diff --git a/lib/login.php b/lib/login.php
index 1a92bdc..326deae 100644
--- a/lib/login.php
+++ b/lib/login.php
@@ -213,7 +213,7 @@ function doLoginUser($username) {
     }
 
     $resp = json_decode($response->getBody(), TRUE);
-    var_dump($resp);
+    
     if ($resp['status'] == "OK") {
         $userinfo = $resp['data'];
         $_SESSION['username'] = $username;
diff --git a/mobile/index.php b/mobile/index.php
index 742ae4b..379d740 100644
--- a/mobile/index.php
+++ b/mobile/index.php
@@ -38,6 +38,31 @@ function mobile_enabled() {
     }
 }
 
+function mobile_valid($username, $code) {
+    $client = new GuzzleHttp\Client();
+
+    $response = $client
+            ->request('POST', PORTAL_API, [
+        'form_params' => [
+            'key' => PORTAL_KEY,
+            "code" => $code,
+            "username" => $username,
+            'action' => "mobilevalid"
+        ]
+    ]);
+
+    if ($response->getStatusCode() > 299) {
+        return false;
+    }
+
+    $resp = json_decode($response->getBody(), TRUE);
+    if ($resp['status'] == "OK" && $resp['valid'] === TRUE) {
+        return true;
+    } else {
+        return false;
+    }
+}
+
 if (mobile_enabled() !== TRUE) {
     exit(json_encode(["status" => "ERROR", "msg" => lang("mobile login disabled", false)]));
 }
@@ -49,11 +74,9 @@ if (is_empty($VARS['username']) || is_empty($VARS['key'])) {
 }
 
 // Make sure the username and key are actually legit
-$user_key_valid = $database->has('mobile_codes', ['[>]accounts' => ['uid' => 'uid']], ["AND" => ['mobile_codes.code' => $VARS['key'], 'accounts.username' => $VARS['username']]]);
-if ($user_key_valid !== TRUE) {
+if (!mobile_valid($VARS['username'], $VARS['key'])) {
     engageRateLimit();
     http_response_code(401);
-    insertAuthLog(21, null, "Username: " . $VARS['username'] . ", Key: " . $VARS['key']);
     die(json_encode(["status" => "ERROR", "msg" => "Invalid username and/or access key."]));
 }
 
@@ -64,8 +87,12 @@ switch ($VARS['action']) {
         if (user_exists($VARS['username'])) {
             if (get_account_status($VARS['username']) == "NORMAL") {
                 if (authenticate_user($VARS['username'], $VARS['password'], $autherror)) {
-                    doLoginUser($VARS['username'], $VARS['password']);
-                    exit(json_encode(["status" => "OK"]));
+                    if (account_has_permission($VARS['username'], "ADMIN")) {
+                        doLoginUser($VARS['username'], $VARS['password']);
+                        exit(json_encode(["status" => "OK"]));
+                    } else {
+                        exit(json_encode(["status" => "ERROR", "msg" => lang("no admin permission", false)]));
+                    }
                 }
             }
         }