
rename from app/home/local-schema.ts
rename to app/utils/local-schema.ts
index 12619f1..00baa4e 100644
--- a/app/home/local-schema.ts
+++ b/app/utils/local-schema.ts
@@ -695,6 +695,7 @@ export function object<shape extends ObjectShape>(
 		let unknownKeys = options?.unknownKeys ?? "strip"
 
 		for (let key of Object.keys(shape)) {
+			// @ts-expect-error
 			let result = shape[key]["~run"](input[key], {
 				path: withPath(context.path, key),
 				options: context.options,
@@ -967,6 +968,7 @@ export function tuple<items extends Schema<any, any>[]>(
 		let max = Math.min(value.length, items.length)
 
 		while (index < max) {
+			// @ts-expect-error
 			let result = items[index]["~run"](value[index], {
 				path: withPath(context.path, index),
 				options: context.options,
@@ -1066,6 +1068,7 @@ export function variant<
 		}
 
 		let schema = variants[tag as keyof variants]
+		// @ts-expect-error
 		return schema["~run"](value, context)
 	})
 }