diff --git a/app.js b/app.js
index 147081f..deb5d6d 100644
--- a/app.js
+++ b/app.js
@@ -53,6 +53,7 @@ app.use((error, req, res, next) => {
       res.status(400);
       res.json({ success: false, error });
       break;
+    case 'AuthenticationError':
     case 'UnauthorizedError':
       res.status(401);
       res.json({ success: false, error });
diff --git a/models/TodoList.js b/models/TodoList.js
index 428a6d7..7c5abcd 100644
--- a/models/TodoList.js
+++ b/models/TodoList.js
@@ -22,12 +22,20 @@ TodoListSchema.pre('save', async function () {
 TodoListSchema.pre('remove', async function () {
   const user = await this.model('User').findById(this.user);
   user.lists.splice(user.lists.indexOf(this._id), 1);
-  await user.save();
 
+  // removing todos in parallel can cause VersionError
+  // so we remove todos from user
   const todos = await this.model('Todo')
     .find({ list: this._id })
     .exec();
-  await Promise.all(todos.map(todo => todo.remove()));
+  const ids = todos.map(todo => todo._id);
+  user.todos = user.todos.filter(todo => ids.includes(todo._id));
+  await user.save();
+  // and remove them from db
+  await this.model('Todo')
+    .find({ list: this._id })
+    .remove()
+    .exec();
 });
 
 TodoListSchema.methods.toJson = function () {
diff --git a/models/User.js b/models/User.js
index 7b57c8e..c8f9ccd 100644
--- a/models/User.js
+++ b/models/User.js
@@ -22,10 +22,14 @@ UserSchema.plugin(passportLocalMongoose);
 UserSchema.plugin(uniqueValidator);
 
 UserSchema.pre('remove', async function () {
-  const lists = await this.model('TodoList')
+  await this.model('TodoList')
     .find({ user: this._id })
+    .remove()
+    .exec();
+  await this.model('Todo')
+    .find({ user: this._id })
+    .remove()
     .exec();
-  await Promise.all(lists.map(list => list.remove()));
 });
 
 UserSchema.methods.generateJwt = function () {
diff --git a/routes/users.js b/routes/users.js
index 6ebe8e9..87f9d76 100644
--- a/routes/users.js
+++ b/routes/users.js
@@ -69,7 +69,7 @@ router.delete(
 
 router.post(
   '/login',
-  passport.authenticate('local', { session: false }),
+  passport.authenticate('local', { session: false, failWithError: true }),
   asyncHelper(async (req, res) => {
     res.json({ success: true, data: req.user.toAuthJson() });
   }),
diff --git a/tests/integration/users.test.js b/tests/integration/users.test.js
index 6196712..2295afa 100644
--- a/tests/integration/users.test.js
+++ b/tests/integration/users.test.js
@@ -117,7 +117,7 @@ describe('test users', () => {
       })
       .set('Content-Type', 'application/json')
       .set('Accept', 'application/json')
-      .expect(400);
+      .expect(401);
   });
   test('should not login user with wrong password', async () => {
     await request(server)