diff --git a/undercover/__init__.py b/undercover/__init__.py
index 9e24620..8f93f33 100644
--- a/undercover/__init__.py
+++ b/undercover/__init__.py
@@ -13,14 +13,14 @@ def create_app(test_config=None):
 
     app = Flask(__name__, instance_relative_config=True)
     app.config.from_mapping(
-        SECRET_KEY='dev',
-        DATABASE=os.path.join(app.instance_path, 'undercover.sqlite'),
+        SECRET_KEY=os.environ['UNDERCOVER_SECRET_KEY'],
+        # DATABASE=os.path.join(app.instance_path, 'undercover.sqlite'),
     )
 
-    if test_config is None:
-        app.config.from_pyfile('config.py', silent=True)
-    else:
-        app.config.from_mapping(test_config)
+    # if test_config is None:
+    #     app.config.from_pyfile('config.py', silent=True)
+    # else:
+    #     app.config.from_mapping(test_config)
 
     os.makedirs(app.instance_path, exist_ok=True)
 
diff --git a/undercover/routes.py b/undercover/routes.py
index d36ce79..7b40925 100644
--- a/undercover/routes.py
+++ b/undercover/routes.py
@@ -5,7 +5,7 @@ import subprocess
 import threading
 import urllib.parse
 
-from flask import (Blueprint, render_template, request, make_response)
+from flask import (Blueprint, render_template, request, make_response, session, redirect)
 from wtforms import Form, StringField, TextAreaField, validators
 
 import undercover.db as db
@@ -63,6 +63,15 @@ class CLForm(Form):
     )
 
 
+@writing_blueprint.route('/login', methods=['POST'])
+def login_post():
+    username = request.form['username']
+    if db.login(username, request.form['password']):
+        session['username'] = username
+        return redirect('/')
+    return make_response("", 401)
+
+
 @writing_blueprint.route('/', methods=['GET'])
 def index_get():
     global index_cache