diff --git a/middleware/auth.go b/middleware/auth.go
index 04719ca..f09432c 100644
--- a/middleware/auth.go
+++ b/middleware/auth.go
@@ -126,6 +126,7 @@ func (a *Authenticator) refreshExpiredToken(w http.ResponseWriter, claims token.
 }
 
 // AdminOnly middleware allows access for admins only
+// this handler internally wrapped with auth(true) to avoid situation if AdminOnly defined without prior Auth
 func (a *Authenticator) AdminOnly(next http.Handler) http.Handler {
 fn := func(w http.ResponseWriter, r *http.Request) {
 user, err := token.GetUserInfo(r)
@@ -140,7 +141,7 @@ func (a *Authenticator) AdminOnly(next http.Handler) http.Handler {
 }
 next.ServeHTTP(w, r)
 }
-return a.auth(true)(http.HandlerFunc(fn))
+return a.auth(true)(http.HandlerFunc(fn)) // enforce auth
 }
 
 // basic auth for admin user
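Review bot: The doc comment added above AdminOnly in the first hunk is hard to parse and never says what the `true` argument to `a.auth` means, although it is the only place that records why the admin check cannot be reached unauthenticated. I would reword it as `// The handler is wrapped in a.auth(true) internally, so the admin check always runs behind authentication, even when a route uses AdminOnly without a prior Auth middleware.` and add a few words on what `true` selects, which is not visible in these hunks (presumably it makes authentication mandatory). With that in place, the trailing `// enforce auth` in the second hunk repeats the doc comment and can be dropped. Routes that chain Auth and then AdminOnly will presumably pass through the auth wrapper twice, so the comment should also say whether that is intended. The middle of AdminOnly's body lies between the two hunks and is not shown.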