diff --git a/lib/api_defender.rb b/lib/api_defender.rb
index 9fc7cacc0..4986f166c 100644
--- a/lib/api_defender.rb
+++ b/lib/api_defender.rb
@@ -57,9 +57,7 @@ class ApiDefender < Rack::Throttle::Hourly
 def authorized?(request)
 return @authorized if @authorized
 auth = Rack::Auth::Basic::Request.new(request.env)
-if auth.provided? and auth.basic?
-@user = User.auth_by_token_or_login_pass(*auth.credentials)
-end
+@user = User.auth_by_token_or_login_pass(*auth.credentials) if auth.provided? and auth.basic?
 @authorized = true # cache
 end
 
diff --git a/spec/integration/api_defender_spec.rb b/spec/integration/api_defender_spec.rb
index f603e10f4..78ab43097 100644
--- a/spec/integration/api_defender_spec.rb
+++ b/spec/integration/api_defender_spec.rb
@@ -1,17 +1,19 @@
 require 'spec_helper'
 
 describe ApiDefender do
-def get_basic_auth user = @user, by_token = false
+def get_basic_auth user = @user, by_token = false, by_email = false
 u,pass = if by_token
 [user.authentication_token, '']
+elsif by_email
+[user.email, @password]
 else
-[user.uname, '123456']
+[user.uname, @password]
 end
 ActionController::HttpAuthentication::Basic.encode_credentials u, pass
 end
 
-def get_request auth_user = nil, by_token = false
-auth = auth_user ? {'HTTP_AUTHORIZATION' => get_basic_auth(auth_user, by_token)} : {}
+def get_request auth_user = nil, by_token = false, by_email = false
+auth = auth_user ? {'HTTP_AUTHORIZATION' => get_basic_auth(auth_user, by_token, by_email)} : {}
 get "/api/v1/users/#{@user.id}.json", {}, auth
 end
 
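Review bot: The new modifier form in authorized? only assigns @user when Basic credentials are present, so when they are absent @user keeps whatever value it already held while @authorized is still set to true on the next line. Because `return @authorized if @authorized` short-circuits every later call, a stale @user can be carried forward if this middleware instance is reused across requests (Rack middleware objects usually are); I would make the assignment total, `@user = auth.provided? && auth.basic? ? User.auth_by_token_or_login_pass(*auth.credentials) : nil`, so an unauthenticated request always clears the user. While touching the line, prefer `&&` over `and` in the condition — the low-precedence keyword form is a well-known trap in Ruby and the style guide reserves it for flow control. The class body and the surrounding definition of @authorized's lifetime continue outside the hunk, so the cross-request concern is worth confirming against how the middleware is mounted.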
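Review bot: Adding a second boolean positional flag to get_basic_auth and get_request makes the call sites opaque — `get_request @user, false, true` gives no hint that the second argument means "by email". Keyword arguments would keep the helpers readable as more auth modes are added: `def get_basic_auth(user = @user, by_token: false, by_email: false)`, `def get_request(auth_user = nil, by_token: false, by_email: false)`, and callers become `get_request @user, by_email: true`. The hunk also replaces the literal '123456' with @password, which is presumably assigned in a `before` block outside this hunk; if it is not set, both the uname and email branches would encode a nil password, so it is worth confirming the fixture actually defines it.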
@@ -61,6 +63,24 @@ describe ApiDefender do
 response.headers['X-RateLimit-Remaining'].should == (@rate_limit-1).to_s
 end
 
+it "should allow auth by uname and password" do
+(@rate_limit+1).times {get_request}
+get_request @user
+response.headers['X-RateLimit-Remaining'].should == (@rate_limit-1).to_s
+end
+
+it "should allow auth by email and password" do
+(@rate_limit+1).times {get_request}
+get_request @user, false, true
+response.headers['X-RateLimit-Remaining'].should == (@rate_limit-1).to_s
+end
+
+it "should allow auth by token" do
+(@rate_limit+1).times {get_request}
+get_request @user, true
+response.headers['X-RateLimit-Remaining'].should == (@rate_limit-1).to_s
+end
+
 it "should return the correct limit usage for auth user after anonymous access" do
 get_request
 get_request @user
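Review bot: The three new examples are identical apart from the arguments passed to get_request, so the intent of each case is buried in an unlabeled boolean pair and any future change to the assertion has to be made three times. A small table driving one `it` block keeps the labels next to the flags and makes it trivial to add the next auth mode; the context line above the insert point appears to already assert the same header for an authenticated request, so the "uname and password" case may also duplicate an existing example — worth checking before merging. The assertion also only shows that the authenticated rate-limit bucket was used; if the endpoint is expected to succeed for these users, adding `response.status.should == 200` (or whatever the spec's existing convention is) would make a failed login that still lands in a fresh bucket visible.
```ruby
[["uname and password", [false, false]],
 ["email and password", [false, true]],
 ["token",              [true, false]]].each do |label, (by_token, by_email)|
  it "should allow auth by #{label}" do
    (@rate_limit+1).times {get_request}
    get_request @user, by_token, by_email
    response.headers['X-RateLimit-Remaining'].should == (@rate_limit-1).to_s
  end
end
# … unchanged: "should return the correct limit usage for auth user after anonymous access" …
```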