diff --git a/app/controllers/login_controller.rb b/app/controllers/login_controller.rb
index ec4f6f9..b6db000 100644
--- a/app/controllers/login_controller.rb
+++ b/app/controllers/login_controller.rb
@@ -47,33 +47,62 @@ class LoginController < ApplicationController
 end
 
 if user.has_2fa?
- session[:twofa_u] = user.session_token
- return redirect_to "/login/2fa"
- end
-
- session[:u] = user.session_token
-
- if (rd = session[:redirect_to]).present?
- session.delete(:redirect_to)
- return redirect_to rd
- elsif params[:referer].present?
- begin
- ru = URI.parse(params[:referer])
- if ru.host == Rails.application.domain
- return redirect_to ru.to_s
+ if params[:totp].present?
+ if !user.authenticate_totp(params[:totp])
+ raise "invalid TOTP code"
+ end
+ else
+ return respond_to do |format|
+ format.html {
+ session[:twofa_u] = user.session_token
+ redirect_to "/login/2fa"
+ }
+ format.json {
+ render :json => { :status => 0,
+ :error => "must supply totp parameter" }
+ }
 end
- rescue => e
- Rails.logger.error "error parsing referer: #{e}"
 end
 end
 
- return redirect_to "/"
+ return respond_to do |format|
+ format.html {
+ session[:u] = user.session_token
+
+ if (rd = session[:redirect_to]).present?
+ session.delete(:redirect_to)
+ return redirect_to rd
+ elsif params[:referer].present?
+ begin
+ ru = URI.parse(params[:referer])
+ if ru.host == Rails.application.domain
+ return redirect_to ru.to_s
+ end
+ rescue => e
+ Rails.logger.error "error parsing referer: #{e}"
+ end
+ end
+
+ redirect_to "/"
+ }
+ format.json {
+ render :json => { :status => 1, :username => user.username }
+ }
+ end
 rescue
 end
 
- flash.now[:error] = I18n.t 'controllers.login_controller.flashlogininvalid'
- @referer = params[:referer]
- index
+ respond_to do |format|
+ format.html {
+ flash.now[:error] = I18n.t 'controllers.login_controller.flashlogininvalid'
+ @referer = params[:referer]
+ index
+ }
+ format.json {
+ render :json => { :status => 0,
+ :error => "invalid 'email' and/or 'password' parameter" }
+ }
+ end
 end
 
 def forgot_password
diff --git a/config/routes.rb b/config/routes.rb
index 972e4d4..c29a765 100644
--- a/config/routes.rb
+++ b/config/routes.rb
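Review bot: The JSON success branch near the end of the login path renders `{ :status => 1, :username => user.username }` but never sets `session[:u]`, because the `session[:u] = user.session_token` assignment now lives only inside `format.html`, so a JSON client is told it logged in while no session is established. If that is intended (credential verification only, no session for API callers), a comment on the `format.json` block saying so would prevent a later change from silently turning this into a session-issuing endpoint; otherwise hoist the assignment above `return respond_to do |format|` so both formats share it. The `return redirect_to rd` / `return redirect_to ru.to_s` statements inside the `format.html { ... }` braces rely on non-lambda block semantics to leave the enclosing method, which works under `respond_to` but deserves a one-line comment. Nothing in the hunk throttles repeated TOTP attempts on this machine-friendly JSON path, so unless `authenticate_totp` itself rate-limits or rejects reused codes (not visible here), that is worth confirming on the model. The enclosing `login` method begins before this hunk.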
@@ -30,7 +30,7 @@ Lobsters::Application.routes.draw do
 get "/threads/:user" => "comments#threads"
 get "/login" => "login#index"
- post "/login" => "login#login"
+ post "/login" => "login#login", :format => /html|json/
 post "/logout" => "login#logout"
 get "/login/2fa" => "login#twofa"
 post "/login/2fa_verify" => "login#twofa_verify", :as => "twofa_login"