diff --git a/components/admin/Settings.vue b/components/admin/Settings.vue index d32b5d54..29946cf9 100644 --- a/components/admin/Settings.vue +++ b/components/admin/Settings.vue @@ -2,6 +2,7 @@ div el-form(inline label-width="400px") //- select timezone + client-only el-form-item(:label="$t('admin.select_instance_timezone')") el-select(v-model='instance_timezone' filterable) el-option(v-for='timezone in timezones' :key='timezone.value' :value='timezone.value') diff --git a/nuxt.config.js b/nuxt.config.js index 84a65c02..7456a37c 100644 --- a/nuxt.config.js +++ b/nuxt.config.js @@ -63,7 +63,7 @@ module.exports = { endpoints: { login: { url: '/auth/login', method: 'post', propertyName: 'token' }, logout: false, - user: { url: '/auth/user', method: 'get', propertyName: false } + user: false }, tokenRequired: true, tokenType: 'Bearer' diff --git a/server/api/auth.js b/server/api/auth.js index 10a669b8..b789c751 100644 --- a/server/api/auth.js +++ b/server/api/auth.js @@ -2,16 +2,10 @@ const { Op } = require('sequelize') const { user: User } = require('./models') const Auth = { - async fillUser (req, res, next) { - if (!req.user) { return next() } - req.user = await User.findOne({ - where: { id: { [Op.eq]: req.user.id }, is_active: true } - }).catch(e => { - res.sendStatus(404) - return next(false) - }) - next() - }, + + /** isAuth middleware + * req.user is filled in server/helper.js#initMiddleware + */ async isAuth (req, res, next) { if (!req.user) { return res @@ -29,6 +23,8 @@ const Auth = { } next() }, + + /** isAdmin middleware */ isAdmin (req, res, next) { if (!req.user) { return res diff --git a/server/api/index.js b/server/api/index.js index 9e28c1c4..aa01a93b 100644 --- a/server/api/index.js +++ b/server/api/index.js 
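Review bot: The new doc comment on `isAuth` points to `server/helper.js#initMiddleware`, but the file this commit changes is `server/helpers.js`, so the reference should read `req.user is filled in server/helpers.js#initMiddleware`. With `fillUser` removed, the `Op` and `User` requires kept as context at the top of the file may no longer be used. The body of `isAuth` is only partly visible in this hunk, so check it before dropping them.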
@@ -5,7 +5,7 @@ const bodyParser = require('body-parser') const expressJwt = require('express-jwt') const config = require('config') -const { fillUser, isAuth, isAdmin } = require('./auth') +const { isAuth, isAdmin } = require('./auth') const eventController = require('./controller/event') const exportController = require('./controller/export') const userController = require('./controller/user') @@ -21,16 +21,9 @@ api.use(cookieParser()) api.use(bodyParser.urlencoded({ extended: false })) api.use(bodyParser.json()) -// const jwt = expressJwt({ -// secret: config.secret, -// credentialsRequired: false -// }) - -// api.use(jwt) - // AUTH api.post('/auth/login', userController.login) -api.get('/auth/user', fillUser, userController.current) +api.get('/auth/user', userController.current) api.post('/user/recover', userController.forgotPassword) api.post('/user/check_recover_code', userController.checkRecoverCode) 
@@ -38,28 +31,24 @@ api.post('/user/recover_password', userController.updatePasswordWithRecoverCode) // register and add users api.post('/user/register', userController.register) -api.post('/user', isAuth, isAdmin, userController.create) +api.post('/user', isAdmin, userController.create) // update user api.put('/user', isAuth, userController.update) // delete user -api.delete('/user/:id', isAuth, isAdmin, userController.remove) +api.delete('/user/:id', isAdmin, userController.remove) -// // api.delete('/user', userController.remove) // get all users -api.get('/users', isAuth, isAdmin, userController.getAll) - -// update a tag (modify color) -api.put('/tag', isAuth, isAdmin, eventController.updateTag) +api.get('/users', isAdmin, userController.getAll) // update a place (modify address..) -api.put('/place', isAuth, isAdmin, eventController.updatePlace) +api.put('/place', isAdmin, eventController.updatePlace) // add event -api.post('/user/event', fillUser, upload.single('image'), userController.addEvent) +api.post('/user/event', upload.single('image'), userController.addEvent) // update event api.put('/user/event', isAuth, upload.single('image'), userController.updateEvent) @@ -71,14 +60,14 @@ api.delete('/user/event/:id', isAuth, userController.delEvent) api.get('/event/meta', eventController.getMeta) // get unconfirmed events -api.get('/event/unconfirmed', isAuth, isAdmin, eventController.getUnconfirmed) +api.get('/event/unconfirmed', isAdmin, eventController.getUnconfirmed) // add event notification api.post('/event/notification', eventController.addNotification) api.delete('/event/notification/:code', eventController.delNotification) api.get('/settings', settingsController.getAllRequest) -api.post('/settings', fillUser, isAdmin, settingsController.setRequest) +api.post('/settings', isAdmin, settingsController.setRequest) api.get('/settings/user_locale', settingsController.getUserLocale) 
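Review bot: The admin routes in this hunk (`POST /user`, `DELETE /user/:id`, `GET /users`, `PUT /place`) are now guarded by `isAdmin` alone, so each of them depends on `req.user` having been loaded from the database before this router runs, and nothing in this file says so. The same applies to `/event/unconfirmed` and `/settings` in the following hunk. A comment above the first of these routes would make the ordering requirement explicit, e.g. `// isAdmin relies on req.user set by initMiddleware (server/helpers.js); mount this router after it`. The body of `isAdmin` is only partly visible in this commit, so it is worth confirming that it tests the admin flag on the database row rather than on claims carried in the token.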
@@ -87,7 +76,7 @@ api.get('/event/confirm/:event_id', isAuth, eventController.confirm) api.get('/event/unconfirm/:event_id', isAuth, eventController.unconfirm) // get event -api.get('/event/:event_id.:format?', fillUser, eventController.get) +api.get('/event/:event_id.:format?', eventController.get) // export events (rss/ics) api.get('/export/:type', exportController.export) diff --git a/server/helpers.js b/server/helpers.js index 1c3c9721..fa79995d 100644 --- a/server/helpers.js +++ b/server/helpers.js @@ -1,10 +1,11 @@ const settingsController = require('./api/controller/settings') +const { user: User } = require('./api/models') +const { Op } = require('sequelize') const acceptLanguage = require('accept-language') const expressJwt = require('express-jwt') -const debug = require('debug') const moment = require('moment-timezone') const config = require('config') -const package = require('../package.json') +const pkg = require('../package.json') const jwt = expressJwt({ secret: config.secret, @@ -22,17 +23,14 @@ const jwt = expressJwt({ module.exports = { initMiddleware (req, res, next) { - // initialize settings req.settings = settingsController.settings req.secretSettings = settingsController.secretSettings - // const package = require('../package.json') - req.settings.baseurl = config.baseurl req.settings.title = config.title req.settings.description = config.description - req.settings.version = package.version + req.settings.version = pkg.version // set locale and user locale const acceptedLanguages = req.headers['accept-language'] @@ -43,9 +41,11 @@ module.exports = { moment.locale(req.settings.locale) // auth - jwt(req, res, () => { + jwt(req, res, async () => { + if (!req.user) { return next() } + req.user = await User.findOne({ + where: { id: { [Op.eq]: req.user.id }, is_active: true } }) next() }) - } -} \ No newline at end of file +} diff --git a/server/routes.js b/server/routes.js index eefa1387..38add6ea 100644 --- a/server/routes.js 
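Review bot: The callback passed to `jwt(...)` in `initMiddleware` is now `async` and awaits `User.findOne` with no error handling, so a failed lookup becomes an unhandled promise rejection and `next()` is never called, leaving the request hanging. The removed `fillUser` at least had a `.catch`. Wrap the lookup in try/catch and pass the error to `next`. The catch branch should also clear `req.user`, because at that point it still holds the decoded token payload, which has not been checked against `is_active`.

```javascript
  if (!req.user) { return next() }
  try {
    // … unchanged: req.user = await User.findOne({ … }) …
  } catch (e) {
    req.user = null // never continue with the unverified token payload
    return next(e)
  }
  next()
```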
+++ b/server/routes.js @@ -3,6 +3,7 @@ const config = require('config') const express = require('express') const cors = require('cors') const api = require('./api') +const cookieParser = require('cookie-parser') const federation = require('./federation') const webfinger = require('./federation/webfinger') const { spamFilter } = require('./federation/helpers') @@ -24,6 +25,7 @@ router.use('/favicon.ico', express.static(path.resolve(config.favicon || './asse router.use('/media/', express.static(config.upload_path)) // get instance settings +router.use(cookieParser()) router.use(helpers.initMiddleware) // rss/ics/atom feed diff --git a/store/index.js b/store/index.js index f4ba22c9..c1ad7210 100644 --- a/store/index.js +++ b/store/index.js @@ -149,6 +149,9 @@ export const actions = { // this method is called server side only for each request // we use it to get configuration from db, setting locale, etc... nuxtServerInit ({ commit }, { app, store, req }) { + if (req.user) { + this.$auth.setUser(req.user) + } const settings = req.settings commit('setSettings', settings) // apply settings
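Review bot: Registering `cookieParser()` immediately before `helpers.initMiddleware` suggests the JWT is now also read from a cookie, although the token extraction in server/helpers.js is outside the visible hunks. If that is the case, state-changing routes such as `POST /settings` and `DELETE /user/:id` are authenticated by a credential the browser attaches automatically and need CSRF protection, for example a SameSite cookie attribute or requiring the Authorization header for non-GET requests. `cookieParser()` is also still registered in server/api/index.js, so one of the two calls is probably redundant.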
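Review bot: `this.$auth.setUser(req.user)` in `nuxtServerInit` stores the whole object returned by `User.findOne`, and store state set during server rendering is serialized into the HTML sent to the browser. The lookup in server/helpers.js selects every column, so unless the model strips them when serialized, fields such as a password hash or recovery code would end up in the page source. Pass only the fields the UI needs at this call, or restrict the query with Sequelize's `attributes: { exclude: [...] }` option listing the sensitive columns. `nuxtServerInit` continues past the end of this hunk.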