Refactor user/password authentication

• Move user validation from controller to service
• Provide appropriate http status for response