diff --git a/lib/validation.js b/lib/validation.js
index 1522a00..55adc1e 100644
--- a/lib/validation.js
+++ b/lib/validation.js
@@ -44,6 +44,17 @@ module.exports = function (req, res, next) {
 sanitized[key] = req.body[key];
 })
+ // validate login separately
+ if(resource.type === 'UserCollection' && req.url.indexOf('/login') === req.url.lastIndexOf('/')) {
+ // explicitely sanitize login data
+ sanitized = {
+ email: req.body.email,
+ password: req.body.password
+ };
+
+ return next();
+ }
+
 // replace input with sanitized data
 req.body = req.data = sanitized;
diff --git a/package.json b/package.json
index da0e4c6..18dee2e 100644
--- a/package.json
+++ b/package.json
@@ -6,7 +6,7 @@
 "url": "git://github.com/deployd/deployd.git"
 },
 "engines": {
- "node": ">= 0.7.x"
+ "node": ">= 0.6.0"
 },
 "main":"index",
 "dependencies": {
diff --git a/test/support.js b/test/support.js
index 2d37fe7..e8589e5 100644
--- a/test/support.js
+++ b/test/support.js
@@ -20,9 +20,9 @@ unauthed = require('../lib/client').use('http://localhost:3003')
 resources = client.use('/resources')
 keys = dpd.use('/keys');
 types = client.use('/types')
-users = client.use('/users')
 // use non-root for todos
 todos = unauthed.use('/todos')
+users = unauthed.use('/users')
 sessions = client.use('/sessions')
 dashboard = client.use('/__dashboard');
 UserCollection = require('../lib/types').UserCollection
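Review bot: The login branch builds a new `sanitized` object from `req.body.email` and `req.body.password` but calls `return next();` before reaching the `req.body = req.data = sanitized;` line below it, so unless `sanitized` is read somewhere the hunk does not show, the request continues with the raw, unsanitized body and the "explicitely sanitize login data" comment describes something that never happens. Either assign on the request before returning, `req.body = req.data = { email: req.body.email, password: req.body.password };`, or drop the early `return next();` and let the branch fall through to the existing replace line. The route test `req.url.indexOf('/login') === req.url.lastIndexOf('/')` is also fragile: it accepts any trailing segment that merely starts with `/login`, and it turns false as soon as a query string contains a slash, in which case the login body takes the generic path instead; comparing the parsed pathname's last segment to `login` exactly would be clearer. Since these two values are presumably handed on to the credential check, a cheap `typeof req.body.email === 'string'` guard (and the same for the password) before passing them along avoids forwarding non-string input. The enclosing `module.exports` function starts and ends outside this hunk.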
@@ -54,7 +54,29 @@ data = {
 users: {
 type: 'UserCollection',
 path: UserCollection.defaultPath,
- properties: UserCollection.properties
+ properties: {
+ email: {
+ description: 'the unique email of the user',
+ type: 'string',
+ pattern: "[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?",
+ required: true,
+ unique: true,
+ minLength: 5,
+ order: 0
+ },
+ password: {
+ description: "the user's password",
+ type: 'string',
+ required: true,
+ minLength: 5,
+ order: 1
+ },
+ age: {
+ type: 'number',
+ required: true,
+ order: 2
+ }
+ }
 },
 avatars: {
 type: 'Static',
@@ -65,7 +87,7 @@ data = {
 path: '/'
 }
 },
- users: [{email: 'foo@bar.com', password: 'foobar'}],
+ users: [{email: 'foo@bar.com', password: 'foobar', age: 21}],
 todos: [{title: 'feed the dog', complete: false}, {title: 'wash the car', complete: false}, {title: 'finish some stuff', complete: false}] }
diff --git a/test/users.test.js b/test/users.test.js
index 9d1c541..6bbe3f7 100644
--- a/test/users.test.js
+++ b/test/users.test.js
@@ -25,7 +25,7 @@ describe('Users', function(){
 describe('POST /users/login', function(){
 it('should login if provided the correct credentials', function(done) {
- users.use('/login').post(data.users[0], function (err, session, req, res) {
+ users.use('/login').post({email: data.users[0].email, password: data.users[0].password}, function (err, session, req, res) {
 expect(session._id).to.have.length(24);
 expect(session.user.password).to.not.exist;
 expect(res.headers['set-cookie'][0].indexOf(session._id) > -1).to.equal(true);
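Review bot: The `pattern` for `email` is a double-quoted JavaScript string, so each `\.` in it is an unrecognised escape that evaluates to a bare `.`; if the server compiles this string into a RegExp, every place the author meant a literal dot matches any character, and the escapes need doubling, `\\.`, for the fixture to express the pattern it appears to copy. The pattern is also unanchored, so whether it has to match the whole value depends on how `pattern` is applied on the server side, which is not visible here; if it is not anchored, this fixture accepts any string that merely contains an address-like substring. The enclosing `data = {` literal starts before this hunk and ends after it.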