diff --git a/app.py b/app.py
index 9d6bf0a..b9524fa 100644
--- a/app.py
+++ b/app.py
@@ -17,6 +17,7 @@ from application import db, app, login_manager
 from application.admin.routes import admin_bp
 from application.user.routes import user_bp
 from application.add_meal.routes import bp as add_meal_bp
+from application.auth.routes import bp as auth_bp
 from typing import Optional
 
 # Config
@@ -34,6 +35,7 @@ def load_user(user_id: int):
 app.register_blueprint(admin_bp)
 app.register_blueprint(user_bp)
 app.register_blueprint(add_meal_bp)
+app.register_blueprint(auth_bp)
 
 
 # Routes
diff --git a/application/auth/routes.py b/application/auth/routes.py
new file mode 100644
index 0000000..20aa991
--- /dev/null
+++ b/application/auth/routes.py
@@ -0,0 +1,13 @@
+from flask import (
+    Blueprint,
+)
+from application.utils import login_required
+
+bp = Blueprint(
+    "user",
+    __name__,
+    template_folder="templates",
+)
+
+
+bp.before_request(login_required)
diff --git a/application/user/routes.py b/application/user/routes.py
index 42b64dd..cb7bd20 100644
--- a/application/user/routes.py
+++ b/application/user/routes.py
@@ -12,6 +12,7 @@ from application import db
 from forms import FoodItemForm
 from models import FoodItem, FoodLog
 from datetime import datetime, timezone, timedelta
+from application.utils import login_required
 
 user_bp = Blueprint(
     "user",
@@ -20,10 +21,7 @@ user_bp = Blueprint(
 )
 
 
-@user_bp.before_request
-def login_required():
-    if not current_user.is_authenticated:
-        return redirect(url_for("login"))
+user_bp.before_request(login_required)
 
 
 @user_bp.route("/dashboard", methods=["GET"])
diff --git a/application/utils.py b/application/utils.py
new file mode 100644
index 0000000..aecb0a9
--- /dev/null
+++ b/application/utils.py
@@ -0,0 +1,11 @@
+from flask_login import current_user
+from flask import redirect, url_for, flash
+
+
+def login_required():
+    if not current_user.is_authenticated:
+        return redirect(url_for("auth.login"))
+    if current_user.must_change_password:
+        flash("You have to change your password")
+        return redirect(url_for("auth.change_password"))
+    return