[#2068] Introduced proper OAuth tokens usage to controller tests.

2019-12-19 17:23:27 +03:00 · 2019-12-19 17:23:27 +03:00 · 455e072d27
parent 7973cbdb9f
commit 455e072d27
23 changed files with 548 additions and 1045 deletions
--- a/lib/pleroma/web/masto_fe_controller.ex
+++ b/lib/pleroma/web/masto_fe_controller.ex
@ -20,18 +20,21 @@ defmodule Pleroma.Web.MastoFEController do
  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug when action != :index)
  @doc "GET /web/*path"
-  def index(%{assigns: %{user: user}} = conn, _params) do
+  def index(%{assigns: %{user: user, token: token}} = conn, _params)
-    token = get_session(conn, :oauth_token)
+      when not is_nil(user) and not is_nil(token) do
    conn
    |> put_layout(false)
    |> render("index.html",
      token: token.token,
      user: user,
      custom_emojis: Pleroma.Emoji.get_all()
    )
  end
-    if user && token do
+  def index(conn, _params) do
-      conn
+    conn
-      |> put_layout(false)
+    |> put_session(:return_to, conn.request_path)
-      |> render("index.html", token: token, user: user, custom_emojis: Pleroma.Emoji.get_all())
+    |> redirect(to: "/web/login")
    else
      conn
      |> put_session(:return_to, conn.request_path)
      |> redirect(to: "/web/login")
    end
  end
  @doc "GET /web/manifest.json"
--- a/test/support/conn_case.ex
+++ b/test/support/conn_case.ex
@ -30,14 +30,14 @@ defmodule Pleroma.Web.ConnCase do
      @endpoint Pleroma.Web.Endpoint
      # Sets up OAuth access with specified scopes
-      defp oauth_access(scopes, opts \\ %{}) do
+      defp oauth_access(scopes, opts \\ []) do
        user =
-          Map.get_lazy(opts, :user, fn ->
+          Keyword.get_lazy(opts, :user, fn ->
            Pleroma.Factory.insert(:user)
          end)
        token =
-          Map.get_lazy(opts, :oauth_token, fn ->
+          Keyword.get_lazy(opts, :oauth_token, fn ->
            Pleroma.Factory.insert(:oauth_token, user: user, scopes: scopes)
          end)
--- a/test/web/masto_fe_controller_test.exs
+++ b/test/web/masto_fe_controller_test.exs
@ -18,6 +18,7 @@ test "put settings", %{conn: conn} do
    conn =
      conn
      |> assign(:user, user)
      |> assign(:token, insert(:oauth_token, user: user, scopes: ["write:accounts"]))
      |> put("/api/web/settings", %{"data" => %{"programming" => "socks"}})
    assert _result = json_response(conn, 200)
@ -63,12 +64,12 @@ test "redirects not logged-in users to the login page on private instances", %{
    end
    test "does not redirect logged in users to the login page", %{conn: conn, path: path} do
-      token = insert(:oauth_token)
+      token = insert(:oauth_token, scopes: ["read"])
      conn =
        conn
        |> assign(:user, token.user)
-        |> put_session(:oauth_token, token.token)
+        |> assign(:token, token)
        |> get(path)
      assert conn.status == 200
--- a/test/web/mastodon_api/controllers/account_controller/update_credentials_test.exs
+++ b/test/web/mastodon_api/controllers/account_controller/update_credentials_test.exs
@ -12,13 +12,11 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController.UpdateCredentialsTest do
  clear_config([:instance, :max_account_fields])
  describe "updating credentials" do
-    test "sets user settings in a generic way", %{conn: conn} do
+    setup do: oauth_access(["write:accounts"])
      user = insert(:user)
    test "sets user settings in a generic way", %{conn: conn} do
      res_conn =
-        conn
+        patch(conn, "/api/v1/accounts/update_credentials", %{
        |> assign(:user, user)
        |> patch("/api/v1/accounts/update_credentials", %{
          "pleroma_settings_store" => %{
            pleroma_fe: %{
              theme: "bla"
@ -26,10 +24,10 @@ test "sets user settings in a generic way", %{conn: conn} do
          }
        })
-      assert user = json_response(res_conn, 200)
+      assert user_data = json_response(res_conn, 200)
-      assert user["pleroma"]["settings_store"] == %{"pleroma_fe" => %{"theme" => "bla"}}
+      assert user_data["pleroma"]["settings_store"] == %{"pleroma_fe" => %{"theme" => "bla"}}
-      user = Repo.get(User, user["id"])
+      user = Repo.get(User, user_data["id"])
      res_conn =
        conn
@ -42,15 +40,15 @@ test "sets user settings in a generic way", %{conn: conn} do
          }
        })
-      assert user = json_response(res_conn, 200)
+      assert user_data = json_response(res_conn, 200)
-      assert user["pleroma"]["settings_store"] ==
+      assert user_data["pleroma"]["settings_store"] ==
               %{
                 "pleroma_fe" => %{"theme" => "bla"},
                 "masto_fe" => %{"theme" => "bla"}
               }
-      user = Repo.get(User, user["id"])
+      user = Repo.get(User, user_data["id"])
      res_conn =
        conn
@ -63,9 +61,9 @@ test "sets user settings in a generic way", %{conn: conn} do
          }
        })
-      assert user = json_response(res_conn, 200)
+      assert user_data = json_response(res_conn, 200)
-      assert user["pleroma"]["settings_store"] ==
+      assert user_data["pleroma"]["settings_store"] ==
               %{
                 "pleroma_fe" => %{"theme" => "bla"},
                 "masto_fe" => %{"theme" => "blub"}
@ -73,97 +71,67 @@ test "sets user settings in a generic way", %{conn: conn} do
    end
    test "updates the user's bio", %{conn: conn} do
      user = insert(:user)
      user2 = insert(:user)
      conn =
-        conn
+        patch(conn, "/api/v1/accounts/update_credentials", %{
        |> assign(:user, user)
        |> patch("/api/v1/accounts/update_credentials", %{
          "note" => "I drink #cofe with @#{user2.nickname}"
        })
-      assert user = json_response(conn, 200)
+      assert user_data = json_response(conn, 200)
-      assert user["note"] ==
+      assert user_data["note"] ==
               ~s(I drink <a class="hashtag" data-tag="cofe" href="http://localhost:4001/tag/cofe">#cofe</a> with <span class="h-card"><a data-user="#{
                 user2.id
               }" class="u-url mention" href="#{user2.ap_id}" rel="ugc">@<span>#{user2.nickname}</span></a></span>)
    end
    test "updates the user's locking status", %{conn: conn} do
-      user = insert(:user)
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{locked: "true"})
-      conn =
+      assert user_data = json_response(conn, 200)
-        conn
+      assert user_data["locked"] == true
        |> assign(:user, user)
        |> patch("/api/v1/accounts/update_credentials", %{locked: "true"})
      assert user = json_response(conn, 200)
      assert user["locked"] == true
    end
-    test "updates the user's allow_following_move", %{conn: conn} do
+    test "updates the user's allow_following_move", %{user: user, conn: conn} do
      user = insert(:user)
      assert user.allow_following_move == true
-      conn =
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{allow_following_move: "false"})
        conn
        |> assign(:user, user)
        |> patch("/api/v1/accounts/update_credentials", %{allow_following_move: "false"})
      assert refresh_record(user).allow_following_move == false
-      assert user = json_response(conn, 200)
+      assert user_data = json_response(conn, 200)
-      assert user["pleroma"]["allow_following_move"] == false
+      assert user_data["pleroma"]["allow_following_move"] == false
    end
    test "updates the user's default scope", %{conn: conn} do
-      user = insert(:user)
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{default_scope: "cofe"})
-      conn =
+      assert user_data = json_response(conn, 200)
-        conn
+      assert user_data["source"]["privacy"] == "cofe"
        |> assign(:user, user)
        |> patch("/api/v1/accounts/update_credentials", %{default_scope: "cofe"})
      assert user = json_response(conn, 200)
      assert user["source"]["privacy"] == "cofe"
    end
    test "updates the user's hide_followers status", %{conn: conn} do
-      user = insert(:user)
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{hide_followers: "true"})
-      conn =
+      assert user_data = json_response(conn, 200)
-        conn
+      assert user_data["pleroma"]["hide_followers"] == true
        |> assign(:user, user)
        |> patch("/api/v1/accounts/update_credentials", %{hide_followers: "true"})
      assert user = json_response(conn, 200)
      assert user["pleroma"]["hide_followers"] == true
    end
    test "updates the user's hide_followers_count and hide_follows_count", %{conn: conn} do
      user = insert(:user)
      conn =
-        conn
+        patch(conn, "/api/v1/accounts/update_credentials", %{
        |> assign(:user, user)
        |> patch("/api/v1/accounts/update_credentials", %{
          hide_followers_count: "true",
          hide_follows_count: "true"
        })
-      assert user = json_response(conn, 200)
+      assert user_data = json_response(conn, 200)
-      assert user["pleroma"]["hide_followers_count"] == true
+      assert user_data["pleroma"]["hide_followers_count"] == true
-      assert user["pleroma"]["hide_follows_count"] == true
+      assert user_data["pleroma"]["hide_follows_count"] == true
    end
-    test "updates the user's skip_thread_containment option", %{conn: conn} do
+    test "updates the user's skip_thread_containment option", %{user: user, conn: conn} do
      user = insert(:user)
      response =
        conn
        |> assign(:user, user)
        |> patch("/api/v1/accounts/update_credentials", %{skip_thread_containment: "true"})
        |> json_response(200)
@ -172,104 +140,68 @@ test "updates the user's skip_thread_containment option", %{conn: conn} do
    end
    test "updates the user's hide_follows status", %{conn: conn} do
-      user = insert(:user)
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{hide_follows: "true"})
-      conn =
+      assert user_data = json_response(conn, 200)
-        conn
+      assert user_data["pleroma"]["hide_follows"] == true
        |> assign(:user, user)
        |> patch("/api/v1/accounts/update_credentials", %{hide_follows: "true"})
      assert user = json_response(conn, 200)
      assert user["pleroma"]["hide_follows"] == true
    end
    test "updates the user's hide_favorites status", %{conn: conn} do
-      user = insert(:user)
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{hide_favorites: "true"})
-      conn =
+      assert user_data = json_response(conn, 200)
-        conn
+      assert user_data["pleroma"]["hide_favorites"] == true
        |> assign(:user, user)
        |> patch("/api/v1/accounts/update_credentials", %{hide_favorites: "true"})
      assert user = json_response(conn, 200)
      assert user["pleroma"]["hide_favorites"] == true
    end
    test "updates the user's show_role status", %{conn: conn} do
-      user = insert(:user)
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{show_role: "false"})
-      conn =
+      assert user_data = json_response(conn, 200)
-        conn
+      assert user_data["source"]["pleroma"]["show_role"] == false
        |> assign(:user, user)
        |> patch("/api/v1/accounts/update_credentials", %{show_role: "false"})
      assert user = json_response(conn, 200)
      assert user["source"]["pleroma"]["show_role"] == false
    end
    test "updates the user's no_rich_text status", %{conn: conn} do
-      user = insert(:user)
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{no_rich_text: "true"})
-      conn =
+      assert user_data = json_response(conn, 200)
-        conn
+      assert user_data["source"]["pleroma"]["no_rich_text"] == true
        |> assign(:user, user)
        |> patch("/api/v1/accounts/update_credentials", %{no_rich_text: "true"})
      assert user = json_response(conn, 200)
      assert user["source"]["pleroma"]["no_rich_text"] == true
    end
    test "updates the user's name", %{conn: conn} do
      user = insert(:user)
      conn =
-        conn
+        patch(conn, "/api/v1/accounts/update_credentials", %{"display_name" => "markorepairs"})
        |> assign(:user, user)
        |> patch("/api/v1/accounts/update_credentials", %{"display_name" => "markorepairs"})
-      assert user = json_response(conn, 200)
+      assert user_data = json_response(conn, 200)
-      assert user["display_name"] == "markorepairs"
+      assert user_data["display_name"] == "markorepairs"
    end
-    test "updates the user's avatar", %{conn: conn} do
+    test "updates the user's avatar", %{user: user, conn: conn} do
      user = insert(:user)
      new_avatar = %Plug.Upload{
        content_type: "image/jpg",
        path: Path.absname("test/fixtures/image.jpg"),
        filename: "an_image.jpg"
      }
-      conn =
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{"avatar" => new_avatar})
        conn
        |> assign(:user, user)
        |> patch("/api/v1/accounts/update_credentials", %{"avatar" => new_avatar})
      assert user_response = json_response(conn, 200)
      assert user_response["avatar"] != User.avatar_url(user)
    end
-    test "updates the user's banner", %{conn: conn} do
+    test "updates the user's banner", %{user: user, conn: conn} do
      user = insert(:user)
      new_header = %Plug.Upload{
        content_type: "image/jpg",
        path: Path.absname("test/fixtures/image.jpg"),
        filename: "an_image.jpg"
      }
-      conn =
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{"header" => new_header})
        conn
        |> assign(:user, user)
        |> patch("/api/v1/accounts/update_credentials", %{"header" => new_header})
      assert user_response = json_response(conn, 200)
      assert user_response["header"] != User.banner_url(user)
    end
    test "updates the user's background", %{conn: conn} do
      user = insert(:user)
      new_header = %Plug.Upload{
        content_type: "image/jpg",
        path: Path.absname("test/fixtures/image.jpg"),
@ -277,9 +209,7 @@ test "updates the user's background", %{conn: conn} do
      }
      conn =
-        conn
+        patch(conn, "/api/v1/accounts/update_credentials", %{
        |> assign(:user, user)
        |> patch("/api/v1/accounts/update_credentials", %{
          "pleroma_background_image" => new_header
        })
@ -287,13 +217,13 @@ test "updates the user's background", %{conn: conn} do
      assert user_response["pleroma"]["background_image"]
    end
-    test "requires 'write:accounts' permission", %{conn: conn} do
+    test "requires 'write:accounts' permission" do
      token1 = insert(:oauth_token, scopes: ["read"])
      token2 = insert(:oauth_token, scopes: ["write", "follow"])
      for token <- [token1, token2] do
        conn =
-          conn
+          build_conn()
          |> put_req_header("authorization", "Bearer #{token.token}")
          |> patch("/api/v1/accounts/update_credentials", %{})
@ -306,53 +236,44 @@ test "requires 'write:accounts' permission", %{conn: conn} do
      end
    end
-    test "updates profile emojos", %{conn: conn} do
+    test "updates profile emojos", %{user: user, conn: conn} do
      user = insert(:user)
      note = "*sips :blank:*"
      name = "I am :firefox:"
-      conn =
+      ret_conn =
-        conn
+        patch(conn, "/api/v1/accounts/update_credentials", %{
        |> assign(:user, user)
        |> patch("/api/v1/accounts/update_credentials", %{
          "note" => note,
          "display_name" => name
        })
-      assert json_response(conn, 200)
+      assert json_response(ret_conn, 200)
-      conn =
+      conn = get(conn, "/api/v1/accounts/#{user.id}")
        conn
        |> get("/api/v1/accounts/#{user.id}")
-      assert user = json_response(conn, 200)
+      assert user_data = json_response(conn, 200)
-      assert user["note"] == note
+      assert user_data["note"] == note
-      assert user["display_name"] == name
+      assert user_data["display_name"] == name
-      assert [%{"shortcode" => "blank"}, %{"shortcode" => "firefox"}] = user["emojis"]
+      assert [%{"shortcode" => "blank"}, %{"shortcode" => "firefox"}] = user_data["emojis"]
    end
    test "update fields", %{conn: conn} do
      user = insert(:user)
      fields = [
        %{"name" => "<a href=\"http://google.com\">foo</a>", "value" => "<script>bar</script>"},
        %{"name" => "link", "value" => "cofe.io"}
      ]
-      account =
+      account_data =
        conn
        |> assign(:user, user)
        |> patch("/api/v1/accounts/update_credentials", %{"fields_attributes" => fields})
        |> json_response(200)
-      assert account["fields"] == [
+      assert account_data["fields"] == [
               %{"name" => "foo", "value" => "bar"},
               %{"name" => "link", "value" => ~S(<a href="http://cofe.io" rel="ugc">cofe.io</a>)}
             ]
-      assert account["source"]["fields"] == [
+      assert account_data["source"]["fields"] == [
               %{
                 "name" => "<a href=\"http://google.com\">foo</a>",
                 "value" => "<script>bar</script>"
@ -372,7 +293,6 @@ test "update fields", %{conn: conn} do
      account =
        conn
        |> put_req_header("content-type", "application/x-www-form-urlencoded")
        |> assign(:user, user)
        |> patch("/api/v1/accounts/update_credentials", fields)
        |> json_response(200)
@ -398,7 +318,6 @@ test "update fields", %{conn: conn} do
      assert %{"error" => "Invalid request"} ==
               conn
               |> assign(:user, user)
               |> patch("/api/v1/accounts/update_credentials", %{"fields_attributes" => fields})
               |> json_response(403)
@ -408,7 +327,6 @@ test "update fields", %{conn: conn} do
      assert %{"error" => "Invalid request"} ==
               conn
               |> assign(:user, user)
               |> patch("/api/v1/accounts/update_credentials", %{"fields_attributes" => fields})
               |> json_response(403)
@ -421,7 +339,6 @@ test "update fields", %{conn: conn} do
      assert %{"error" => "Invalid request"} ==
               conn
               |> assign(:user, user)
               |> patch("/api/v1/accounts/update_credentials", %{"fields_attributes" => fields})
               |> json_response(403)
@ -432,7 +349,6 @@ test "update fields", %{conn: conn} do
      account =
        conn
        |> assign(:user, user)
        |> patch("/api/v1/accounts/update_credentials", %{"fields_attributes" => fields})
        |> json_response(200)
--- a/test/web/mastodon_api/controllers/account_controller_test.exs
+++ b/test/web/mastodon_api/controllers/account_controller_test.exs
@ -87,6 +87,7 @@ test "respects limit_to_local_content == :unauthenticated for remote user nickna
      conn =
        build_conn()
        |> assign(:user, reading_user)
        |> assign(:token, insert(:oauth_token, user: reading_user, scopes: ["read:accounts"]))
        |> get("/api/v1/accounts/#{user.nickname}")
      Pleroma.Config.put([:instance, :limit_to_local_content], limit_to_local)
@ -144,8 +145,9 @@ test "returns 404 for internal.fetch actor", %{conn: conn} do
  end
  describe "user timelines" do
-    test "respects blocks", %{conn: conn} do
+    setup do: oauth_access(["read:statuses"])
-      user_one = insert(:user)
+
    test "respects blocks", %{user: user_one, conn: conn} do
      user_two = insert(:user)
      user_three = insert(:user)
@ -154,46 +156,35 @@ test "respects blocks", %{conn: conn} do
      {:ok, activity} = CommonAPI.post(user_two, %{"status" => "User one sux0rz"})
      {:ok, repeat, _} = CommonAPI.repeat(activity.id, user_three)
-      resp =
+      resp = get(conn, "/api/v1/accounts/#{user_two.id}/statuses")
        conn
        |> get("/api/v1/accounts/#{user_two.id}/statuses")
      assert [%{"id" => id}] = json_response(resp, 200)
      assert id == activity.id
      # Even a blocked user will deliver the full user timeline, there would be
-      # no point in looking at a blocked users timeline otherwise
+      #   no point in looking at a blocked users timeline otherwise
-      resp =
+      resp = get(conn, "/api/v1/accounts/#{user_two.id}/statuses")
        conn
        |> assign(:user, user_one)
        |> get("/api/v1/accounts/#{user_two.id}/statuses")
      assert [%{"id" => id}] = json_response(resp, 200)
      assert id == activity.id
-      resp =
+      # Third user's timeline includes the repeat when viewed by unauthenticated user
-        conn
+      resp = get(build_conn(), "/api/v1/accounts/#{user_three.id}/statuses")
        |> get("/api/v1/accounts/#{user_three.id}/statuses")
      assert [%{"id" => id}] = json_response(resp, 200)
      assert id == repeat.id
-      # When viewing a third user's timeline, the blocked users will NOT be
+      # When viewing a third user's timeline, the blocked users' statuses will NOT be shown
-      # shown.
+      resp = get(conn, "/api/v1/accounts/#{user_three.id}/statuses")
      resp =
        conn
        |> assign(:user, user_one)
        |> get("/api/v1/accounts/#{user_three.id}/statuses")
      assert [] = json_response(resp, 200)
    end
-    test "gets a users statuses", %{conn: conn} do
+    test "gets users statuses", %{conn: conn} do
      user_one = insert(:user)
      user_two = insert(:user)
      user_three = insert(:user)
-      {:ok, user_three} = User.follow(user_three, user_one)
+      {:ok, _user_three} = User.follow(user_three, user_one)
      {:ok, activity} = CommonAPI.post(user_one, %{"status" => "HI!!!"})
@ -206,9 +197,7 @@ test "gets a users statuses", %{conn: conn} do
      {:ok, private_activity} =
        CommonAPI.post(user_one, %{"status" => "private", "visibility" => "private"})
-      resp =
+      resp = get(conn, "/api/v1/accounts/#{user_one.id}/statuses")
        conn
        |> get("/api/v1/accounts/#{user_one.id}/statuses")
      assert [%{"id" => id}] = json_response(resp, 200)
      assert id == to_string(activity.id)
@ -216,6 +205,7 @@ test "gets a users statuses", %{conn: conn} do
      resp =
        conn
        |> assign(:user, user_two)
        |> assign(:token, insert(:oauth_token, user: user_two, scopes: ["read:statuses"]))
        |> get("/api/v1/accounts/#{user_one.id}/statuses")
      assert [%{"id" => id_one}, %{"id" => id_two}] = json_response(resp, 200)
@ -225,6 +215,7 @@ test "gets a users statuses", %{conn: conn} do
      resp =
        conn
        |> assign(:user, user_three)
        |> assign(:token, insert(:oauth_token, user: user_three, scopes: ["read:statuses"]))
        |> get("/api/v1/accounts/#{user_one.id}/statuses")
      assert [%{"id" => id_one}, %{"id" => id_two}] = json_response(resp, 200)
@ -236,9 +227,7 @@ test "unimplemented pinned statuses feature", %{conn: conn} do
      note = insert(:note_activity)
      user = User.get_cached_by_ap_id(note.data["actor"])
-      conn =
+      conn = get(conn, "/api/v1/accounts/#{user.id}/statuses?pinned=true")
        conn
        |> get("/api/v1/accounts/#{user.id}/statuses?pinned=true")
      assert json_response(conn, 200) == []
    end
@ -257,63 +246,51 @@ test "gets an users media", %{conn: conn} do
      {:ok, image_post} = CommonAPI.post(user, %{"status" => "cofe", "media_ids" => [media_id]})
-      conn =
+      conn = get(conn, "/api/v1/accounts/#{user.id}/statuses", %{"only_media" => "true"})
        conn
        |> get("/api/v1/accounts/#{user.id}/statuses", %{"only_media" => "true"})
      assert [%{"id" => id}] = json_response(conn, 200)
      assert id == to_string(image_post.id)
-      conn =
+      conn = get(build_conn(), "/api/v1/accounts/#{user.id}/statuses", %{"only_media" => "1"})
        build_conn()
        |> get("/api/v1/accounts/#{user.id}/statuses", %{"only_media" => "1"})
      assert [%{"id" => id}] = json_response(conn, 200)
      assert id == to_string(image_post.id)
    end
-    test "gets a user's statuses without reblogs", %{conn: conn} do
+    test "gets a user's statuses without reblogs", %{user: user, conn: conn} do
      user = insert(:user)
      {:ok, post} = CommonAPI.post(user, %{"status" => "HI!!!"})
      {:ok, _, _} = CommonAPI.repeat(post.id, user)
-      conn =
+      conn = get(conn, "/api/v1/accounts/#{user.id}/statuses", %{"exclude_reblogs" => "true"})
        conn
        |> get("/api/v1/accounts/#{user.id}/statuses", %{"exclude_reblogs" => "true"})
      assert [%{"id" => id}] = json_response(conn, 200)
      assert id == to_string(post.id)
-      conn =
+      conn = get(conn, "/api/v1/accounts/#{user.id}/statuses", %{"exclude_reblogs" => "1"})
        conn
        |> get("/api/v1/accounts/#{user.id}/statuses", %{"exclude_reblogs" => "1"})
      assert [%{"id" => id}] = json_response(conn, 200)
      assert id == to_string(post.id)
    end
-    test "filters user's statuses by a hashtag", %{conn: conn} do
+    test "filters user's statuses by a hashtag", %{user: user, conn: conn} do
      user = insert(:user)
      {:ok, post} = CommonAPI.post(user, %{"status" => "#hashtag"})
      {:ok, _post} = CommonAPI.post(user, %{"status" => "hashtag"})
-      conn =
+      conn = get(conn, "/api/v1/accounts/#{user.id}/statuses", %{"tagged" => "hashtag"})
        conn
        |> get("/api/v1/accounts/#{user.id}/statuses", %{"tagged" => "hashtag"})
      assert [%{"id" => id}] = json_response(conn, 200)
      assert id == to_string(post.id)
    end
-    test "the user views their own timelines and excludes direct messages", %{conn: conn} do
+    test "the user views their own timelines and excludes direct messages", %{
-      user = insert(:user)
+      user: user,
      conn: conn
    } do
      {:ok, public_activity} = CommonAPI.post(user, %{"status" => ".", "visibility" => "public"})
      {:ok, _direct_activity} = CommonAPI.post(user, %{"status" => ".", "visibility" => "direct"})
      conn =
-        conn
+        get(conn, "/api/v1/accounts/#{user.id}/statuses", %{"exclude_visibilities" => ["direct"]})
        |> assign(:user, user)
        |> get("/api/v1/accounts/#{user.id}/statuses", %{"exclude_visibilities" => ["direct"]})
      assert [%{"id" => id}] = json_response(conn, 200)
      assert id == to_string(public_activity.id)
@ -321,46 +298,42 @@ test "the user views their own timelines and excludes direct messages", %{conn:
  end
  describe "followers" do
-    test "getting followers", %{conn: conn} do
+    setup do: oauth_access(["read:accounts"])
-      user = insert(:user)
+
    test "getting followers", %{user: user, conn: conn} do
      other_user = insert(:user)
      {:ok, user} = User.follow(user, other_user)
-      conn =
+      conn = get(conn, "/api/v1/accounts/#{other_user.id}/followers")
        conn
        |> get("/api/v1/accounts/#{other_user.id}/followers")
      assert [%{"id" => id}] = json_response(conn, 200)
      assert id == to_string(user.id)
    end
-    test "getting followers, hide_followers", %{conn: conn} do
+    test "getting followers, hide_followers", %{user: user, conn: conn} do
      user = insert(:user)
      other_user = insert(:user, hide_followers: true)
      {:ok, _user} = User.follow(user, other_user)
-      conn =
+      conn = get(conn, "/api/v1/accounts/#{other_user.id}/followers")
        conn
        |> get("/api/v1/accounts/#{other_user.id}/followers")
      assert [] == json_response(conn, 200)
    end
-    test "getting followers, hide_followers, same user requesting", %{conn: conn} do
+    test "getting followers, hide_followers, same user requesting" do
      user = insert(:user)
      other_user = insert(:user, hide_followers: true)
      {:ok, _user} = User.follow(user, other_user)
      conn =
-        conn
+        build_conn()
        |> assign(:user, other_user)
        |> assign(:token, insert(:oauth_token, user: other_user, scopes: ["read:accounts"]))
        |> get("/api/v1/accounts/#{other_user.id}/followers")
      refute [] == json_response(conn, 200)
    end
-    test "getting followers, pagination", %{conn: conn} do
+    test "getting followers, pagination", %{user: user, conn: conn} do
      user = insert(:user)
      follower1 = insert(:user)
      follower2 = insert(:user)
      follower3 = insert(:user)
@ -368,29 +341,19 @@ test "getting followers, pagination", %{conn: conn} do
      {:ok, _} = User.follow(follower2, user)
      {:ok, _} = User.follow(follower3, user)
-      conn =
+      res_conn = get(conn, "/api/v1/accounts/#{user.id}/followers?since_id=#{follower1.id}")
        conn
        |> assign(:user, user)
      res_conn =
        conn
        |> get("/api/v1/accounts/#{user.id}/followers?since_id=#{follower1.id}")
      assert [%{"id" => id3}, %{"id" => id2}] = json_response(res_conn, 200)
      assert id3 == follower3.id
      assert id2 == follower2.id
-      res_conn =
+      res_conn = get(conn, "/api/v1/accounts/#{user.id}/followers?max_id=#{follower3.id}")
        conn
        |> get("/api/v1/accounts/#{user.id}/followers?max_id=#{follower3.id}")
      assert [%{"id" => id2}, %{"id" => id1}] = json_response(res_conn, 200)
      assert id2 == follower2.id
      assert id1 == follower1.id
-      res_conn =
+      res_conn = get(conn, "/api/v1/accounts/#{user.id}/followers?limit=1&max_id=#{follower3.id}")
        conn
        |> get("/api/v1/accounts/#{user.id}/followers?limit=1&max_id=#{follower3.id}")
      assert [%{"id" => id2}] = json_response(res_conn, 200)
      assert id2 == follower2.id
@ -402,46 +365,47 @@ test "getting followers, pagination", %{conn: conn} do
  end
  describe "following" do
-    test "getting following", %{conn: conn} do
+    setup do: oauth_access(["read:accounts"])
-      user = insert(:user)
+
    test "getting following", %{user: user, conn: conn} do
      other_user = insert(:user)
      {:ok, user} = User.follow(user, other_user)
-      conn =
+      conn = get(conn, "/api/v1/accounts/#{user.id}/following")
        conn
        |> get("/api/v1/accounts/#{user.id}/following")
      assert [%{"id" => id}] = json_response(conn, 200)
      assert id == to_string(other_user.id)
    end
-    test "getting following, hide_follows", %{conn: conn} do
+    test "getting following, hide_follows, other user requesting" do
      user = insert(:user, hide_follows: true)
      other_user = insert(:user)
      {:ok, user} = User.follow(user, other_user)
      conn =
-        conn
+        build_conn()
        |> assign(:user, other_user)
        |> assign(:token, insert(:oauth_token, user: other_user, scopes: ["read:accounts"]))
        |> get("/api/v1/accounts/#{user.id}/following")
      assert [] == json_response(conn, 200)
    end
-    test "getting following, hide_follows, same user requesting", %{conn: conn} do
+    test "getting following, hide_follows, same user requesting" do
      user = insert(:user, hide_follows: true)
      other_user = insert(:user)
      {:ok, user} = User.follow(user, other_user)
      conn =
-        conn
+        build_conn()
        |> assign(:user, user)
        |> assign(:token, insert(:oauth_token, user: user, scopes: ["read:accounts"]))
        |> get("/api/v1/accounts/#{user.id}/following")
      refute [] == json_response(conn, 200)
    end
-    test "getting following, pagination", %{conn: conn} do
+    test "getting following, pagination", %{user: user, conn: conn} do
      user = insert(:user)
      following1 = insert(:user)
      following2 = insert(:user)
      following3 = insert(:user)
@ -449,29 +413,20 @@ test "getting following, pagination", %{conn: conn} do
      {:ok, _} = User.follow(user, following2)
      {:ok, _} = User.follow(user, following3)
-      conn =
+      res_conn = get(conn, "/api/v1/accounts/#{user.id}/following?since_id=#{following1.id}")
        conn
        |> assign(:user, user)
      res_conn =
        conn
        |> get("/api/v1/accounts/#{user.id}/following?since_id=#{following1.id}")
      assert [%{"id" => id3}, %{"id" => id2}] = json_response(res_conn, 200)
      assert id3 == following3.id
      assert id2 == following2.id
-      res_conn =
+      res_conn = get(conn, "/api/v1/accounts/#{user.id}/following?max_id=#{following3.id}")
        conn
        |> get("/api/v1/accounts/#{user.id}/following?max_id=#{following3.id}")
      assert [%{"id" => id2}, %{"id" => id1}] = json_response(res_conn, 200)
      assert id2 == following2.id
      assert id1 == following1.id
      res_conn =
-        conn
+        get(conn, "/api/v1/accounts/#{user.id}/following?limit=1&max_id=#{following3.id}")
        |> get("/api/v1/accounts/#{user.id}/following?limit=1&max_id=#{following3.id}")
      assert [%{"id" => id2}] = json_response(res_conn, 200)
      assert id2 == following2.id
@ -483,82 +438,52 @@ test "getting following, pagination", %{conn: conn} do
  end
  describe "follow/unfollow" do
    setup do: oauth_access(["follow"])
    test "following / unfollowing a user", %{conn: conn} do
      user = insert(:user)
      other_user = insert(:user)
-      conn =
+      ret_conn = post(conn, "/api/v1/accounts/#{other_user.id}/follow")
        conn
        |> assign(:user, user)
        |> post("/api/v1/accounts/#{other_user.id}/follow")
-      assert %{"id" => _id, "following" => true} = json_response(conn, 200)
+      assert %{"id" => _id, "following" => true} = json_response(ret_conn, 200)
-      user = User.get_cached_by_id(user.id)
+      ret_conn = post(conn, "/api/v1/accounts/#{other_user.id}/unfollow")
-      conn =
+      assert %{"id" => _id, "following" => false} = json_response(ret_conn, 200)
        build_conn()
        |> assign(:user, user)
        |> post("/api/v1/accounts/#{other_user.id}/unfollow")
-      assert %{"id" => _id, "following" => false} = json_response(conn, 200)
+      conn = post(conn, "/api/v1/follows", %{"uri" => other_user.nickname})
      user = User.get_cached_by_id(user.id)
      conn =
        build_conn()
        |> assign(:user, user)
        |> post("/api/v1/follows", %{"uri" => other_user.nickname})
      assert %{"id" => id} = json_response(conn, 200)
      assert id == to_string(other_user.id)
    end
    test "following without reblogs" do
-      follower = insert(:user)
+      %{conn: conn} = oauth_access(["follow", "read:statuses"])
      followed = insert(:user)
      other_user = insert(:user)
-      conn =
+      ret_conn = post(conn, "/api/v1/accounts/#{followed.id}/follow?reblogs=false")
        build_conn()
        |> assign(:user, follower)
        |> post("/api/v1/accounts/#{followed.id}/follow?reblogs=false")
-      assert %{"showing_reblogs" => false} = json_response(conn, 200)
+      assert %{"showing_reblogs" => false} = json_response(ret_conn, 200)
      {:ok, activity} = CommonAPI.post(other_user, %{"status" => "hey"})
      {:ok, reblog, _} = CommonAPI.repeat(activity.id, followed)
-      conn =
+      ret_conn = get(conn, "/api/v1/timelines/home")
        build_conn()
        |> assign(:user, User.get_cached_by_id(follower.id))
        |> get("/api/v1/timelines/home")
-      assert [] == json_response(conn, 200)
+      assert [] == json_response(ret_conn, 200)
-      conn =
+      ret_conn = post(conn, "/api/v1/accounts/#{followed.id}/follow?reblogs=true")
        build_conn()
        |> assign(:user, User.get_cached_by_id(follower.id))
        |> post("/api/v1/accounts/#{followed.id}/follow?reblogs=true")
-      assert %{"showing_reblogs" => true} = json_response(conn, 200)
+      assert %{"showing_reblogs" => true} = json_response(ret_conn, 200)
-      conn =
+      conn = get(conn, "/api/v1/timelines/home")
        build_conn()
        |> assign(:user, User.get_cached_by_id(follower.id))
        |> get("/api/v1/timelines/home")
      expected_activity_id = reblog.id
      assert [%{"id" => ^expected_activity_id}] = json_response(conn, 200)
    end
-    test "following / unfollowing errors" do
+    test "following / unfollowing errors", %{user: user, conn: conn} do
      user = insert(:user)
      conn =
        build_conn()
        |> assign(:user, user)
      # self follow
      conn_res = post(conn, "/api/v1/accounts/#{user.id}/follow")
      assert %{"error" => "Record not found"} = json_response(conn_res, 404)
@ -588,47 +513,34 @@ test "following / unfollowing errors" do
  end
  describe "mute/unmute" do
    setup do: oauth_access(["write:mutes"])
    test "with notifications", %{conn: conn} do
      user = insert(:user)
      other_user = insert(:user)
-      conn =
+      ret_conn = post(conn, "/api/v1/accounts/#{other_user.id}/mute")
        conn
        |> assign(:user, user)
        |> post("/api/v1/accounts/#{other_user.id}/mute")
-      response = json_response(conn, 200)
+      response = json_response(ret_conn, 200)
      assert %{"id" => _id, "muting" => true, "muting_notifications" => true} = response
      user = User.get_cached_by_id(user.id)
-      conn =
+      conn = post(conn, "/api/v1/accounts/#{other_user.id}/unmute")
        build_conn()
        |> assign(:user, user)
        |> post("/api/v1/accounts/#{other_user.id}/unmute")
      response = json_response(conn, 200)
      assert %{"id" => _id, "muting" => false, "muting_notifications" => false} = response
    end
    test "without notifications", %{conn: conn} do
      user = insert(:user)
      other_user = insert(:user)
-      conn =
+      ret_conn =
-        conn
+        post(conn, "/api/v1/accounts/#{other_user.id}/mute", %{"notifications" => "false"})
        |> assign(:user, user)
        |> post("/api/v1/accounts/#{other_user.id}/mute", %{"notifications" => "false"})
-      response = json_response(conn, 200)
+      response = json_response(ret_conn, 200)
      assert %{"id" => _id, "muting" => true, "muting_notifications" => false} = response
      user = User.get_cached_by_id(user.id)
-      conn =
+      conn = post(conn, "/api/v1/accounts/#{other_user.id}/unmute")
        build_conn()
        |> assign(:user, user)
        |> post("/api/v1/accounts/#{other_user.id}/unmute")
      response = json_response(conn, 200)
      assert %{"id" => _id, "muting" => false, "muting_notifications" => false} = response
@ -639,8 +551,9 @@ test "without notifications", %{conn: conn} do
    setup do
      user = insert(:user)
      {:ok, activity} = CommonAPI.post(user, %{"status" => "HI!!!"})
      %{conn: conn} = oauth_access(["read:statuses"], user: user)
-      [user: user, activity: activity]
+      [conn: conn, user: user, activity: activity]
    end
    test "returns pinned statuses", %{conn: conn, user: user, activity: activity} do
@ -648,7 +561,6 @@ test "returns pinned statuses", %{conn: conn, user: user, activity: activity} do
      result =
        conn
        |> assign(:user, user)
        |> get("/api/v1/accounts/#{user.id}/statuses?pinned=true")
        |> json_response(200)
@ -658,23 +570,15 @@ test "returns pinned statuses", %{conn: conn, user: user, activity: activity} do
    end
  end
-  test "blocking / unblocking a user", %{conn: conn} do
+  test "blocking / unblocking a user" do
-    user = insert(:user)
+    %{conn: conn} = oauth_access(["follow"])
    other_user = insert(:user)
-    conn =
+    ret_conn = post(conn, "/api/v1/accounts/#{other_user.id}/block")
      conn
      |> assign(:user, user)
      |> post("/api/v1/accounts/#{other_user.id}/block")
-    assert %{"id" => _id, "blocking" => true} = json_response(conn, 200)
+    assert %{"id" => _id, "blocking" => true} = json_response(ret_conn, 200)
-    user = User.get_cached_by_id(user.id)
+    conn = post(conn, "/api/v1/accounts/#{other_user.id}/unblock")
    conn =
      build_conn()
      |> assign(:user, user)
      |> post("/api/v1/accounts/#{other_user.id}/unblock")
    assert %{"id" => _id, "blocking" => false} = json_response(conn, 200)
  end
@ -693,8 +597,7 @@ test "blocking / unblocking a user", %{conn: conn} do
    test "Account registration via Application", %{conn: conn} do
      conn =
-        conn
+        post(conn, "/api/v1/apps", %{
        |> post("/api/v1/apps", %{
          client_name: "client_name",
          redirect_uris: "urn:ietf:wg:oauth:2.0:oob",
          scopes: "read, write, follow"
@ -711,8 +614,7 @@ test "Account registration via Application", %{conn: conn} do
      } = json_response(conn, 200)
      conn =
-        conn
+        post(conn, "/oauth/token", %{
        |> post("/oauth/token", %{
          grant_type: "client_credentials",
          client_id: client_id,
          client_secret: client_secret
@ -769,13 +671,13 @@ test "rate limit", %{conn: conn} do
      app_token = insert(:oauth_token, user: nil)
      conn =
-        put_req_header(conn, "authorization", "Bearer " <> app_token.token)
+        conn
        |> put_req_header("authorization", "Bearer " <> app_token.token)
        |> Map.put(:remote_ip, {15, 15, 15, 15})
      for i <- 1..5 do
        conn =
-          conn
+          post(conn, "/api/v1/accounts", %{
          |> post("/api/v1/accounts", %{
            username: "#{i}lain",
            email: "#{i}lain@example.org",
            password: "PlzDontHackLain",
@ -798,8 +700,7 @@ test "rate limit", %{conn: conn} do
      end
      conn =
-        conn
+        post(conn, "/api/v1/accounts", %{
        |> post("/api/v1/accounts", %{
          username: "6lain",
          email: "6lain@example.org",
          password: "PlzDontHackLain",
@ -815,9 +716,7 @@ test "returns bad_request if missing required params", %{
    } do
      app_token = insert(:oauth_token, user: nil)
-      conn =
+      conn = put_req_header(conn, "authorization", "Bearer " <> app_token.token)
        conn
        |> put_req_header("authorization", "Bearer " <> app_token.token)
      res = post(conn, "/api/v1/accounts", valid_params)
      assert json_response(res, 200)
@ -836,9 +735,7 @@ test "returns bad_request if missing required params", %{
    end
    test "returns forbidden if token is invalid", %{conn: conn, valid_params: valid_params} do
-      conn =
+      conn = put_req_header(conn, "authorization", "Bearer " <> "invalid-token")
        conn
        |> put_req_header("authorization", "Bearer " <> "invalid-token")
      res = post(conn, "/api/v1/accounts", valid_params)
      assert json_response(res, 403) == %{"error" => "Invalid credentials"}
@ -846,15 +743,14 @@ test "returns forbidden if token is invalid", %{conn: conn, valid_params: valid_
  end
  describe "GET /api/v1/accounts/:id/lists - account_lists" do
-    test "returns lists to which the account belongs", %{conn: conn} do
+    test "returns lists to which the account belongs" do
-      user = insert(:user)
+      %{user: user, conn: conn} = oauth_access(["read:lists"])
      other_user = insert(:user)
      assert {:ok, %Pleroma.List{} = list} = Pleroma.List.create("Test List", user)
      {:ok, %{following: _following}} = Pleroma.List.follow(list, other_user)
      res =
        conn
        |> assign(:user, user)
        |> get("/api/v1/accounts/#{other_user.id}/lists")
        |> json_response(200)
@ -863,13 +759,9 @@ test "returns lists to which the account belongs", %{conn: conn} do
  end
  describe "verify_credentials" do
-    test "verify_credentials", %{conn: conn} do
+    test "verify_credentials" do
-      user = insert(:user)
+      %{user: user, conn: conn} = oauth_access(["read:accounts"])
-
+      conn = get(conn, "/api/v1/accounts/verify_credentials")
      conn =
        conn
        |> assign(:user, user)
        |> get("/api/v1/accounts/verify_credentials")
      response = json_response(conn, 200)
@ -878,25 +770,21 @@ test "verify_credentials", %{conn: conn} do
      assert id == to_string(user.id)
    end
-    test "verify_credentials default scope unlisted", %{conn: conn} do
+    test "verify_credentials default scope unlisted" do
      user = insert(:user, default_scope: "unlisted")
      %{conn: conn} = oauth_access(["read:accounts"], user: user)
-      conn =
+      conn = get(conn, "/api/v1/accounts/verify_credentials")
        conn
        |> assign(:user, user)
        |> get("/api/v1/accounts/verify_credentials")
      assert %{"id" => id, "source" => %{"privacy" => "unlisted"}} = json_response(conn, 200)
      assert id == to_string(user.id)
    end
-    test "locked accounts", %{conn: conn} do
+    test "locked accounts" do
      user = insert(:user, default_scope: "private")
      %{conn: conn} = oauth_access(["read:accounts"], user: user)
-      conn =
+      conn = get(conn, "/api/v1/accounts/verify_credentials")
        conn
        |> assign(:user, user)
        |> get("/api/v1/accounts/verify_credentials")
      assert %{"id" => id, "source" => %{"privacy" => "private"}} = json_response(conn, 200)
      assert id == to_string(user.id)
@ -904,15 +792,13 @@ test "locked accounts", %{conn: conn} do
  end
  describe "user relationships" do
-    test "returns the relationships for the current user", %{conn: conn} do
+    setup do: oauth_access(["read:follows"])
      user = insert(:user)
      other_user = insert(:user)
      {:ok, user} = User.follow(user, other_user)
-      conn =
+    test "returns the relationships for the current user", %{user: user, conn: conn} do
-        conn
+      other_user = insert(:user)
-        |> assign(:user, user)
+      {:ok, _user} = User.follow(user, other_user)
-        |> get("/api/v1/accounts/relationships", %{"id" => [other_user.id]})
+
      conn = get(conn, "/api/v1/accounts/relationships", %{"id" => [other_user.id]})
      assert [relationship] = json_response(conn, 200)
@ -920,34 +806,26 @@ test "returns the relationships for the current user", %{conn: conn} do
    end
    test "returns an empty list on a bad request", %{conn: conn} do
-      user = insert(:user)
+      conn = get(conn, "/api/v1/accounts/relationships", %{})
      conn =
        conn
        |> assign(:user, user)
        |> get("/api/v1/accounts/relationships", %{})
      assert [] = json_response(conn, 200)
    end
  end
-  test "getting a list of mutes", %{conn: conn} do
+  test "getting a list of mutes" do
-    user = insert(:user)
+    %{user: user, conn: conn} = oauth_access(["read:mutes"])
    other_user = insert(:user)
    {:ok, _user_relationships} = User.mute(user, other_user)
-    conn =
+    conn = get(conn, "/api/v1/mutes")
      conn
      |> assign(:user, user)
      |> get("/api/v1/mutes")
    other_user_id = to_string(other_user.id)
    assert [%{"id" => ^other_user_id}] = json_response(conn, 200)
  end
-  test "getting a list of blocks", %{conn: conn} do
+  test "getting a list of blocks" do
-    user = insert(:user)
+    %{user: user, conn: conn} = oauth_access(["read:blocks"])
    other_user = insert(:user)
    {:ok, _user_relationship} = User.block(user, other_user)
--- a/test/web/mastodon_api/controllers/conversation_controller_test.exs
+++ b/test/web/mastodon_api/controllers/conversation_controller_test.exs
@ -10,8 +10,9 @@ defmodule Pleroma.Web.MastodonAPI.ConversationControllerTest do
  import Pleroma.Factory
-  test "returns a list of conversations", %{conn: conn} do
+  setup do: oauth_access(["read:statuses"])
-    user_one = insert(:user)
+
  test "returns a list of conversations", %{user: user_one, conn: conn} do
    user_two = insert(:user)
    user_three = insert(:user)
@ -33,10 +34,7 @@ test "returns a list of conversations", %{conn: conn} do
        "visibility" => "private"
      })
-    res_conn =
+    res_conn = get(conn, "/api/v1/conversations")
      conn
      |> assign(:user, user_one)
      |> get("/api/v1/conversations")
    assert response = json_response(res_conn, 200)
@ -59,8 +57,7 @@ test "returns a list of conversations", %{conn: conn} do
    assert User.get_cached_by_id(user_one.id).unread_conversation_count == 0
  end
-  test "filters conversations by recipients", %{conn: conn} do
+  test "filters conversations by recipients", %{user: user_one, conn: conn} do
    user_one = insert(:user)
    user_two = insert(:user)
    user_three = insert(:user)
@ -96,7 +93,6 @@ test "filters conversations by recipients", %{conn: conn} do
    [conversation1, conversation2] =
      conn
      |> assign(:user, user_one)
      |> get("/api/v1/conversations", %{"recipients" => [user_two.id]})
      |> json_response(200)
@ -105,15 +101,13 @@ test "filters conversations by recipients", %{conn: conn} do
    [conversation1] =
      conn
      |> assign(:user, user_one)
      |> get("/api/v1/conversations", %{"recipients" => [user_two.id, user_three.id]})
      |> json_response(200)
    assert conversation1["last_status"]["id"] == direct3.id
  end
-  test "updates the last_status on reply", %{conn: conn} do
+  test "updates the last_status on reply", %{user: user_one, conn: conn} do
    user_one = insert(:user)
    user_two = insert(:user)
    {:ok, direct} =
@ -131,15 +125,13 @@ test "updates the last_status on reply", %{conn: conn} do
    [%{"last_status" => res_last_status}] =
      conn
      |> assign(:user, user_one)
      |> get("/api/v1/conversations")
      |> json_response(200)
    assert res_last_status["id"] == direct_reply.id
  end
-  test "the user marks a conversation as read", %{conn: conn} do
+  test "the user marks a conversation as read", %{user: user_one, conn: conn} do
    user_one = insert(:user)
    user_two = insert(:user)
    {:ok, direct} =
@ -151,15 +143,21 @@ test "the user marks a conversation as read", %{conn: conn} do
    assert User.get_cached_by_id(user_one.id).unread_conversation_count == 0
    assert User.get_cached_by_id(user_two.id).unread_conversation_count == 1
-    [%{"id" => direct_conversation_id, "unread" => true}] =
+    user_two_conn =
-      conn
+      build_conn()
      |> assign(:user, user_two)
      |> assign(
        :token,
        insert(:oauth_token, user: user_two, scopes: ["read:statuses", "write:conversations"])
      )
    [%{"id" => direct_conversation_id, "unread" => true}] =
      user_two_conn
      |> get("/api/v1/conversations")
      |> json_response(200)
    %{"unread" => false} =
-      conn
+      user_two_conn
      |> assign(:user, user_two)
      |> post("/api/v1/conversations/#{direct_conversation_id}/read")
      |> json_response(200)
@ -176,7 +174,6 @@ test "the user marks a conversation as read", %{conn: conn} do
    [%{"unread" => true}] =
      conn
      |> assign(:user, user_one)
      |> get("/api/v1/conversations")
      |> json_response(200)
@ -195,8 +192,7 @@ test "the user marks a conversation as read", %{conn: conn} do
    assert User.get_cached_by_id(user_two.id).unread_conversation_count == 0
  end
-  test "(vanilla) Mastodon frontend behaviour", %{conn: conn} do
+  test "(vanilla) Mastodon frontend behaviour", %{user: user_one, conn: conn} do
    user_one = insert(:user)
    user_two = insert(:user)
    {:ok, direct} =
@ -205,10 +201,7 @@ test "(vanilla) Mastodon frontend behaviour", %{conn: conn} do
        "visibility" => "direct"
      })
-    res_conn =
+    res_conn = get(conn, "/api/v1/statuses/#{direct.id}/context")
      conn
      |> assign(:user, user_one)
      |> get("/api/v1/statuses/#{direct.id}/context")
    assert %{"ancestors" => [], "descendants" => []} == json_response(res_conn, 200)
  end
--- a/test/web/mastodon_api/controllers/domain_block_controller_test.exs
+++ b/test/web/mastodon_api/controllers/domain_block_controller_test.exs
@ -9,31 +9,25 @@ defmodule Pleroma.Web.MastodonAPI.DomainBlockControllerTest do
  import Pleroma.Factory
-  test "blocking / unblocking a domain", %{conn: conn} do
+  test "blocking / unblocking a domain" do
-    user = insert(:user)
+    %{user: user, conn: conn} = oauth_access(["write:blocks"])
    other_user = insert(:user, %{ap_id: "https://dogwhistle.zone/@pundit"})
-    conn =
+    ret_conn = post(conn, "/api/v1/domain_blocks", %{"domain" => "dogwhistle.zone"})
      conn
      |> assign(:user, user)
      |> post("/api/v1/domain_blocks", %{"domain" => "dogwhistle.zone"})
-    assert %{} = json_response(conn, 200)
+    assert %{} = json_response(ret_conn, 200)
    user = User.get_cached_by_ap_id(user.ap_id)
    assert User.blocks?(user, other_user)
-    conn =
+    ret_conn = delete(conn, "/api/v1/domain_blocks", %{"domain" => "dogwhistle.zone"})
      build_conn()
      |> assign(:user, user)
      |> delete("/api/v1/domain_blocks", %{"domain" => "dogwhistle.zone"})
-    assert %{} = json_response(conn, 200)
+    assert %{} = json_response(ret_conn, 200)
    user = User.get_cached_by_ap_id(user.ap_id)
    refute User.blocks?(user, other_user)
  end
-  test "getting a list of domain blocks", %{conn: conn} do
+  test "getting a list of domain blocks" do
-    user = insert(:user)
+    %{user: user, conn: conn} = oauth_access(["read:blocks"])
    {:ok, user} = User.block_domain(user, "bad.site")
    {:ok, user} = User.block_domain(user, "even.worse.site")
--- a/test/web/mastodon_api/controllers/filter_controller_test.exs
+++ b/test/web/mastodon_api/controllers/filter_controller_test.exs
@ -7,20 +7,15 @@ defmodule Pleroma.Web.MastodonAPI.FilterControllerTest do
  alias Pleroma.Web.MastodonAPI.FilterView
-  import Pleroma.Factory
+  test "creating a filter" do
-
+    %{conn: conn} = oauth_access(["write:filters"])
  test "creating a filter", %{conn: conn} do
    user = insert(:user)
    filter = %Pleroma.Filter{
      phrase: "knights",
      context: ["home"]
    }
-    conn =
+    conn = post(conn, "/api/v1/filters", %{"phrase" => filter.phrase, context: filter.context})
      conn
      |> assign(:user, user)
      |> post("/api/v1/filters", %{"phrase" => filter.phrase, context: filter.context})
    assert response = json_response(conn, 200)
    assert response["phrase"] == filter.phrase
@ -30,8 +25,8 @@ test "creating a filter", %{conn: conn} do
    assert response["id"] != ""
  end
-  test "fetching a list of filters", %{conn: conn} do
+  test "fetching a list of filters" do
-    user = insert(:user)
+    %{user: user, conn: conn} = oauth_access(["read:filters"])
    query_one = %Pleroma.Filter{
      user_id: user.id,
@ -52,7 +47,6 @@ test "fetching a list of filters", %{conn: conn} do
    response =
      conn
      |> assign(:user, user)
      |> get("/api/v1/filters")
      |> json_response(200)
@ -64,8 +58,8 @@ test "fetching a list of filters", %{conn: conn} do
             )
  end
-  test "get a filter", %{conn: conn} do
+  test "get a filter" do
-    user = insert(:user)
+    %{user: user, conn: conn} = oauth_access(["read:filters"])
    query = %Pleroma.Filter{
      user_id: user.id,
@ -76,16 +70,13 @@ test "get a filter", %{conn: conn} do
    {:ok, filter} = Pleroma.Filter.create(query)
-    conn =
+    conn = get(conn, "/api/v1/filters/#{filter.filter_id}")
      conn
      |> assign(:user, user)
      |> get("/api/v1/filters/#{filter.filter_id}")
    assert _response = json_response(conn, 200)
  end
-  test "update a filter", %{conn: conn} do
+  test "update a filter" do
-    user = insert(:user)
+    %{user: user, conn: conn} = oauth_access(["write:filters"])
    query = %Pleroma.Filter{
      user_id: user.id,
@ -102,9 +93,7 @@ test "update a filter", %{conn: conn} do
    }
    conn =
-      conn
+      put(conn, "/api/v1/filters/#{query.filter_id}", %{
      |> assign(:user, user)
      |> put("/api/v1/filters/#{query.filter_id}", %{
        phrase: new.phrase,
        context: new.context
      })
@ -114,8 +103,8 @@ test "update a filter", %{conn: conn} do
    assert response["context"] == new.context
  end
-  test "delete a filter", %{conn: conn} do
+  test "delete a filter" do
-    user = insert(:user)
+    %{user: user, conn: conn} = oauth_access(["write:filters"])
    query = %Pleroma.Filter{
      user_id: user.id,
@ -126,10 +115,7 @@ test "delete a filter", %{conn: conn} do
    {:ok, filter} = Pleroma.Filter.create(query)
-    conn =
+    conn = delete(conn, "/api/v1/filters/#{filter.filter_id}")
      conn
      |> assign(:user, user)
      |> delete("/api/v1/filters/#{filter.filter_id}")
    assert response = json_response(conn, 200)
    assert response == %{}
--- a/test/web/mastodon_api/controllers/follow_request_controller_test.exs
+++ b/test/web/mastodon_api/controllers/follow_request_controller_test.exs
@ -11,8 +11,13 @@ defmodule Pleroma.Web.MastodonAPI.FollowRequestControllerTest do
  import Pleroma.Factory
  describe "locked accounts" do
-    test "/api/v1/follow_requests works" do
+    setup do
      user = insert(:user, locked: true)
      %{conn: conn} = oauth_access(["follow"], user: user)
      %{user: user, conn: conn}
    end
    test "/api/v1/follow_requests works", %{user: user, conn: conn} do
      other_user = insert(:user)
      {:ok, _activity} = ActivityPub.follow(other_user, user)
@ -20,17 +25,13 @@ test "/api/v1/follow_requests works" do
      assert User.following?(other_user, user) == false
-      conn =
+      conn = get(conn, "/api/v1/follow_requests")
        build_conn()
        |> assign(:user, user)
        |> get("/api/v1/follow_requests")
      assert [relationship] = json_response(conn, 200)
      assert to_string(other_user.id) == relationship["id"]
    end
-    test "/api/v1/follow_requests/:id/authorize works" do
+    test "/api/v1/follow_requests/:id/authorize works", %{user: user, conn: conn} do
      user = insert(:user, locked: true)
      other_user = insert(:user)
      {:ok, _activity} = ActivityPub.follow(other_user, user)
@ -41,10 +42,7 @@ test "/api/v1/follow_requests/:id/authorize works" do
      assert User.following?(other_user, user) == false
-      conn =
+      conn = post(conn, "/api/v1/follow_requests/#{other_user.id}/authorize")
        build_conn()
        |> assign(:user, user)
        |> post("/api/v1/follow_requests/#{other_user.id}/authorize")
      assert relationship = json_response(conn, 200)
      assert to_string(other_user.id) == relationship["id"]
@ -55,18 +53,14 @@ test "/api/v1/follow_requests/:id/authorize works" do
      assert User.following?(other_user, user) == true
    end
-    test "/api/v1/follow_requests/:id/reject works" do
+    test "/api/v1/follow_requests/:id/reject works", %{user: user, conn: conn} do
      user = insert(:user, locked: true)
      other_user = insert(:user)
      {:ok, _activity} = ActivityPub.follow(other_user, user)
      user = User.get_cached_by_id(user.id)
-      conn =
+      conn = post(conn, "/api/v1/follow_requests/#{other_user.id}/reject")
        build_conn()
        |> assign(:user, user)
        |> post("/api/v1/follow_requests/#{other_user.id}/reject")
      assert relationship = json_response(conn, 200)
      assert to_string(other_user.id) == relationship["id"]
--- a/test/web/mastodon_api/controllers/list_controller_test.exs
+++ b/test/web/mastodon_api/controllers/list_controller_test.exs
@ -9,44 +9,35 @@ defmodule Pleroma.Web.MastodonAPI.ListControllerTest do
  import Pleroma.Factory
-  test "creating a list", %{conn: conn} do
+  test "creating a list" do
-    user = insert(:user)
+    %{conn: conn} = oauth_access(["write:lists"])
-    conn =
+    conn = post(conn, "/api/v1/lists", %{"title" => "cuties"})
      conn
      |> assign(:user, user)
      |> post("/api/v1/lists", %{"title" => "cuties"})
    assert %{"title" => title} = json_response(conn, 200)
    assert title == "cuties"
  end
-  test "renders error for invalid params", %{conn: conn} do
+  test "renders error for invalid params" do
-    user = insert(:user)
+    %{conn: conn} = oauth_access(["write:lists"])
-    conn =
+    conn = post(conn, "/api/v1/lists", %{"title" => nil})
      conn
      |> assign(:user, user)
      |> post("/api/v1/lists", %{"title" => nil})
    assert %{"error" => "can't be blank"} == json_response(conn, :unprocessable_entity)
  end
-  test "listing a user's lists", %{conn: conn} do
+  test "listing a user's lists" do
-    user = insert(:user)
+    %{conn: conn} = oauth_access(["read:lists", "write:lists"])
    conn
    |> assign(:user, user)
    |> post("/api/v1/lists", %{"title" => "cuties"})
    |> json_response(:ok)
    conn
    |> assign(:user, user)
    |> post("/api/v1/lists", %{"title" => "cofe"})
    |> json_response(:ok)
-    conn =
+    conn = get(conn, "/api/v1/lists")
      conn
      |> assign(:user, user)
      |> get("/api/v1/lists")
    assert [
             %{"id" => _, "title" => "cofe"},
@ -54,41 +45,35 @@ test "listing a user's lists", %{conn: conn} do
           ] = json_response(conn, :ok)
  end
-  test "adding users to a list", %{conn: conn} do
+  test "adding users to a list" do
-    user = insert(:user)
+    %{user: user, conn: conn} = oauth_access(["write:lists"])
    other_user = insert(:user)
    {:ok, list} = Pleroma.List.create("name", user)
-    conn =
+    conn = post(conn, "/api/v1/lists/#{list.id}/accounts", %{"account_ids" => [other_user.id]})
      conn
      |> assign(:user, user)
      |> post("/api/v1/lists/#{list.id}/accounts", %{"account_ids" => [other_user.id]})
    assert %{} == json_response(conn, 200)
    %Pleroma.List{following: following} = Pleroma.List.get(list.id, user)
    assert following == [other_user.follower_address]
  end
-  test "removing users from a list", %{conn: conn} do
+  test "removing users from a list" do
-    user = insert(:user)
+    %{user: user, conn: conn} = oauth_access(["write:lists"])
    other_user = insert(:user)
    third_user = insert(:user)
    {:ok, list} = Pleroma.List.create("name", user)
    {:ok, list} = Pleroma.List.follow(list, other_user)
    {:ok, list} = Pleroma.List.follow(list, third_user)
-    conn =
+    conn = delete(conn, "/api/v1/lists/#{list.id}/accounts", %{"account_ids" => [other_user.id]})
      conn
      |> assign(:user, user)
      |> delete("/api/v1/lists/#{list.id}/accounts", %{"account_ids" => [other_user.id]})
    assert %{} == json_response(conn, 200)
    %Pleroma.List{following: following} = Pleroma.List.get(list.id, user)
    assert following == [third_user.follower_address]
  end
-  test "listing users in a list", %{conn: conn} do
+  test "listing users in a list" do
-    user = insert(:user)
+    %{user: user, conn: conn} = oauth_access(["read:lists"])
    other_user = insert(:user)
    {:ok, list} = Pleroma.List.create("name", user)
    {:ok, list} = Pleroma.List.follow(list, other_user)
@ -102,8 +87,8 @@ test "listing users in a list", %{conn: conn} do
    assert id == to_string(other_user.id)
  end
-  test "retrieving a list", %{conn: conn} do
+  test "retrieving a list" do
-    user = insert(:user)
+    %{user: user, conn: conn} = oauth_access(["read:lists"])
    {:ok, list} = Pleroma.List.create("name", user)
    conn =
@ -115,32 +100,26 @@ test "retrieving a list", %{conn: conn} do
    assert id == to_string(list.id)
  end
-  test "renders 404 if list is not found", %{conn: conn} do
+  test "renders 404 if list is not found" do
-    user = insert(:user)
+    %{conn: conn} = oauth_access(["read:lists"])
-    conn =
+    conn = get(conn, "/api/v1/lists/666")
      conn
      |> assign(:user, user)
      |> get("/api/v1/lists/666")
    assert %{"error" => "List not found"} = json_response(conn, :not_found)
  end
-  test "renaming a list", %{conn: conn} do
+  test "renaming a list" do
-    user = insert(:user)
+    %{user: user, conn: conn} = oauth_access(["write:lists"])
    {:ok, list} = Pleroma.List.create("name", user)
-    conn =
+    conn = put(conn, "/api/v1/lists/#{list.id}", %{"title" => "newname"})
      conn
      |> assign(:user, user)
      |> put("/api/v1/lists/#{list.id}", %{"title" => "newname"})
    assert %{"title" => name} = json_response(conn, 200)
    assert name == "newname"
  end
-  test "validates title when renaming a list", %{conn: conn} do
+  test "validates title when renaming a list" do
-    user = insert(:user)
+    %{user: user, conn: conn} = oauth_access(["write:lists"])
    {:ok, list} = Pleroma.List.create("name", user)
    conn =
@ -151,14 +130,11 @@ test "validates title when renaming a list", %{conn: conn} do
    assert %{"error" => "can't be blank"} == json_response(conn, :unprocessable_entity)
  end
-  test "deleting a list", %{conn: conn} do
+  test "deleting a list" do
-    user = insert(:user)
+    %{user: user, conn: conn} = oauth_access(["write:lists"])
    {:ok, list} = Pleroma.List.create("name", user)
-    conn =
+    conn = delete(conn, "/api/v1/lists/#{list.id}")
      conn
      |> assign(:user, user)
      |> delete("/api/v1/lists/#{list.id}")
    assert %{} = json_response(conn, 200)
    assert is_nil(Repo.get(Pleroma.List, list.id))
--- a/test/web/mastodon_api/controllers/media_controller_test.exs
+++ b/test/web/mastodon_api/controllers/media_controller_test.exs
@ -9,23 +9,17 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
  alias Pleroma.User
  alias Pleroma.Web.ActivityPub.ActivityPub
-  import Pleroma.Factory
+  setup do: oauth_access(["write:media"])
  describe "media upload" do
    setup do
      user = insert(:user)
      conn =
        build_conn()
        |> assign(:user, user)
      image = %Plug.Upload{
        content_type: "image/jpg",
        path: Path.absname("test/fixtures/image.jpg"),
        filename: "an_image.jpg"
      }
-      [conn: conn, image: image]
+      [image: image]
    end
    clear_config([:media_proxy])
@ -49,9 +43,7 @@ test "returns uploaded image", %{conn: conn, image: image} do
  end
  describe "PUT /api/v1/media/:id" do
-    setup do
+    setup %{user: actor} do
      actor = insert(:user)
      file = %Plug.Upload{
        content_type: "image/jpg",
        path: Path.absname("test/fixtures/image.jpg"),
@ -65,13 +57,12 @@ test "returns uploaded image", %{conn: conn, image: image} do
          description: "test-m"
        )
-      [actor: actor, object: object]
+      [object: object]
    end
-    test "updates name of media", %{conn: conn, actor: actor, object: object} do
+    test "updates name of media", %{conn: conn, object: object} do
      media =
        conn
        |> assign(:user, actor)
        |> put("/api/v1/media/#{object.id}", %{"description" => "test-media"})
        |> json_response(:ok)
@ -79,10 +70,9 @@ test "updates name of media", %{conn: conn, actor: actor, object: object} do
      assert refresh_record(object).data["name"] == "test-media"
    end
-    test "returns error wheb request is bad", %{conn: conn, actor: actor, object: object} do
+    test "returns error when request is bad", %{conn: conn, object: object} do
      media =
        conn
        |> assign(:user, actor)
        |> put("/api/v1/media/#{object.id}", %{})
        |> json_response(400)
--- a/test/web/mastodon_api/controllers/notification_controller_test.exs
+++ b/test/web/mastodon_api/controllers/notification_controller_test.exs
@ -12,8 +12,8 @@ defmodule Pleroma.Web.MastodonAPI.NotificationControllerTest do
  import Pleroma.Factory
-  test "list of notifications", %{conn: conn} do
+  test "list of notifications" do
-    user = insert(:user)
+    %{user: user, conn: conn} = oauth_access(["read:notifications"])
    other_user = insert(:user)
    {:ok, activity} = CommonAPI.post(other_user, %{"status" => "hi @#{user.nickname}"})
@ -34,18 +34,15 @@ test "list of notifications", %{conn: conn} do
    assert response == expected_response
  end
-  test "getting a single notification", %{conn: conn} do
+  test "getting a single notification" do
-    user = insert(:user)
+    %{user: user, conn: conn} = oauth_access(["read:notifications"])
    other_user = insert(:user)
    {:ok, activity} = CommonAPI.post(other_user, %{"status" => "hi @#{user.nickname}"})
    {:ok, [notification]} = Notification.create_notifications(activity)
-    conn =
+    conn = get(conn, "/api/v1/notifications/#{notification.id}")
      conn
      |> assign(:user, user)
      |> get("/api/v1/notifications/#{notification.id}")
    expected_response =
      "hi <span class=\"h-card\"><a data-user=\"#{user.id}\" class=\"u-url mention\" href=\"#{
@ -56,8 +53,8 @@ test "getting a single notification", %{conn: conn} do
    assert response == expected_response
  end
-  test "dismissing a single notification", %{conn: conn} do
+  test "dismissing a single notification" do
-    user = insert(:user)
+    %{user: user, conn: conn} = oauth_access(["write:notifications"])
    other_user = insert(:user)
    {:ok, activity} = CommonAPI.post(other_user, %{"status" => "hi @#{user.nickname}"})
@ -72,32 +69,26 @@ test "dismissing a single notification", %{conn: conn} do
    assert %{} = json_response(conn, 200)
  end
-  test "clearing all notifications", %{conn: conn} do
+  test "clearing all notifications" do
-    user = insert(:user)
+    %{user: user, conn: conn} = oauth_access(["write:notifications", "read:notifications"])
    other_user = insert(:user)
    {:ok, activity} = CommonAPI.post(other_user, %{"status" => "hi @#{user.nickname}"})
    {:ok, [_notification]} = Notification.create_notifications(activity)
-    conn =
+    ret_conn = post(conn, "/api/v1/notifications/clear")
      conn
      |> assign(:user, user)
      |> post("/api/v1/notifications/clear")
-    assert %{} = json_response(conn, 200)
+    assert %{} = json_response(ret_conn, 200)
-    conn =
+    ret_conn = get(conn, "/api/v1/notifications")
      build_conn()
      |> assign(:user, user)
      |> get("/api/v1/notifications")
-    assert all = json_response(conn, 200)
+    assert all = json_response(ret_conn, 200)
    assert all == []
  end
-  test "paginates notifications using min_id, since_id, max_id, and limit", %{conn: conn} do
+  test "paginates notifications using min_id, since_id, max_id, and limit" do
-    user = insert(:user)
+    %{user: user, conn: conn} = oauth_access(["read:notifications"])
    other_user = insert(:user)
    {:ok, activity1} = CommonAPI.post(other_user, %{"status" => "hi @#{user.nickname}"})
@ -138,8 +129,8 @@ test "paginates notifications using min_id, since_id, max_id, and limit", %{conn
  end
  describe "exclude_visibilities" do
-    test "filters notifications for mentions", %{conn: conn} do
+    test "filters notifications for mentions" do
-      user = insert(:user)
+      %{user: user, conn: conn} = oauth_access(["read:notifications"])
      other_user = insert(:user)
      {:ok, public_activity} =
@ -154,8 +145,6 @@ test "filters notifications for mentions", %{conn: conn} do
      {:ok, private_activity} =
        CommonAPI.post(other_user, %{"status" => "@#{user.nickname}", "visibility" => "private"})
      conn = assign(conn, :user, user)
      conn_res =
        get(conn, "/api/v1/notifications", %{
          exclude_visibilities: ["public", "unlisted", "private"]
@ -189,9 +178,9 @@ test "filters notifications for mentions", %{conn: conn} do
      assert id == public_activity.id
    end
-    test "filters notifications for Like activities", %{conn: conn} do
+    test "filters notifications for Like activities" do
      user = insert(:user)
-      other_user = insert(:user)
+      %{user: other_user, conn: conn} = oauth_access(["read:notifications"])
      {:ok, public_activity} =
        CommonAPI.post(other_user, %{"status" => ".", "visibility" => "public"})
@ -212,7 +201,6 @@ test "filters notifications for Like activities", %{conn: conn} do
      activity_ids =
        conn
        |> assign(:user, other_user)
        |> get("/api/v1/notifications", %{exclude_visibilities: ["direct"]})
        |> json_response(200)
        |> Enum.map(& &1["status"]["id"])
@ -224,7 +212,6 @@ test "filters notifications for Like activities", %{conn: conn} do
      activity_ids =
        conn
        |> assign(:user, other_user)
        |> get("/api/v1/notifications", %{exclude_visibilities: ["unlisted"]})
        |> json_response(200)
        |> Enum.map(& &1["status"]["id"])
@ -236,7 +223,6 @@ test "filters notifications for Like activities", %{conn: conn} do
      activity_ids =
        conn
        |> assign(:user, other_user)
        |> get("/api/v1/notifications", %{exclude_visibilities: ["private"]})
        |> json_response(200)
        |> Enum.map(& &1["status"]["id"])
@ -248,7 +234,6 @@ test "filters notifications for Like activities", %{conn: conn} do
      activity_ids =
        conn
        |> assign(:user, other_user)
        |> get("/api/v1/notifications", %{exclude_visibilities: ["public"]})
        |> json_response(200)
        |> Enum.map(& &1["status"]["id"])
@ -259,9 +244,9 @@ test "filters notifications for Like activities", %{conn: conn} do
      assert direct_activity.id in activity_ids
    end
-    test "filters notifications for Announce activities", %{conn: conn} do
+    test "filters notifications for Announce activities" do
      user = insert(:user)
-      other_user = insert(:user)
+      %{user: other_user, conn: conn} = oauth_access(["read:notifications"])
      {:ok, public_activity} =
        CommonAPI.post(other_user, %{"status" => ".", "visibility" => "public"})
@ -274,7 +259,6 @@ test "filters notifications for Announce activities", %{conn: conn} do
      activity_ids =
        conn
        |> assign(:user, other_user)
        |> get("/api/v1/notifications", %{exclude_visibilities: ["unlisted"]})
        |> json_response(200)
        |> Enum.map(& &1["status"]["id"])
@ -284,8 +268,8 @@ test "filters notifications for Announce activities", %{conn: conn} do
    end
  end
-  test "filters notifications using exclude_types", %{conn: conn} do
+  test "filters notifications using exclude_types" do
-    user = insert(:user)
+    %{user: user, conn: conn} = oauth_access(["read:notifications"])
    other_user = insert(:user)
    {:ok, mention_activity} = CommonAPI.post(other_user, %{"status" => "hey @#{user.nickname}"})
@ -299,8 +283,6 @@ test "filters notifications using exclude_types", %{conn: conn} do
    reblog_notification_id = get_notification_id_by_activity(reblog_activity)
    follow_notification_id = get_notification_id_by_activity(follow_activity)
    conn = assign(conn, :user, user)
    conn_res =
      get(conn, "/api/v1/notifications", %{exclude_types: ["mention", "favourite", "reblog"]})
@ -322,8 +304,8 @@ test "filters notifications using exclude_types", %{conn: conn} do
    assert [%{"id" => ^reblog_notification_id}] = json_response(conn_res, 200)
  end
-  test "destroy multiple", %{conn: conn} do
+  test "destroy multiple" do
-    user = insert(:user)
+    %{user: user, conn: conn} = oauth_access(["read:notifications", "write:notifications"])
    other_user = insert(:user)
    {:ok, activity1} = CommonAPI.post(other_user, %{"status" => "hi @#{user.nickname}"})
@ -336,8 +318,6 @@ test "destroy multiple", %{conn: conn} do
    notification3_id = get_notification_id_by_activity(activity3)
    notification4_id = get_notification_id_by_activity(activity4)
    conn = assign(conn, :user, user)
    result =
      conn
      |> get("/api/v1/notifications")
@ -348,6 +328,7 @@ test "destroy multiple", %{conn: conn} do
    conn2 =
      conn
      |> assign(:user, other_user)
      |> assign(:token, insert(:oauth_token, user: other_user, scopes: ["read:notifications"]))
    result =
      conn2
@ -372,97 +353,110 @@ test "destroy multiple", %{conn: conn} do
    assert [%{"id" => ^notification4_id}, %{"id" => ^notification3_id}] = result
  end
-  test "doesn't see notifications after muting user with notifications", %{conn: conn} do
+  test "doesn't see notifications after muting user with notifications" do
-    user = insert(:user)
+    %{user: user, conn: conn} = oauth_access(["read:notifications"])
    user2 = insert(:user)
    {:ok, _, _, _} = CommonAPI.follow(user, user2)
    {:ok, _} = CommonAPI.post(user2, %{"status" => "hey @#{user.nickname}"})
-    conn = assign(conn, :user, user)
+    ret_conn = get(conn, "/api/v1/notifications")
-    conn = get(conn, "/api/v1/notifications")
+    assert length(json_response(ret_conn, 200)) == 1
    assert length(json_response(conn, 200)) == 1
    {:ok, _user_relationships} = User.mute(user, user2)
    conn = assign(build_conn(), :user, user)
    conn = get(conn, "/api/v1/notifications")
    assert json_response(conn, 200) == []
  end
-  test "see notifications after muting user without notifications", %{conn: conn} do
+  test "see notifications after muting user without notifications" do
-    user = insert(:user)
+    %{user: user, conn: conn} = oauth_access(["read:notifications"])
    user2 = insert(:user)
    {:ok, _, _, _} = CommonAPI.follow(user, user2)
    {:ok, _} = CommonAPI.post(user2, %{"status" => "hey @#{user.nickname}"})
-    conn = assign(conn, :user, user)
+    ret_conn = get(conn, "/api/v1/notifications")
-    conn = get(conn, "/api/v1/notifications")
+    assert length(json_response(ret_conn, 200)) == 1
    assert length(json_response(conn, 200)) == 1
    {:ok, _user_relationships} = User.mute(user, user2, false)
    conn = assign(build_conn(), :user, user)
    conn = get(conn, "/api/v1/notifications")
    assert length(json_response(conn, 200)) == 1
  end
-  test "see notifications after muting user with notifications and with_muted parameter", %{
+  test "see notifications after muting user with notifications and with_muted parameter" do
-    conn: conn
+    %{user: user, conn: conn} = oauth_access(["read:notifications"])
  } do
    user = insert(:user)
    user2 = insert(:user)
    {:ok, _, _, _} = CommonAPI.follow(user, user2)
    {:ok, _} = CommonAPI.post(user2, %{"status" => "hey @#{user.nickname}"})
-    conn = assign(conn, :user, user)
+    ret_conn = get(conn, "/api/v1/notifications")
-    conn = get(conn, "/api/v1/notifications")
+    assert length(json_response(ret_conn, 200)) == 1
    assert length(json_response(conn, 200)) == 1
    {:ok, _user_relationships} = User.mute(user, user2)
    conn = assign(build_conn(), :user, user)
    conn = get(conn, "/api/v1/notifications", %{"with_muted" => "true"})
    assert length(json_response(conn, 200)) == 1
  end
-  test "see move notifications with `with_move` parameter", %{
+  test "see move notifications with `with_move` parameter" do
    conn: conn
  } do
    old_user = insert(:user)
    new_user = insert(:user, also_known_as: [old_user.ap_id])
-    follower = insert(:user)
+    %{user: follower, conn: conn} = oauth_access(["read:notifications"])
    User.follow(follower, old_user)
    Pleroma.Web.ActivityPub.ActivityPub.move(old_user, new_user)
    Pleroma.Tests.ObanHelpers.perform_all()
-    conn =
+    ret_conn = get(conn, "/api/v1/notifications")
      conn
      |> assign(:user, follower)
      |> get("/api/v1/notifications")
-    assert json_response(conn, 200) == []
+    assert json_response(ret_conn, 200) == []
-    conn =
+    conn = get(conn, "/api/v1/notifications", %{"with_move" => "true"})
      build_conn()
      |> assign(:user, follower)
      |> get("/api/v1/notifications", %{"with_move" => "true"})
    assert length(json_response(conn, 200)) == 1
  end
  describe "link headers" do
    test "preserves parameters in link headers" do
      %{user: user, conn: conn} = oauth_access(["read:notifications"])
      other_user = insert(:user)
      {:ok, activity1} =
        CommonAPI.post(other_user, %{
          "status" => "hi @#{user.nickname}",
          "visibility" => "public"
        })
      {:ok, activity2} =
        CommonAPI.post(other_user, %{
          "status" => "hi @#{user.nickname}",
          "visibility" => "public"
        })
      notification1 = Repo.get_by(Notification, activity_id: activity1.id)
      notification2 = Repo.get_by(Notification, activity_id: activity2.id)
      conn =
        conn
        |> assign(:user, user)
        |> get("/api/v1/notifications", %{media_only: true})
      assert [link_header] = get_resp_header(conn, "link")
      assert link_header =~ ~r/media_only=true/
      assert link_header =~ ~r/min_id=#{notification2.id}/
      assert link_header =~ ~r/max_id=#{notification1.id}/
    end
  end
  defp get_notification_id_by_activity(%{id: id}) do
    Notification
    |> Repo.get_by(activity_id: id)
--- a/test/web/mastodon_api/controllers/poll_controller_test.exs
+++ b/test/web/mastodon_api/controllers/poll_controller_test.exs
@ -11,9 +11,9 @@ defmodule Pleroma.Web.MastodonAPI.PollControllerTest do
  import Pleroma.Factory
  describe "GET /api/v1/polls/:id" do
-    test "returns poll entity for object id", %{conn: conn} do
+    setup do: oauth_access(["read:statuses"])
      user = insert(:user)
    test "returns poll entity for object id", %{user: user, conn: conn} do
      {:ok, activity} =
        CommonAPI.post(user, %{
          "status" => "Pleroma does",
@ -22,10 +22,7 @@ test "returns poll entity for object id", %{conn: conn} do
      object = Object.normalize(activity)
-      conn =
+      conn = get(conn, "/api/v1/polls/#{object.id}")
        conn
        |> assign(:user, user)
        |> get("/api/v1/polls/#{object.id}")
      response = json_response(conn, 200)
      id = to_string(object.id)
@ -33,11 +30,10 @@ test "returns poll entity for object id", %{conn: conn} do
    end
    test "does not expose polls for private statuses", %{conn: conn} do
      user = insert(:user)
      other_user = insert(:user)
      {:ok, activity} =
-        CommonAPI.post(user, %{
+        CommonAPI.post(other_user, %{
          "status" => "Pleroma does",
          "poll" => %{"options" => ["what Mastodon't", "n't what Mastodoes"], "expires_in" => 20},
          "visibility" => "private"
@ -45,22 +41,20 @@ test "does not expose polls for private statuses", %{conn: conn} do
      object = Object.normalize(activity)
-      conn =
+      conn = get(conn, "/api/v1/polls/#{object.id}")
        conn
        |> assign(:user, other_user)
        |> get("/api/v1/polls/#{object.id}")
      assert json_response(conn, 404)
    end
  end
  describe "POST /api/v1/polls/:id/votes" do
    setup do: oauth_access(["write:statuses"])
    test "votes are added to the poll", %{conn: conn} do
      user = insert(:user)
      other_user = insert(:user)
      {:ok, activity} =
-        CommonAPI.post(user, %{
+        CommonAPI.post(other_user, %{
          "status" => "A very delicious sandwich",
          "poll" => %{
            "options" => ["Lettuce", "Grilled Bacon", "Tomato"],
@ -71,10 +65,7 @@ test "votes are added to the poll", %{conn: conn} do
      object = Object.normalize(activity)
-      conn =
+      conn = post(conn, "/api/v1/polls/#{object.id}/votes", %{"choices" => [0, 1, 2]})
        conn
        |> assign(:user, other_user)
        |> post("/api/v1/polls/#{object.id}/votes", %{"choices" => [0, 1, 2]})
      assert json_response(conn, 200)
      object = Object.get_by_id(object.id)
@ -84,9 +75,7 @@ test "votes are added to the poll", %{conn: conn} do
             end)
    end
-    test "author can't vote", %{conn: conn} do
+    test "author can't vote", %{user: user, conn: conn} do
      user = insert(:user)
      {:ok, activity} =
        CommonAPI.post(user, %{
          "status" => "Am I cute?",
@ -96,7 +85,6 @@ test "author can't vote", %{conn: conn} do
      object = Object.normalize(activity)
      assert conn
             |> assign(:user, user)
             |> post("/api/v1/polls/#{object.id}/votes", %{"choices" => [1]})
             |> json_response(422) == %{"error" => "Poll's author can't vote"}
@ -106,11 +94,10 @@ test "author can't vote", %{conn: conn} do
    end
    test "does not allow multiple choices on a single-choice question", %{conn: conn} do
      user = insert(:user)
      other_user = insert(:user)
      {:ok, activity} =
-        CommonAPI.post(user, %{
+        CommonAPI.post(other_user, %{
          "status" => "The glass is",
          "poll" => %{"options" => ["half empty", "half full"], "expires_in" => 20}
        })
@ -118,7 +105,6 @@ test "does not allow multiple choices on a single-choice question", %{conn: conn
      object = Object.normalize(activity)
      assert conn
             |> assign(:user, other_user)
             |> post("/api/v1/polls/#{object.id}/votes", %{"choices" => [0, 1]})
             |> json_response(422) == %{"error" => "Too many choices"}
@ -130,42 +116,32 @@ test "does not allow multiple choices on a single-choice question", %{conn: conn
    end
    test "does not allow choice index to be greater than options count", %{conn: conn} do
      user = insert(:user)
      other_user = insert(:user)
      {:ok, activity} =
-        CommonAPI.post(user, %{
+        CommonAPI.post(other_user, %{
          "status" => "Am I cute?",
          "poll" => %{"options" => ["Yes", "No"], "expires_in" => 20}
        })
      object = Object.normalize(activity)
-      conn =
+      conn = post(conn, "/api/v1/polls/#{object.id}/votes", %{"choices" => [2]})
        conn
        |> assign(:user, other_user)
        |> post("/api/v1/polls/#{object.id}/votes", %{"choices" => [2]})
      assert json_response(conn, 422) == %{"error" => "Invalid indices"}
    end
    test "returns 404 error when object is not exist", %{conn: conn} do
-      user = insert(:user)
+      conn = post(conn, "/api/v1/polls/1/votes", %{"choices" => [0]})
      conn =
        conn
        |> assign(:user, user)
        |> post("/api/v1/polls/1/votes", %{"choices" => [0]})
      assert json_response(conn, 404) == %{"error" => "Record not found"}
    end
    test "returns 404 when poll is private and not available for user", %{conn: conn} do
      user = insert(:user)
      other_user = insert(:user)
      {:ok, activity} =
-        CommonAPI.post(user, %{
+        CommonAPI.post(other_user, %{
          "status" => "Am I cute?",
          "poll" => %{"options" => ["Yes", "No"], "expires_in" => 20},
          "visibility" => "private"
@ -173,10 +149,7 @@ test "returns 404 when poll is private and not available for user", %{conn: conn
      object = Object.normalize(activity)
-      conn =
+      conn = post(conn, "/api/v1/polls/#{object.id}/votes", %{"choices" => [0]})
        conn
        |> assign(:user, other_user)
        |> post("/api/v1/polls/#{object.id}/votes", %{"choices" => [0]})
      assert json_response(conn, 404) == %{"error" => "Record not found"}
    end
--- a/test/web/mastodon_api/controllers/report_controller_test.exs
+++ b/test/web/mastodon_api/controllers/report_controller_test.exs
@ -9,32 +9,30 @@ defmodule Pleroma.Web.MastodonAPI.ReportControllerTest do
  import Pleroma.Factory
  setup do: oauth_access(["write:reports"])
  setup do
    reporter = insert(:user)
    target_user = insert(:user)
    {:ok, activity} = CommonAPI.post(target_user, %{"status" => "foobar"})
-    [reporter: reporter, target_user: target_user, activity: activity]
+    [target_user: target_user, activity: activity]
  end
-  test "submit a basic report", %{conn: conn, reporter: reporter, target_user: target_user} do
+  test "submit a basic report", %{conn: conn, target_user: target_user} do
    assert %{"action_taken" => false, "id" => _} =
             conn
             |> assign(:user, reporter)
             |> post("/api/v1/reports", %{"account_id" => target_user.id})
             |> json_response(200)
  end
  test "submit a report with statuses and comment", %{
    conn: conn,
    reporter: reporter,
    target_user: target_user,
    activity: activity
  } do
    assert %{"action_taken" => false, "id" => _} =
             conn
             |> assign(:user, reporter)
             |> post("/api/v1/reports", %{
               "account_id" => target_user.id,
               "status_ids" => [activity.id],
@ -46,19 +44,16 @@ test "submit a report with statuses and comment", %{
  test "account_id is required", %{
    conn: conn,
    reporter: reporter,
    activity: activity
  } do
    assert %{"error" => "Valid `account_id` required"} =
             conn
             |> assign(:user, reporter)
             |> post("/api/v1/reports", %{"status_ids" => [activity.id]})
             |> json_response(400)
  end
  test "comment must be up to the size specified in the config", %{
    conn: conn,
    reporter: reporter,
    target_user: target_user
  } do
    max_size = Pleroma.Config.get([:instance, :max_report_comment_size], 1000)
@ -68,20 +63,15 @@ test "comment must be up to the size specified in the config", %{
    assert ^error =
             conn
             |> assign(:user, reporter)
             |> post("/api/v1/reports", %{"account_id" => target_user.id, "comment" => comment})
             |> json_response(400)
  end
  test "returns error when account is not exist", %{
    conn: conn,
    reporter: reporter,
    activity: activity
  } do
-    conn =
+    conn = post(conn, "/api/v1/reports", %{"status_ids" => [activity.id], "account_id" => "foo"})
      conn
      |> assign(:user, reporter)
      |> post("/api/v1/reports", %{"status_ids" => [activity.id], "account_id" => "foo"})
    assert json_response(conn, 400) == %{"error" => "Account not found"}
  end
--- a/test/web/mastodon_api/controllers/scheduled_activity_controller_test.exs
+++ b/test/web/mastodon_api/controllers/scheduled_activity_controller_test.exs
@ -10,89 +10,69 @@ defmodule Pleroma.Web.MastodonAPI.ScheduledActivityControllerTest do
  import Pleroma.Factory
-  test "shows scheduled activities", %{conn: conn} do
+  test "shows scheduled activities" do
-    user = insert(:user)
+    %{user: user, conn: conn} = oauth_access(["read:statuses"])
    scheduled_activity_id1 = insert(:scheduled_activity, user: user).id |> to_string()
    scheduled_activity_id2 = insert(:scheduled_activity, user: user).id |> to_string()
    scheduled_activity_id3 = insert(:scheduled_activity, user: user).id |> to_string()
    scheduled_activity_id4 = insert(:scheduled_activity, user: user).id |> to_string()
    conn =
      conn
      |> assign(:user, user)
    # min_id
-    conn_res =
+    conn_res = get(conn, "/api/v1/scheduled_statuses?limit=2&min_id=#{scheduled_activity_id1}")
      conn
      |> get("/api/v1/scheduled_statuses?limit=2&min_id=#{scheduled_activity_id1}")
    result = json_response(conn_res, 200)
    assert [%{"id" => ^scheduled_activity_id3}, %{"id" => ^scheduled_activity_id2}] = result
    # since_id
-    conn_res =
+    conn_res = get(conn, "/api/v1/scheduled_statuses?limit=2&since_id=#{scheduled_activity_id1}")
      conn
      |> get("/api/v1/scheduled_statuses?limit=2&since_id=#{scheduled_activity_id1}")
    result = json_response(conn_res, 200)
    assert [%{"id" => ^scheduled_activity_id4}, %{"id" => ^scheduled_activity_id3}] = result
    # max_id
-    conn_res =
+    conn_res = get(conn, "/api/v1/scheduled_statuses?limit=2&max_id=#{scheduled_activity_id4}")
      conn
      |> get("/api/v1/scheduled_statuses?limit=2&max_id=#{scheduled_activity_id4}")
    result = json_response(conn_res, 200)
    assert [%{"id" => ^scheduled_activity_id3}, %{"id" => ^scheduled_activity_id2}] = result
  end
-  test "shows a scheduled activity", %{conn: conn} do
+  test "shows a scheduled activity" do
-    user = insert(:user)
+    %{user: user, conn: conn} = oauth_access(["read:statuses"])
    scheduled_activity = insert(:scheduled_activity, user: user)
-    res_conn =
+    res_conn = get(conn, "/api/v1/scheduled_statuses/#{scheduled_activity.id}")
      conn
      |> assign(:user, user)
      |> get("/api/v1/scheduled_statuses/#{scheduled_activity.id}")
    assert %{"id" => scheduled_activity_id} = json_response(res_conn, 200)
    assert scheduled_activity_id == scheduled_activity.id |> to_string()
-    res_conn =
+    res_conn = get(conn, "/api/v1/scheduled_statuses/404")
      conn
      |> assign(:user, user)
      |> get("/api/v1/scheduled_statuses/404")
    assert %{"error" => "Record not found"} = json_response(res_conn, 404)
  end
-  test "updates a scheduled activity", %{conn: conn} do
+  test "updates a scheduled activity" do
-    user = insert(:user)
+    %{user: user, conn: conn} = oauth_access(["write:statuses"])
    scheduled_activity = insert(:scheduled_activity, user: user)
    new_scheduled_at =
      NaiveDateTime.add(NaiveDateTime.utc_now(), :timer.minutes(120), :millisecond)
    res_conn =
-      conn
+      put(conn, "/api/v1/scheduled_statuses/#{scheduled_activity.id}", %{
      |> assign(:user, user)
      |> put("/api/v1/scheduled_statuses/#{scheduled_activity.id}", %{
        scheduled_at: new_scheduled_at
      })
    assert %{"scheduled_at" => expected_scheduled_at} = json_response(res_conn, 200)
    assert expected_scheduled_at == Pleroma.Web.CommonAPI.Utils.to_masto_date(new_scheduled_at)
-    res_conn =
+    res_conn = put(conn, "/api/v1/scheduled_statuses/404", %{scheduled_at: new_scheduled_at})
      conn
      |> assign(:user, user)
      |> put("/api/v1/scheduled_statuses/404", %{scheduled_at: new_scheduled_at})
    assert %{"error" => "Record not found"} = json_response(res_conn, 404)
  end
-  test "deletes a scheduled activity", %{conn: conn} do
+  test "deletes a scheduled activity" do
-    user = insert(:user)
+    %{user: user, conn: conn} = oauth_access(["write:statuses"])
    scheduled_activity = insert(:scheduled_activity, user: user)
    res_conn =
--- a/test/web/mastodon_api/controllers/search_controller_test.exs
+++ b/test/web/mastodon_api/controllers/search_controller_test.exs
@ -77,13 +77,11 @@ test "search", %{conn: conn} do
  describe ".account_search" do
    test "account search", %{conn: conn} do
      user = insert(:user)
      user_two = insert(:user, %{nickname: "shp@shitposter.club"})
      user_three = insert(:user, %{nickname: "shp@heldscal.la", name: "I love 2hu"})
      results =
        conn
        |> assign(:user, user)
        |> get("/api/v1/accounts/search", %{"q" => "shp"})
        |> json_response(200)
@ -94,7 +92,6 @@ test "account search", %{conn: conn} do
      results =
        conn
        |> assign(:user, user)
        |> get("/api/v1/accounts/search", %{"q" => "2hu"})
        |> json_response(200)
@ -104,11 +101,10 @@ test "account search", %{conn: conn} do
    end
    test "returns account if query contains a space", %{conn: conn} do
-      user = insert(:user, %{nickname: "shp@shitposter.club"})
+      insert(:user, %{nickname: "shp@shitposter.club"})
      results =
        conn
        |> assign(:user, user)
        |> get("/api/v1/accounts/search", %{"q" => "shp@shitposter.club xxx "})
        |> json_response(200)
@ -209,6 +205,7 @@ test "search fetches remote accounts", %{conn: conn} do
      conn =
        conn
        |> assign(:user, user)
        |> assign(:token, insert(:oauth_token, user: user, scopes: ["read"]))
        |> get("/api/v1/search", %{"q" => "mike@osada.macgirvin.com", "resolve" => "true"})
      assert results = json_response(conn, 200)
--- a/test/web/mastodon_api/controllers/suggestion_controller_test.exs
+++ b/test/web/mastodon_api/controllers/suggestion_controller_test.exs
@ -11,8 +11,9 @@ defmodule Pleroma.Web.MastodonAPI.SuggestionControllerTest do
  import Pleroma.Factory
  import Tesla.Mock
-  setup do
+  setup do: oauth_access(["read"])
-    user = insert(:user)
+
  setup %{user: user} do
    other_user = insert(:user)
    host = Config.get([Pleroma.Web.Endpoint, :url, :host])
    url500 = "http://test500?#{host}&#{user.nickname}"
@ -32,31 +33,29 @@ defmodule Pleroma.Web.MastodonAPI.SuggestionControllerTest do
        }
    end)
-    [user: user, other_user: other_user]
+    [other_user: other_user]
  end
  clear_config(:suggestions)
-  test "returns empty result when suggestions disabled", %{conn: conn, user: user} do
+  test "returns empty result when suggestions disabled", %{conn: conn} do
    Config.put([:suggestions, :enabled], false)
    res =
      conn
      |> assign(:user, user)
      |> get("/api/v1/suggestions")
      |> json_response(200)
    assert res == []
  end
-  test "returns error", %{conn: conn, user: user} do
+  test "returns error", %{conn: conn} do
    Config.put([:suggestions, :enabled], true)
    Config.put([:suggestions, :third_party_engine], "http://test500?{{host}}&{{user}}")
    assert capture_log(fn ->
             res =
               conn
               |> assign(:user, user)
               |> get("/api/v1/suggestions")
               |> json_response(500)
@ -64,13 +63,12 @@ test "returns error", %{conn: conn, user: user} do
           end) =~ "Could not retrieve suggestions"
  end
-  test "returns suggestions", %{conn: conn, user: user, other_user: other_user} do
+  test "returns suggestions", %{conn: conn, other_user: other_user} do
    Config.put([:suggestions, :enabled], true)
    Config.put([:suggestions, :third_party_engine], "http://test200?{{host}}&{{user}}")
    res =
      conn
      |> assign(:user, user)
      |> get("/api/v1/suggestions")
      |> json_response(200)
--- a/test/web/mastodon_api/controllers/timeline_controller_test.exs
+++ b/test/web/mastodon_api/controllers/timeline_controller_test.exs
@ -20,31 +20,25 @@ defmodule Pleroma.Web.MastodonAPI.TimelineControllerTest do
  end
  describe "home" do
-    test "the home timeline", %{conn: conn} do
+    setup do: oauth_access(["read:statuses"])
-      user = insert(:user)
+
    test "the home timeline", %{user: user, conn: conn} do
      following = insert(:user)
      {:ok, _activity} = CommonAPI.post(following, %{"status" => "test"})
-      conn =
+      ret_conn = get(conn, "/api/v1/timelines/home")
        conn
        |> assign(:user, user)
        |> get("/api/v1/timelines/home")
-      assert Enum.empty?(json_response(conn, :ok))
+      assert Enum.empty?(json_response(ret_conn, :ok))
-      {:ok, user} = User.follow(user, following)
+      {:ok, _user} = User.follow(user, following)
-      conn =
+      conn = get(conn, "/api/v1/timelines/home")
        build_conn()
        |> assign(:user, user)
        |> get("/api/v1/timelines/home")
      assert [%{"content" => "test"}] = json_response(conn, :ok)
    end
-    test "the home timeline when the direct messages are excluded", %{conn: conn} do
+    test "the home timeline when the direct messages are excluded", %{user: user, conn: conn} do
      user = insert(:user)
      {:ok, public_activity} = CommonAPI.post(user, %{"status" => ".", "visibility" => "public"})
      {:ok, direct_activity} = CommonAPI.post(user, %{"status" => ".", "visibility" => "direct"})
@ -54,10 +48,7 @@ test "the home timeline when the direct messages are excluded", %{conn: conn} do
      {:ok, private_activity} =
        CommonAPI.post(user, %{"status" => ".", "visibility" => "private"})
-      conn =
+      conn = get(conn, "/api/v1/timelines/home", %{"exclude_visibilities" => ["direct"]})
        conn
        |> assign(:user, user)
        |> get("/api/v1/timelines/home", %{"exclude_visibilities" => ["direct"]})
      assert status_ids = json_response(conn, :ok) |> Enum.map(& &1["id"])
      assert public_activity.id in status_ids
@ -99,11 +90,7 @@ test "the public timeline when public is set to false", %{conn: conn} do
    end
    test "the public timeline includes only public statuses for an authenticated user" do
-      user = insert(:user)
+      %{user: user, conn: conn} = oauth_access(["read:statuses"])
      conn =
        build_conn()
        |> assign(:user, user)
      {:ok, _activity} = CommonAPI.post(user, %{"status" => "test"})
      {:ok, _activity} = CommonAPI.post(user, %{"status" => "test", "visibility" => "private"})
@ -134,11 +121,13 @@ test "direct timeline", %{conn: conn} do
          "visibility" => "private"
        })
-      # Only direct should be visible here
+      conn_user_two =
      res_conn =
        conn
        |> assign(:user, user_two)
-        |> get("api/v1/timelines/direct")
+        |> assign(:token, insert(:oauth_token, user: user_two, scopes: ["read:statuses"]))
      # Only direct should be visible here
      res_conn = get(conn_user_two, "api/v1/timelines/direct")
      [status] = json_response(res_conn, :ok)
@ -149,6 +138,7 @@ test "direct timeline", %{conn: conn} do
      res_conn =
        build_conn()
        |> assign(:user, user_one)
        |> assign(:token, insert(:oauth_token, user: user_one, scopes: ["read:statuses"]))
        |> get("api/v1/timelines/direct")
      [status] = json_response(res_conn, :ok)
@ -156,10 +146,7 @@ test "direct timeline", %{conn: conn} do
      assert %{"visibility" => "direct"} = status
      # Both should be visible here
-      res_conn =
+      res_conn = get(conn_user_two, "api/v1/timelines/home")
        conn
        |> assign(:user, user_two)
        |> get("api/v1/timelines/home")
      [_s1, _s2] = json_response(res_conn, :ok)
@ -172,28 +159,23 @@ test "direct timeline", %{conn: conn} do
          })
      end)
-      res_conn =
+      res_conn = get(conn_user_two, "api/v1/timelines/direct")
        conn
        |> assign(:user, user_two)
        |> get("api/v1/timelines/direct")
      statuses = json_response(res_conn, :ok)
      assert length(statuses) == 20
      res_conn =
-        conn
+        get(conn_user_two, "api/v1/timelines/direct", %{max_id: List.last(statuses)["id"]})
        |> assign(:user, user_two)
        |> get("api/v1/timelines/direct", %{max_id: List.last(statuses)["id"]})
      [status] = json_response(res_conn, :ok)
      assert status["url"] != direct.data["id"]
    end
-    test "doesn't include DMs from blocked users", %{conn: conn} do
+    test "doesn't include DMs from blocked users" do
-      blocker = insert(:user)
+      %{user: blocker, conn: conn} = oauth_access(["read:statuses"])
      blocked = insert(:user)
-      user = insert(:user)
+      other_user = insert(:user)
      {:ok, _user_relationship} = User.block(blocker, blocked)
      {:ok, _blocked_direct} =
@ -203,15 +185,12 @@ test "doesn't include DMs from blocked users", %{conn: conn} do
        })
      {:ok, direct} =
-        CommonAPI.post(user, %{
+        CommonAPI.post(other_user, %{
          "status" => "Hi @#{blocker.nickname}!",
          "visibility" => "direct"
        })
-      res_conn =
+      res_conn = get(conn, "api/v1/timelines/direct")
        conn
        |> assign(:user, user)
        |> get("api/v1/timelines/direct")
      [status] = json_response(res_conn, :ok)
      assert status["id"] == direct.id
@ -219,26 +198,26 @@ test "doesn't include DMs from blocked users", %{conn: conn} do
  end
  describe "list" do
-    test "list timeline", %{conn: conn} do
+    setup do: oauth_access(["read:lists"])
-      user = insert(:user)
+
    test "list timeline", %{user: user, conn: conn} do
      other_user = insert(:user)
      {:ok, _activity_one} = CommonAPI.post(user, %{"status" => "Marisa is cute."})
      {:ok, activity_two} = CommonAPI.post(other_user, %{"status" => "Marisa is cute."})
      {:ok, list} = Pleroma.List.create("name", user)
      {:ok, list} = Pleroma.List.follow(list, other_user)
-      conn =
+      conn = get(conn, "/api/v1/timelines/list/#{list.id}")
        conn
        |> assign(:user, user)
        |> get("/api/v1/timelines/list/#{list.id}")
      assert [%{"id" => id}] = json_response(conn, :ok)
      assert id == to_string(activity_two.id)
    end
-    test "list timeline does not leak non-public statuses for unfollowed users", %{conn: conn} do
+    test "list timeline does not leak non-public statuses for unfollowed users", %{
-      user = insert(:user)
+      user: user,
      conn: conn
    } do
      other_user = insert(:user)
      {:ok, activity_one} = CommonAPI.post(other_user, %{"status" => "Marisa is cute."})
@ -251,10 +230,7 @@ test "list timeline does not leak non-public statuses for unfollowed users", %{c
      {:ok, list} = Pleroma.List.create("name", user)
      {:ok, list} = Pleroma.List.follow(list, other_user)
-      conn =
+      conn = get(conn, "/api/v1/timelines/list/#{list.id}")
        conn
        |> assign(:user, user)
        |> get("/api/v1/timelines/list/#{list.id}")
      assert [%{"id" => id}] = json_response(conn, :ok)
@ -263,6 +239,8 @@ test "list timeline does not leak non-public statuses for unfollowed users", %{c
  end
  describe "hashtag" do
    setup do: oauth_access(["n/a"])
    @tag capture_log: true
    test "hashtag timeline", %{conn: conn} do
      following = insert(:user)
--- a/test/web/mastodon_api/mastodon_api_controller_test.exs
+++ b/test/web/mastodon_api/mastodon_api_controller_test.exs
@ -5,69 +5,9 @@
 defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
  use Pleroma.Web.ConnCase
-  alias Pleroma.Notification
+  describe "empty_array/2 (stubs)" do
-  alias Pleroma.Repo
+    test "GET /api/v1/accounts/:id/identity_proofs" do
-  alias Pleroma.Web.CommonAPI
+      %{user: user, conn: conn} = oauth_access(["n/a"])
  import Pleroma.Factory
  import Tesla.Mock
  setup do
    mock(fn env -> apply(HttpRequestMock, :request, [env]) end)
    :ok
  end
  clear_config([:rich_media, :enabled])
  test "unimplemented follow_requests, blocks, domain blocks" do
    user = insert(:user)
    ["blocks", "domain_blocks", "follow_requests"]
    |> Enum.each(fn endpoint ->
      conn =
        build_conn()
        |> assign(:user, user)
        |> get("/api/v1/#{endpoint}")
      assert [] = json_response(conn, 200)
    end)
  end
  describe "link headers" do
    test "preserves parameters in link headers", %{conn: conn} do
      user = insert(:user)
      other_user = insert(:user)
      {:ok, activity1} =
        CommonAPI.post(other_user, %{
          "status" => "hi @#{user.nickname}",
          "visibility" => "public"
        })
      {:ok, activity2} =
        CommonAPI.post(other_user, %{
          "status" => "hi @#{user.nickname}",
          "visibility" => "public"
        })
      notification1 = Repo.get_by(Notification, activity_id: activity1.id)
      notification2 = Repo.get_by(Notification, activity_id: activity2.id)
      conn =
        conn
        |> assign(:user, user)
        |> get("/api/v1/notifications", %{media_only: true})
      assert [link_header] = get_resp_header(conn, "link")
      assert link_header =~ ~r/media_only=true/
      assert link_header =~ ~r/min_id=#{notification2.id}/
      assert link_header =~ ~r/max_id=#{notification1.id}/
    end
  end
  describe "empty_array, stubs for mastodon api" do
    test "GET /api/v1/accounts/:id/identity_proofs", %{conn: conn} do
      user = insert(:user)
      res =
        conn
@ -78,12 +18,11 @@ test "GET /api/v1/accounts/:id/identity_proofs", %{conn: conn} do
      assert res == []
    end
-    test "GET /api/v1/endorsements", %{conn: conn} do
+    test "GET /api/v1/endorsements" do
-      user = insert(:user)
+      %{conn: conn} = oauth_access(["read:accounts"])
      res =
        conn
        |> assign(:user, user)
        |> get("/api/v1/endorsements")
        |> json_response(200)
@ -91,11 +30,8 @@ test "GET /api/v1/endorsements", %{conn: conn} do
    end
    test "GET /api/v1/trends", %{conn: conn} do
      user = insert(:user)
      res =
        conn
        |> assign(:user, user)
        |> get("/api/v1/trends")
        |> json_response(200)
--- a/test/web/pleroma_api/controllers/account_controller_test.exs
+++ b/test/web/pleroma_api/controllers/account_controller_test.exs
@ -33,7 +33,6 @@ defmodule Pleroma.Web.PleromaAPI.AccountControllerTest do
    test "resend account confirmation email", %{conn: conn, user: user} do
      conn
      |> assign(:user, user)
      |> post("/api/v1/pleroma/accounts/confirmation_resend?email=#{user.email}")
      |> json_response(:no_content)
@ -52,14 +51,12 @@ test "resend account confirmation email", %{conn: conn, user: user} do
  end
  describe "PATCH /api/v1/pleroma/accounts/update_avatar" do
-    test "user avatar can be set", %{conn: conn} do
+    setup do: oauth_access(["write:accounts"])
-      user = insert(:user)
+
    test "user avatar can be set", %{user: user, conn: conn} do
      avatar_image = File.read!("test/fixtures/avatar_data_uri")
-      conn =
+      conn = patch(conn, "/api/v1/pleroma/accounts/update_avatar", %{img: avatar_image})
        conn
        |> assign(:user, user)
        |> patch("/api/v1/pleroma/accounts/update_avatar", %{img: avatar_image})
      user = refresh_record(user)
@ -78,13 +75,8 @@ test "user avatar can be set", %{conn: conn} do
      assert %{"url" => _} = json_response(conn, 200)
    end
-    test "user avatar can be reset", %{conn: conn} do
+    test "user avatar can be reset", %{user: user, conn: conn} do
-      user = insert(:user)
+      conn = patch(conn, "/api/v1/pleroma/accounts/update_avatar", %{img: ""})
      conn =
        conn
        |> assign(:user, user)
        |> patch("/api/v1/pleroma/accounts/update_avatar", %{img: ""})
      user = User.get_cached_by_id(user.id)
@ -95,13 +87,10 @@ test "user avatar can be reset", %{conn: conn} do
  end
  describe "PATCH /api/v1/pleroma/accounts/update_banner" do
-    test "can set profile banner", %{conn: conn} do
+    setup do: oauth_access(["write:accounts"])
      user = insert(:user)
-      conn =
+    test "can set profile banner", %{user: user, conn: conn} do
-        conn
+      conn = patch(conn, "/api/v1/pleroma/accounts/update_banner", %{"banner" => @image})
        |> assign(:user, user)
        |> patch("/api/v1/pleroma/accounts/update_banner", %{"banner" => @image})
      user = refresh_record(user)
      assert user.banner["type"] == "Image"
@ -109,13 +98,8 @@ test "can set profile banner", %{conn: conn} do
      assert %{"url" => _} = json_response(conn, 200)
    end
-    test "can reset profile banner", %{conn: conn} do
+    test "can reset profile banner", %{user: user, conn: conn} do
-      user = insert(:user)
+      conn = patch(conn, "/api/v1/pleroma/accounts/update_banner", %{"banner" => ""})
      conn =
        conn
        |> assign(:user, user)
        |> patch("/api/v1/pleroma/accounts/update_banner", %{"banner" => ""})
      user = refresh_record(user)
      assert user.banner == %{}
@ -125,26 +109,18 @@ test "can reset profile banner", %{conn: conn} do
  end
  describe "PATCH /api/v1/pleroma/accounts/update_background" do
-    test "background image can be set", %{conn: conn} do
+    setup do: oauth_access(["write:accounts"])
      user = insert(:user)
-      conn =
+    test "background image can be set", %{user: user, conn: conn} do
-        conn
+      conn = patch(conn, "/api/v1/pleroma/accounts/update_background", %{"img" => @image})
        |> assign(:user, user)
        |> patch("/api/v1/pleroma/accounts/update_background", %{"img" => @image})
      user = refresh_record(user)
      assert user.background["type"] == "Image"
      assert %{"url" => _} = json_response(conn, 200)
    end
-    test "background image can be reset", %{conn: conn} do
+    test "background image can be reset", %{user: user, conn: conn} do
-      user = insert(:user)
+      conn = patch(conn, "/api/v1/pleroma/accounts/update_background", %{"img" => ""})
      conn =
        conn
        |> assign(:user, user)
        |> patch("/api/v1/pleroma/accounts/update_background", %{"img" => ""})
      user = refresh_record(user)
      assert user.background == %{}
@ -155,12 +131,12 @@ test "background image can be reset", %{conn: conn} do
  describe "getting favorites timeline of specified user" do
    setup do
      [current_user, user] = insert_pair(:user, hide_favorites: false)
-      [current_user: current_user, user: user]
+      %{user: current_user, conn: conn} = oauth_access(["read:favourites"], user: current_user)
      [current_user: current_user, user: user, conn: conn]
    end
    test "returns list of statuses favorited by specified user", %{
      conn: conn,
      current_user: current_user,
      user: user
    } do
      [activity | _] = insert_pair(:note_activity)
@ -168,7 +144,6 @@ test "returns list of statuses favorited by specified user", %{
      response =
        conn
        |> assign(:user, current_user)
        |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
        |> json_response(:ok)
@ -178,23 +153,18 @@ test "returns list of statuses favorited by specified user", %{
      assert like["id"] == activity.id
    end
-    test "returns favorites for specified user_id when user is not logged in", %{
+    test "does not return favorites for specified user_id when user is not logged in", %{
      conn: conn,
      user: user
    } do
      activity = insert(:note_activity)
      CommonAPI.favorite(activity.id, user)
-      response =
+      build_conn()
-        conn
+      |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
-        |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
+      |> json_response(403)
        |> json_response(:ok)
      assert length(response) == 1
    end
    test "returns favorited DM only when user is logged in and he is one of recipients", %{
      conn: conn,
      current_user: current_user,
      user: user
    } do
@ -206,25 +176,24 @@ test "returns favorited DM only when user is logged in and he is one of recipien
      CommonAPI.favorite(direct.id, user)
-      response =
+      for u <- [user, current_user] do
-        conn
+        response =
-        |> assign(:user, current_user)
+          build_conn()
-        |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
+          |> assign(:user, u)
-        |> json_response(:ok)
+          |> assign(:token, insert(:oauth_token, user: u, scopes: ["read:favourites"]))
          |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
          |> json_response(:ok)
-      assert length(response) == 1
+        assert length(response) == 1
      end
-      anonymous_response =
+      build_conn()
-        conn
+      |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
-        |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
+      |> json_response(403)
        |> json_response(:ok)
      assert Enum.empty?(anonymous_response)
    end
    test "does not return others' favorited DM when user is not one of recipients", %{
      conn: conn,
      current_user: current_user,
      user: user
    } do
      user_two = insert(:user)
@ -239,7 +208,6 @@ test "does not return others' favorited DM when user is not one of recipients",
      response =
        conn
        |> assign(:user, current_user)
        |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
        |> json_response(:ok)
@ -248,7 +216,6 @@ test "does not return others' favorited DM when user is not one of recipients",
    test "paginates favorites using since_id and max_id", %{
      conn: conn,
      current_user: current_user,
      user: user
    } do
      activities = insert_list(10, :note_activity)
@ -262,7 +229,6 @@ test "paginates favorites using since_id and max_id", %{
      response =
        conn
        |> assign(:user, current_user)
        |> get("/api/v1/pleroma/accounts/#{user.id}/favourites", %{
          since_id: third_activity.id,
          max_id: seventh_activity.id
@ -276,7 +242,6 @@ test "paginates favorites using since_id and max_id", %{
    test "limits favorites using limit parameter", %{
      conn: conn,
      current_user: current_user,
      user: user
    } do
      7
@ -287,7 +252,6 @@ test "limits favorites using limit parameter", %{
      response =
        conn
        |> assign(:user, current_user)
        |> get("/api/v1/pleroma/accounts/#{user.id}/favourites", %{limit: "3"})
        |> json_response(:ok)
@ -296,12 +260,10 @@ test "limits favorites using limit parameter", %{
    test "returns empty response when user does not have any favorited statuses", %{
      conn: conn,
      current_user: current_user,
      user: user
    } do
      response =
        conn
        |> assign(:user, current_user)
        |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
        |> json_response(:ok)
@ -314,79 +276,61 @@ test "returns 404 error when specified user is not exist", %{conn: conn} do
      assert json_response(conn, 404) == %{"error" => "Record not found"}
    end
-    test "returns 403 error when user has hidden own favorites", %{
+    test "returns 403 error when user has hidden own favorites", %{conn: conn} do
      conn: conn,
      current_user: current_user
    } do
      user = insert(:user, hide_favorites: true)
      activity = insert(:note_activity)
      CommonAPI.favorite(activity.id, user)
-      conn =
+      conn = get(conn, "/api/v1/pleroma/accounts/#{user.id}/favourites")
        conn
        |> assign(:user, current_user)
        |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
      assert json_response(conn, 403) == %{"error" => "Can't get favorites"}
    end
-    test "hides favorites for new users by default", %{conn: conn, current_user: current_user} do
+    test "hides favorites for new users by default", %{conn: conn} do
      user = insert(:user)
      activity = insert(:note_activity)
      CommonAPI.favorite(activity.id, user)
      conn =
        conn
        |> assign(:user, current_user)
        |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
      assert user.hide_favorites
      conn = get(conn, "/api/v1/pleroma/accounts/#{user.id}/favourites")
      assert json_response(conn, 403) == %{"error" => "Can't get favorites"}
    end
  end
  describe "subscribing / unsubscribing" do
-    test "subscribing / unsubscribing to a user", %{conn: conn} do
+    test "subscribing / unsubscribing to a user" do
-      user = insert(:user)
+      %{user: user, conn: conn} = oauth_access(["follow"])
      subscription_target = insert(:user)
-      conn =
+      ret_conn =
        conn
        |> assign(:user, user)
        |> post("/api/v1/pleroma/accounts/#{subscription_target.id}/subscribe")
-      assert %{"id" => _id, "subscribing" => true} = json_response(conn, 200)
+      assert %{"id" => _id, "subscribing" => true} = json_response(ret_conn, 200)
-      conn =
+      conn = post(conn, "/api/v1/pleroma/accounts/#{subscription_target.id}/unsubscribe")
        build_conn()
        |> assign(:user, user)
        |> post("/api/v1/pleroma/accounts/#{subscription_target.id}/unsubscribe")
      assert %{"id" => _id, "subscribing" => false} = json_response(conn, 200)
    end
  end
  describe "subscribing" do
-    test "returns 404 when subscription_target not found", %{conn: conn} do
+    test "returns 404 when subscription_target not found" do
-      user = insert(:user)
+      %{conn: conn} = oauth_access(["write:follows"])
-      conn =
+      conn = post(conn, "/api/v1/pleroma/accounts/target_id/subscribe")
        conn
        |> assign(:user, user)
        |> post("/api/v1/pleroma/accounts/target_id/subscribe")
      assert %{"error" => "Record not found"} = json_response(conn, 404)
    end
  end
  describe "unsubscribing" do
-    test "returns 404 when subscription_target not found", %{conn: conn} do
+    test "returns 404 when subscription_target not found" do
-      user = insert(:user)
+      %{conn: conn} = oauth_access(["follow"])
-      conn =
+      conn = post(conn, "/api/v1/pleroma/accounts/target_id/unsubscribe")
        conn
        |> assign(:user, user)
        |> post("/api/v1/pleroma/accounts/target_id/unsubscribe")
      assert %{"error" => "Record not found"} = json_response(conn, 404)
    end
--- a/test/web/pleroma_api/controllers/emoji_api_controller_test.exs
+++ b/test/web/pleroma_api/controllers/emoji_api_controller_test.exs
@ -39,9 +39,12 @@ test "shared & non-shared pack information in list_packs is ok" do
  test "listing remote packs" do
    admin = insert(:user, is_admin: true)
-    conn = build_conn() |> assign(:user, admin)
+    %{conn: conn} = oauth_access(["admin:write"], user: admin)
-    resp = conn |> get(emoji_api_path(conn, :list_packs)) |> json_response(200)
+    resp =
      build_conn()
      |> get(emoji_api_path(conn, :list_packs))
      |> json_response(200)
    mock(fn
      %{method: :get, url: "https://example.com/.well-known/nodeinfo"} ->
@ -123,7 +126,10 @@ test "downloading shared & unshared packs from another instance via download_fro
    admin = insert(:user, is_admin: true)
-    conn = build_conn() |> assign(:user, admin)
+    conn =
      build_conn()
      |> assign(:user, admin)
      |> assign(:token, insert(:oauth_admin_token, user: admin, scopes: ["admin:write"]))
    assert (conn
            |> put_req_header("content-type", "application/json")
@ -168,8 +174,6 @@ test "downloading shared & unshared packs from another instance via download_fro
    # non-shared, downloaded from the fallback URL
    conn = build_conn() |> assign(:user, admin)
    assert conn
           |> put_req_header("content-type", "application/json")
           |> post(
@ -205,8 +209,12 @@ test "downloading shared & unshared packs from another instance via download_fro
        File.write!(pack_file, original_content)
      end)
      admin = insert(:user, is_admin: true)
      %{conn: conn} = oauth_access(["admin:write"], user: admin)
      {:ok,
-       admin: insert(:user, is_admin: true),
+       admin: admin,
       conn: conn,
       pack_file: pack_file,
       new_data: %{
         "license" => "Test license changed",
@ -217,10 +225,9 @@ test "downloading shared & unshared packs from another instance via download_fro
    end
    test "for a pack without a fallback source", ctx do
-      conn = build_conn()
+      conn = ctx[:conn]
      assert conn
             |> assign(:user, ctx[:admin])
             |> post(
               emoji_api_path(conn, :update_metadata, "test_pack"),
               %{
@ -250,10 +257,9 @@ test "for a pack with a fallback source", ctx do
          "74409E2674DAA06C072729C6C8426C4CB3B7E0B85ED77792DB7A436E11D76DAF"
        )
-      conn = build_conn()
+      conn = ctx[:conn]
      assert conn
             |> assign(:user, ctx[:admin])
             |> post(
               emoji_api_path(conn, :update_metadata, "test_pack"),
               %{
@ -277,10 +283,9 @@ test "when the fallback source doesn't have all the files", ctx do
      new_data = Map.put(ctx[:new_data], "fallback-src", "https://nonshared-pack")
-      conn = build_conn()
+      conn = ctx[:conn]
      assert (conn
              |> assign(:user, ctx[:admin])
              |> post(
                emoji_api_path(conn, :update_metadata, "test_pack"),
                %{
@ -304,8 +309,7 @@ test "updating pack files" do
    end)
    admin = insert(:user, is_admin: true)
-
+    %{conn: conn} = oauth_access(["admin:write"], user: admin)
    conn = build_conn()
    same_name = %{
      "action" => "add",
@ -319,8 +323,6 @@ test "updating pack files" do
    different_name = %{same_name | "shortcode" => "blank_2"}
    conn = conn |> assign(:user, admin)
    assert (conn
            |> post(emoji_api_path(conn, :update_file, "test_pack"), same_name)
            |> json_response(:conflict))["error"] =~ "already exists"
@ -392,8 +394,7 @@ test "creating and deleting a pack" do
    end)
    admin = insert(:user, is_admin: true)
-
+    %{conn: conn} = oauth_access(["admin:write"], user: admin)
    conn = build_conn() |> assign(:user, admin)
    assert conn
           |> put_req_header("content-type", "application/json")
@ -432,9 +433,9 @@ test "filesystem import" do
    refute Map.has_key?(resp, "test_pack_for_import")
    admin = insert(:user, is_admin: true)
    %{conn: conn} = oauth_access(["admin:write"], user: admin)
    assert conn
           |> assign(:user, admin)
           |> post(emoji_api_path(conn, :import_from_fs))
           |> json_response(200) == ["test_pack_for_import"]
@ -449,11 +450,10 @@ test "filesystem import" do
    File.write!("#{@emoji_dir_path}/test_pack_for_import/emoji.txt", emoji_txt_content)
    assert conn
           |> assign(:user, admin)
           |> post(emoji_api_path(conn, :import_from_fs))
           |> json_response(200) == ["test_pack_for_import"]
-    resp = conn |> get(emoji_api_path(conn, :list_packs)) |> json_response(200)
+    resp = build_conn() |> get(emoji_api_path(conn, :list_packs)) |> json_response(200)
    assert resp["test_pack_for_import"]["files"] == %{
             "blank" => "blank.png",
--- a/test/web/pleroma_api/controllers/mascot_controller_test.exs
+++ b/test/web/pleroma_api/controllers/mascot_controller_test.exs
@ -7,10 +7,8 @@ defmodule Pleroma.Web.PleromaAPI.MascotControllerTest do
  alias Pleroma.User
-  import Pleroma.Factory
+  test "mascot upload" do
-
+    %{conn: conn} = oauth_access(["write:accounts"])
  test "mascot upload", %{conn: conn} do
    user = insert(:user)
    non_image_file = %Plug.Upload{
      content_type: "audio/mpeg",
@ -18,12 +16,9 @@ test "mascot upload", %{conn: conn} do
      filename: "sound.mp3"
    }
-    conn =
+    ret_conn = put(conn, "/api/v1/pleroma/mascot", %{"file" => non_image_file})
      conn
      |> assign(:user, user)
      |> put("/api/v1/pleroma/mascot", %{"file" => non_image_file})
-    assert json_response(conn, 415)
+    assert json_response(ret_conn, 415)
    file = %Plug.Upload{
      content_type: "image/jpg",
@ -31,23 +26,18 @@ test "mascot upload", %{conn: conn} do
      filename: "an_image.jpg"
    }
-    conn =
+    conn = put(conn, "/api/v1/pleroma/mascot", %{"file" => file})
      build_conn()
      |> assign(:user, user)
      |> put("/api/v1/pleroma/mascot", %{"file" => file})
    assert %{"id" => _, "type" => image} = json_response(conn, 200)
  end
-  test "mascot retrieving", %{conn: conn} do
+  test "mascot retrieving" do
-    user = insert(:user)
+    %{user: user, conn: conn} = oauth_access(["read:accounts", "write:accounts"])
    # When user hasn't set a mascot, we should just get pleroma tan back
    conn =
      conn
      |> assign(:user, user)
      |> get("/api/v1/pleroma/mascot")
-    assert %{"url" => url} = json_response(conn, 200)
+    # When user hasn't set a mascot, we should just get pleroma tan back
    ret_conn = get(conn, "/api/v1/pleroma/mascot")
    assert %{"url" => url} = json_response(ret_conn, 200)
    assert url =~ "pleroma-fox-tan-smol"
    # When a user sets their mascot, we should get that back
@ -57,17 +47,14 @@ test "mascot retrieving", %{conn: conn} do
      filename: "an_image.jpg"
    }
-    conn =
+    ret_conn = put(conn, "/api/v1/pleroma/mascot", %{"file" => file})
      build_conn()
      |> assign(:user, user)
      |> put("/api/v1/pleroma/mascot", %{"file" => file})
-    assert json_response(conn, 200)
+    assert json_response(ret_conn, 200)
    user = User.get_cached_by_id(user.id)
    conn =
-      build_conn()
+      conn
      |> assign(:user, user)
      |> get("/api/v1/pleroma/mascot")
--- a/test/web/pleroma_api/controllers/scrobble_controller_test.exs
+++ b/test/web/pleroma_api/controllers/scrobble_controller_test.exs
@ -6,16 +6,13 @@ defmodule Pleroma.Web.PleromaAPI.ScrobbleControllerTest do
  use Pleroma.Web.ConnCase
  alias Pleroma.Web.CommonAPI
  import Pleroma.Factory
  describe "POST /api/v1/pleroma/scrobble" do
-    test "works correctly", %{conn: conn} do
+    test "works correctly" do
-      user = insert(:user)
+      %{conn: conn} = oauth_access(["write"])
      conn =
-        conn
+        post(conn, "/api/v1/pleroma/scrobble", %{
        |> assign(:user, user)
        |> post("/api/v1/pleroma/scrobble", %{
          "title" => "lain radio episode 1",
          "artist" => "lain",
          "album" => "lain radio",
@ -27,8 +24,8 @@ test "works correctly", %{conn: conn} do
  end
  describe "GET /api/v1/pleroma/accounts/:id/scrobbles" do
-    test "works correctly", %{conn: conn} do
+    test "works correctly" do
-      user = insert(:user)
+      %{user: user, conn: conn} = oauth_access(["read"])
      {:ok, _activity} =
        CommonAPI.listen(user, %{
@ -51,9 +48,7 @@ test "works correctly", %{conn: conn} do
          "album" => "lain radio"
        })
-      conn =
+      conn = get(conn, "/api/v1/pleroma/accounts/#{user.id}/scrobbles")
        conn
        |> get("/api/v1/pleroma/accounts/#{user.id}/scrobbles")
      result = json_response(conn, 200)