diff --git a/backend/app.js b/backend/app.js
index f409f3c..9d34137 100644
--- a/backend/app.js
+++ b/backend/app.js
@@ -15,7 +15,7 @@ app.use(express.json());
 app.use(express.urlencoded({ extended: true }));
 // database
-const db = require("./models/index");
+const db = require("./models");
 const Role = db.Role;
 const User = db.User;
 const PitchType = db.pitchType;
diff --git a/backend/controllers/user.controller.js b/backend/controllers/user.controller.js
index 1b3d8fa..e81b497 100644
--- a/backend/controllers/user.controller.js
+++ b/backend/controllers/user.controller.js
@@ -1,5 +1,5 @@
 const db = require("../models/index");
-const User = db.user;
+const User = db.User;
 const Op = db.Sequelize.Op;
 exports.findAll = (req, res) => {
diff --git a/backend/models/user.model.js b/backend/models/user.model.js
index f921657..13dee2a 100644
--- a/backend/models/user.model.js
+++ b/backend/models/user.model.js
@@ -52,6 +52,15 @@ module.exports = (sequelize, DataTypes) => {
 user.password = await bcrypt.hash(user.password, salt);
 }
 }
+ }, {
+ defaultScope: {
+ attributes: { exclude: ['password'] },
+ },
+ scopes: {
+ withSecretColumns: {
+ attributes: { include: ['password'] },
+ },
+ },
 });
 User.prototype.validPassword = function (password) {
@@ -59,4 +68,4 @@ module.exports = (sequelize, DataTypes) => {
 };
 return User;
-};
\ No newline at end of file
+};
diff --git a/backend/test/user.test.js b/backend/test/user.test.js
index c3a3514..37f314c 100644
--- a/backend/test/user.test.js
+++ b/backend/test/user.test.js
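Review bot: In backend/models/user.model.js the new `defaultScope` only shapes finder queries, so, as far as I know, the instance returned by `User.create()` still carries the bcrypt hash, and a controller that passes it to `res.json` would still return it. A serialisation guard covers those paths too: `User.prototype.toJSON = function () { const { password, ...rest } = this.get(); return rest; };`. The sign-in path is not part of this diff; `validPassword` presumably compares against `this.password`, so its lookup has to go through `User.scope('withSecretColumns')` or the comparison runs against `undefined`. Only two closing braces are visible between the bcrypt line and the inserted `}, {`, so please confirm the new object is the options argument Sequelize reads, alongside `hooks`, rather than an extra trailing argument that is ignored. The enclosing model definition starts above the hunk.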
@@ -13,38 +13,35 @@ const { signupUser } = require("./data/user.test.data")
 const res = require("express/lib/response");
 describe("Test user authentication", () => {
- test("should signup a user", done => {
- request(app)
+ test("should signup a user", async () => {
+ const response = await request(app)
 .post("/api/auth/signup")
- .send(signupUser)
- .then( res => {
- expect(res.header['content-type']).toBe('application/json; charset=utf-8');
- expect(res.statusCode).toBe(200);
- done();
- });
+ .send(signupUser);
+
+ expect(response.header['content-type']).toBe('application/json; charset=utf-8');
+ expect(response.statusCode).toBe(200);
 });
- test("Test user login", done => {
+ test("Test user login", async () => {
 let user = {};
- request(app)
+ let response = await request(app)
 .post("/api/auth/signin")
 .send({
 email: 'ryan.nolan@bullpen.com',
 password: 'nolan'
- })
- .then( res => {
- expect(res.statusCode).toBe(200);
- expect(res.body.accessToken).not.toBeNull();
- console.log(res.body);
- user = res.body;
- done();
- // }).then(() => {
- // request(app)
- // .get(`/api/users/${user.id}`)
- // .then( res2 => {
- // expect(res2.statusCode).toBe(200);
- // })
- // });
+ expect(response.statusCode).toBe(200);
+ expect(response.body.accessToken).not.toBeNull();
+ user = response.body;
+
+ response = await request(app)
+ .get(`/api/users/${user.id}`);
+ expect(response.statusCode).toBe(403);
+
+ response = await request(app)
+ .get(`/api/users/${user.id}`)
+ .set('x-access-token', user.accessToken);
+ console.log(response.body);
+ expect(response.statusCode).toBe(200);
 });
 });
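Review bot: The login test never asserts the property this commit introduces: the authenticated `GET /api/users/:id` response is only printed with `console.log(response.body)`, which also writes a user record into CI logs. Replace that line with `expect(response.body).not.toHaveProperty('password');`. `expect(response.body.accessToken).not.toBeNull()` passes when the field is missing, because `undefined` is not `null`; `expect(response.body.accessToken).toEqual(expect.any(String));` pins what is meant. As the hunk reads here, the removed `})` after `password: 'nolan'` has no replacement on the new side, so `.send({` looks unclosed before the first `expect`; unless that is an artefact of the page, a `});` line is needed there.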