diff --git a/src/app/api/login/route.ts b/src/app/api/login/route.ts
index 3afca94..38341b5 100644
--- a/src/app/api/login/route.ts
+++ b/src/app/api/login/route.ts
@@ -23,8 +23,6 @@ export async function POST(req: Request) {
   });
 
   if (user && bcryptjs.compareSync(password, user.passwordHash)) {
-    // todo remove password from returned user
-
     // get user and relations
     user = await prisma.user.findUnique({
       where: { id: user.id },
@@ -42,6 +40,7 @@ export async function POST(req: Request) {
         },
       },
     });
+    const { passwordHash, ...userSansHash } = user!;
 
     const secret = new TextEncoder().encode(env.JWT_SECRET_KEY);
     const token = await new SignJWT({ userId: user!.id })
@@ -49,7 +48,7 @@ export async function POST(req: Request) {
       .setExpirationTime("2w")
       .sign(secret);
 
-    const response = NextResponse.json({ message: "Login successful!", user, token }, { status: 200 });
+    const response = NextResponse.json({ message: "Login successful!", user: userSansHash, token }, { status: 200 });
     response.cookies.set("jwt", token, {
       httpOnly: true,
       secure: process.env.NODE_ENV === "production",
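Review bot: The added `const { passwordHash, ...userSansHash } = user!;` throws a TypeError (a 500 response) if the re-fetch by id returns null, and the `!` only hides that; the first lookup proved the row existed, but `findUnique` can still return null if it is removed between the two queries. A narrowing check before the destructuring, `if (!user) return NextResponse.json({ message: "Invalid credentials" }, { status: 401 });` (matching whatever failure response the handler already uses for a bad login), would let both `!` assertions go. The unused `passwordHash` binding also trips `noUnusedLocals`/`@typescript-eslint/no-unused-vars` unless `ignoreRestSiblings` is enabled, and only the top-level field is stripped — if any of the included relations carry their own `passwordHash` (not visible here) they still go out; a Prisma `select` on the second query that simply leaves `passwordHash` out avoids both. The body of `POST` starts and ends outside this hunk.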
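Review bot: The rewritten response line still returns `token` in the JSON body while the same token is set as an `httpOnly` cookie on the next line, so any script that can read the login response obtains the session token and the `httpOnly` flag protects little; if the cookie is the intended transport, `NextResponse.json({ message: "Login successful!", user: userSansHash }, { status: 200 })` and let the cookie carry the token. If some non-browser caller genuinely needs the token in the body, a one-line comment above this line naming that consumer would keep the next reviewer from raising it again. The remaining `cookies.set` options and the end of `POST` are outside the hunk.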