diff --git a/models/users.js b/models/users.js index ec75b1d..86455f6 100644 --- a/models/users.js +++ b/models/users.js @@ -12,33 +12,40 @@ const userSchema = mongoose.Schema({ }, firstname: { type: String, - required: true, maxlength: 24, }, lastname: { type: String, - required: true, maxlength: 24, }, + login: { + type: String, + maxlength: 64 + }, billing: { NIP: { type: String, - required: true, maxlength: 20, }, adress: { type: String, - required: true, maxlength: 128, }, companyName: { type: String, - required: true, maxlength: 64, }, }, + isRestaurant: Boolean, restaurants: [mongoose.Types.ObjectId], trialUsed: Boolean, + preferences: { + excludeAllergens: [String], + vegetarian: Boolean, + vegan: Boolean, + }, + favoriteRestaurants: [mongoose.Types.ObjectId], + photos: [mongoose.Types.ObjectId] }); module.exports = mongoose.model("User", userSchema); diff --git a/routes/routeSearch.js b/routes/routeSearch.js index 7279ae3..abc3408 100644 --- a/routes/routeSearch.js +++ b/routes/routeSearch.js @@ -2,6 +2,7 @@ const express = require("express"); const Restaurant = require("../models/restaurant.js"); const sanitizer = require("string-sanitizer"); const { handleError } = require("../services/services.js"); +const { validateSearch } = require("../services/validations.js"); var router = express.Router(); @@ -11,6 +12,7 @@ router.get("/", async (req, res) => { try { if (req.query.string.length > 0) { const query = sanitizer.sanitize.keepUnicode(decodeURI(req.query.string)); + validateSearch(query); const regex = new RegExp(query, "i"); Restaurant.find( @@ -43,12 +45,6 @@ router.get("/", async (req, res) => { } }); -// TEST - -router.get("/test/", (req, res) => { - res.send(req.query.string); -}); - // SEARCH RESTAURANTS BY LOCATION router.get("/location", async (req, res) => { 
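Review bot: Dropping `required: true` from `firstname`, `lastname` and the three `billing` fields means the schema no longer guarantees that a restaurant account carries billing data; that guarantee now rests solely on `validateRegister` at the `/register` route, and any other write path (a later profile update, for instance) can persist an empty `billing` block. Mongoose accepts a function for `required`, so the invariant can stay in the model and be conditioned on the new `isRestaurant` flag: `required: function () { return this.isRestaurant === true; },` on `NIP`, `adress` and `companyName`. The new `login` field has a `maxlength` but neither `unique` nor `required`; if it is meant as an alternative identifier, the uniqueness constraint belongs in the schema as well, since `validateRegister` only checks its length. The schema definition starts before this hunk.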
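Review bot: `validateSearch(query)` now guards `new RegExp(query, "i")` on the next line, but only indirectly: the regex is safe solely because `validateSearch` rejects anything non-alphanumeric, an invariant defined in another file that a later relaxation of that validator (to admit spaces or diacritics, say) would silently break. Escape metacharacters at the point of construction so this route does not depend on it: `const regex = new RegExp(query.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"), "i");`. The same applies to the `/autocomplete/` hunk in this file. The handler's body continues outside the hunk.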
@@ -72,12 +68,17 @@ router.get("/location", async (req, res) => { router.get("/autocomplete/", (req, res) => { if (req.query.string.length > 0) { var query = sanitizer.sanitize.keepUnicode(decodeURI(req.query.string)); + validateSearch(query); const regex = new RegExp(query, "i"); let cities = new Set(); let restaurants = new Set(); Restaurant.find( - { $or: [{ city: { $regex: regex } }, { name: { $regex: regex } }] }, + { $and: [ + { $or: [{ city: { $regex: regex } }, { name: { $regex: regex } }] }, + { $or: [{ hidden: false }, { hidden: { $exists: false } }] }, + { subscriptionActive: true }, + ], }, "name city", (err, doc) => { if (err) { diff --git a/routes/routeUser.js b/routes/routeUser.js index f555c86..9f3db7b 100644 --- a/routes/routeUser.js +++ b/routes/routeUser.js @@ -20,6 +20,7 @@ const { } = require("../services/services.js"); const { resetPassword } = require("../services/mailServices.js"); const cookie = require("cookie"); +const { validateLogin, validateRegister, validatePassword } = require("../services/validations.js"); var router = express.Router(); @@ -29,6 +30,7 @@ router.post("/login", async (req, res) => { if (!req.body.password || !req.body.email) { throw newError("Niepełne dane.", 204); } + validateLogin(req.body); const user = await fetchUser(req.body.email); await checkPassword(req.body.password, user.password); const safeUser = await prepareSafeUser(user); @@ -73,6 +75,7 @@ router.post("/refresh", async (req, res) => { // REGISTER router.post("/register", async (req, res) => { try { + validateRegister(req.body); await checkEmailTaken(req.body.email); const user = await createUser(req); await user.save().catch((e) => { @@ -90,6 +93,7 @@ router.post("/changepass", async (req, res) => { if (!req.body.password || !req.body.email || !req.body.newPass) { throw newError("Niepełne dane.", 204); } + validateLogin(req.body); const token = req.headers["x-auth-token"]; validateUserToken(token); const user = await fetchUser(req.body.email); 
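Review bot: `validateSearch(query)` throws on invalid input, but unlike the `/` handler this one shows no `try`/`handleError` around it in the visible context, so the error leaves the non-async handler as a synchronous throw and lands in Express's error-handling chain; without a custom error middleware the default handler answers 500 (with a stack trace in development) instead of the intended 400. Wrap the body in `try { … } catch (err) { handleError(err, res); }` the way the `/` route does (the exact `handleError` signature is not visible here), or pass the error to `next` explicitly. The handler's body continues outside the hunk.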
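Review bot: In the `/changepass` hunk `validateLogin(req.body)` checks `email` and `password`, but `newPass` — the value that actually ends up persisted — is still only subject to the `< 6` check in `hashPass` and has no upper bound; `validatePassword` is imported on the first hunk of this file but never called here. Add `validatePassword(req.body.newPass);` after the `validateLogin` call, noting that `validatePassword` as written in services/validations.js computes a result and never throws, so it needs fixing there before this has any effect. The handler's body continues outside the hunk.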
@@ -117,8 +121,9 @@ router.post("/forgotpassword", async (req, res) => { // RESET PASS router.post("/resetpass", async (req, res) => { try { - validateUserToken(req.body.token); - const user = await fetchUser(req.body.email); + decodedToken = validateUserToken(req.body.token); + validatePassword(req.body.newPass) + const user = await fetchUser(decodedToken.email); const newPassword = await hashPass(req.body.newPass); await changeUserPass(user._id, newPassword); res.send("Hasło zostało zmienione."); diff --git a/services/services.js b/services/services.js index e9f0512..ccb4cd9 100644 --- a/services/services.js +++ b/services/services.js @@ -160,7 +160,7 @@ function yearFromNowDate() { async function hashPass(pass) { if (pass.length < 6) { - throw newError("Hasło za krótkie.", 500); + throw newError("Hasło za krótkie.", 400); } try { const salt = await bcrypt.genSalt(10); diff --git a/services/validations.js b/services/validations.js new file mode 100644 index 0000000..4bd241b --- /dev/null +++ b/services/validations.js 
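Review bot: `decodedToken = validateUserToken(req.body.token);` has no `const`/`let`, so it assigns an implicit global (or throws a ReferenceError if the file is in strict mode); the value is request-scoped and should be `const decodedToken = validateUserToken(req.body.token);`. The following `validatePassword(req.body.newPass)` lacks a semicolon and, as `validatePassword` is written in services/validations.js, never throws, so `newPass` is still checked only by `hashPass`. Taking the e-mail from the decoded token rather than the body is the right change, assuming `validateUserToken` returns the decoded payload with an `email` claim, which this hunk does not show. The handler's body continues outside the hunk.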
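Review bot: The status-code correction is right, but `hashPass` still enforces only a lower bound: bcrypt considers at most the first 72 bytes of its input, so anything longer is silently truncated, and the `max: 64` that services/validations.js applies elsewhere is not applied here. Add the upper bound next to the existing check, e.g. `if (pass.length > 64) { throw newError("Hasło za długie.", 400); }`, so every caller of `hashPass` gets the same contract regardless of which route validator ran first. `hashPass` continues outside the hunk.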
@@ -0,0 +1,50 @@
+const validator = require('validator');
+const { newError } = require("./services.js");
+
+const validateLogin = function(requestBody){
+ const email = validator.isEmail(requestBody.email) && validator.isLength(requestBody.email, { max: 64 })
+ const password = validator.isLength(requestBody.password, { max: 64 });
+ if(!email || !password){
+ throw newError("Dane logowania nieprawidłowe :/", 400);
+ }
+}
+
+const validatePassword = function(pass){
+ const password = validator.isLength(pass, { min: 2, max: 64 });
+}
+
+const validateRegister = function(requestBody){
+ if(requestBody.isRestaurant){
+ const email = validator.isEmail(requestBody.email) && validator.isLength(requestBody.email, { max: 64 })
+ const password = validator.isLength(requestBody.password, { min:6, max:64 });
+ const firstname = validator.isLength(requestBody.firstname, { min:1, max:24 });
+ const lastname = validator.isLength(requestBody.lastname, { min:1, max:24 });
+ const NIP = validator.isLength(requestBody.NIP, { min:10, max:20 });
+ const adress = validator.isLength(requestBody.adress, { min:2, max:64 });
+ const companyName = validator.isLength(requestBody.companyName, { min:2, max:64 });
+ if(!email || !password || !firstname || !lastname || !NIP || !adress || !companyName) {
+ throw newError("Dane nieprawidłowe", 400)
+ }
+ } else {
+ const email = validator.isEmail(requestBody.email) && validator.isLength(requestBody.email, { max: 64 })
+ const password = validator.isLength(requestBody.password, { min:6, max:64 });
+ const login = validator.isLength(requestBody.login, { min:2, max:64 });
+ if(!email || !password || !login) {
+ throw newError("Dane nieprawidłowe", 400)
+ }
+ }
+}
+
+const validateSearch = function(string){
+ const valid = validator.isLength(string, { max: 64 }) && validator.isAlphanumeric(string)
+ if(!valid){
+ throw newError("Niepoprawne zapytanie", 400)
+ }
+}
+
+// EXPORTS
+
+exports.validateLogin = validateLogin;
+exports.validateRegister = validateRegister;
+exports.validatePassword = validatePassword;
+exports.validateSearch = validateSearch;
\ No newline at end of file
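Review bot: `validatePassword` computes `password` and then discards it, so it never throws and its only caller in this commit (the `/resetpass` route) gets no validation at all; it also uses `min: 2` where `validateRegister` and `hashPass` use 6. A second gap affects all four functions: validator.js throws a `TypeError` when handed a non-string, and a JSON body can carry a number, an object or nothing for any of these fields, so a request with `"password": 123` or a missing `login` surfaces as an exception rather than the 400 these functions intend. Finally `validateSearch` calls `isAlphanumeric` with its default `en-US` locale, which rejects Polish letters and spaces, so a search for a city such as "Łódź" or a two-word name is refused even though the routes preserve Unicode via `sanitizer.sanitize.keepUnicode`; passing `"pl-PL"` and `{ ignore: " " }` keeps the metacharacter protection while admitting those inputs. The rewrite below adds a string guard, makes `validatePassword` throw, and adjusts `validateSearch`; `validateLogin` and `validateRegister` should wrap their inputs with the same guard.
```javascript
// … unchanged: requires …

// validator.js throws a TypeError on non-string input (JSON bodies can carry
// numbers, objects or nothing at all); map that to the intended 400 instead.
const asString = function (value) {
  return typeof value === "string" ? value : "";
};

const validatePassword = function (pass) {
  // min 6 matches validateRegister and hashPass.
  if (!validator.isLength(asString(pass), { min: 6, max: 64 })) {
    throw newError("Dane nieprawidłowe", 400);
  }
};

// … unchanged: validateLogin, validateRegister (wrap inputs in asString) …

const validateSearch = function (string) {
  const text = asString(string);
  // pl-PL admits Polish letters; a single space is allowed between words.
  // Regex metacharacters are still rejected, so the caller's RegExp is safe.
  const valid =
    validator.isLength(text, { max: 64 }) &&
    validator.isAlphanumeric(text, "pl-PL", { ignore: " " });
  if (!valid) {
    throw newError("Niepoprawne zapytanie", 400);
  }
};

// … unchanged: exports …
```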