diff --git a/lib/dyndnsd.rb b/lib/dyndnsd.rb
index 477b85b..efc5cb4 100644
--- a/lib/dyndnsd.rb
+++ b/lib/dyndnsd.rb
@@ -45,6 +45,15 @@ module Dyndnsd
 (@db.save; @updater.update(@db)) if @db.changed?
 end
 
+ def is_authorized?(username, password)
+ allow = ((@users.has_key? username) and (@users[username]['password'] == password))
+ if not allow
+ Dyndnsd.logger.warn "Login failed for #{username}"
+ Metriks.meter('requests.auth_failed').mark
+ end
+ allow
+ end
+
 def call(env)
 return [422, {'X-DynDNS-Response' => 'method_forbidden'}, []] if env["REQUEST_METHOD"] != "GET"
 return [422, {'X-DynDNS-Response' => 'not_found'}, []] if env["PATH_INFO"] != "/nic/update"
@@ -219,17 +228,10 @@ module Dyndnsd
 # configure daemon
 db = Database.new(config['db'])
 updater = Updater::CommandWithBindZone.new(config['domain'], config['updater']['params']) if config['updater']['name'] == 'command_with_bind_zone'
+ daemon = Daemon.new(config, db, updater)
 
 # configure rack
- app = Daemon.new(config, db, updater)
- app = Rack::Auth::Basic.new(app, "DynDNS") do |user,pass|
- allow = ((config['users'].has_key? user) and (config['users'][user]['password'] == pass))
- if not allow
- Dyndnsd.logger.warn "Login failed for #{user}"
- Metriks.meter('requests.auth_failed').mark
- end
- allow
- end
+ app = Rack::Auth::Basic.new(daemon, "DynDNS", &daemon.method(:is_authorized?))
 
 if config['responder'] == 'RestStyle'
 app = Responder::RestStyle.new(app)
diff --git a/spec/daemon_spec.rb b/spec/daemon_spec.rb
index e72a53b..a24f24f 100644
--- a/spec/daemon_spec.rb
+++ b/spec/daemon_spec.rb
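Review bot: `is_authorized?` in lib/dyndnsd.rb compares the submitted password with `==`, which returns at the first differing byte, so the response time of this unauthenticated endpoint depends on how much of the password matched. Rack already ships a constant-time helper; the comparison could read `Rack::Utils.secure_compare(@users[username]['password'], password)`, guarded so that a user entry without a string password is still rejected rather than raising. The warning line also writes the client-supplied name verbatim, and `"Login failed for #{username.inspect}"` would keep control characters out of the log. `@users` is presumably assigned in `Daemon#initialize`, which is outside this hunk.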
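Review bot: `&daemon.method(:is_authorized?)` in the rack setup of lib/dyndnsd.rb hands Rack::Auth::Basic a lambda with strict arity, where the removed `do |user,pass|` block was a proc that tolerated missing arguments. Rack calls the authenticator with the decoded credentials splatted, so on Rack versions that do not already reject a Basic header without a `:` separator, such a request would presumably raise ArgumentError and surface as a 500 instead of a 401. Passing a block keeps the old tolerance: `app = Rack::Auth::Basic.new(daemon, "DynDNS") { |user, pass| daemon.is_authorized?(user, pass) }`. The same binding is used in the setup in spec/daemon_spec.rb, and a spec sending a malformed Authorization header would pin the behaviour.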
@@ -18,11 +18,9 @@ describe Dyndnsd::Daemon do } db = Dyndnsd::DummyDatabase.new({}) updater = Dyndnsd::Updater::Dummy.new - app = Dyndnsd::Daemon.new(config, db, updater) + daemon = Dyndnsd::Daemon.new(config, db, updater) - app = Rack::Auth::Basic.new(app, "DynDNS") do |user,pass| - (config['users'].has_key? user) and (config['users'][user]['password'] == pass) - end + app = Rack::Auth::Basic.new(daemon, "DynDNS", &daemon.method(:is_authorized?)) app = Dyndnsd::Responder::DynDNSStyle.new(app) end
@@ -33,6 +31,13 @@ describe Dyndnsd::Daemon do
 expect(last_response.body).to eq('badauth')
 end
 
+ it 'requires configured correct credentials' do
+ authorize 'test', 'wrongsecret'
+ get '/'
+ expect(last_response.status).to eq(401)
+ expect(last_response.body).to eq('badauth')
+ end
+
 it 'only supports GET requests' do
 authorize 'test', 'secret'
 post '/nic/update'
@@ -94,6 +99,7 @@ describe Dyndnsd::Daemon do it 'rejects request if user does not own one hostname' do authorize 'test', 'secret' + get '/nic/update?hostname=notmyhost.example.org' expect(last_response).to be_ok expect(last_response.body).to eq('nohost')
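Review bot: The new example 'requires configured correct credentials' in spec/daemon_spec.rb only exercises a wrong password for the configured user `test`; the other branch of `is_authorized?`, a username that is not configured at all, is not covered by anything visible in this diff. A sibling example using `authorize 'unknown', 'secret'` with the same 401 and `badauth` expectations would cover it. The example also requests `/` rather than `/nic/update`, so a short comment such as `# path is irrelevant: authentication is checked before routing` would help the next reader.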