diff --git a/lib/pleroma/web/masto_fe_controller.ex b/lib/pleroma/web/masto_fe_controller.ex
index ca261ad6e..9f7e4943c 100644
--- a/lib/pleroma/web/masto_fe_controller.ex
+++ b/lib/pleroma/web/masto_fe_controller.ex
@@ -20,18 +20,21 @@ defmodule Pleroma.Web.MastoFEController do
   plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug when action != :index)
 
   @doc "GET /web/*path"
-  def index(%{assigns: %{user: user}} = conn, _params) do
-    token = get_session(conn, :oauth_token)
+  def index(%{assigns: %{user: user, token: token}} = conn, _params)
+      when not is_nil(user) and not is_nil(token) do
+    conn
+    |> put_layout(false)
+    |> render("index.html",
+      token: token.token,
+      user: user,
+      custom_emojis: Pleroma.Emoji.get_all()
+    )
+  end
 
-    if user && token do
-      conn
-      |> put_layout(false)
-      |> render("index.html", token: token, user: user, custom_emojis: Pleroma.Emoji.get_all())
-    else
-      conn
-      |> put_session(:return_to, conn.request_path)
-      |> redirect(to: "/web/login")
-    end
+  def index(conn, _params) do
+    conn
+    |> put_session(:return_to, conn.request_path)
+    |> redirect(to: "/web/login")
   end
 
   @doc "GET /web/manifest.json"
diff --git a/test/support/conn_case.ex b/test/support/conn_case.ex
index 95bc2492a..22e72fc09 100644
--- a/test/support/conn_case.ex
+++ b/test/support/conn_case.ex
@@ -30,14 +30,14 @@ defmodule Pleroma.Web.ConnCase do
       @endpoint Pleroma.Web.Endpoint
 
       # Sets up OAuth access with specified scopes
-      defp oauth_access(scopes, opts \\ %{}) do
+      defp oauth_access(scopes, opts \\ []) do
         user =
-          Map.get_lazy(opts, :user, fn ->
+          Keyword.get_lazy(opts, :user, fn ->
             Pleroma.Factory.insert(:user)
           end)
 
         token =
-          Map.get_lazy(opts, :oauth_token, fn ->
+          Keyword.get_lazy(opts, :oauth_token, fn ->
             Pleroma.Factory.insert(:oauth_token, user: user, scopes: scopes)
           end)
 
diff --git a/test/web/masto_fe_controller_test.exs b/test/web/masto_fe_controller_test.exs
index b5dbd4a25..f9870a852 100644
--- a/test/web/masto_fe_controller_test.exs
+++ b/test/web/masto_fe_controller_test.exs
@@ -18,6 +18,7 @@ test "put settings", %{conn: conn} do
     conn =
       conn
       |> assign(:user, user)
+      |> assign(:token, insert(:oauth_token, user: user, scopes: ["write:accounts"]))
       |> put("/api/web/settings", %{"data" => %{"programming" => "socks"}})
 
     assert _result = json_response(conn, 200)
@@ -63,12 +64,12 @@ test "redirects not logged-in users to the login page on private instances", %{
     end
 
     test "does not redirect logged in users to the login page", %{conn: conn, path: path} do
-      token = insert(:oauth_token)
+      token = insert(:oauth_token, scopes: ["read"])
 
       conn =
         conn
         |> assign(:user, token.user)
-        |> put_session(:oauth_token, token.token)
+        |> assign(:token, token)
         |> get(path)
 
       assert conn.status == 200
diff --git a/test/web/mastodon_api/controllers/account_controller/update_credentials_test.exs b/test/web/mastodon_api/controllers/account_controller/update_credentials_test.exs
index 77cfce4fa..09bdc46e0 100644
--- a/test/web/mastodon_api/controllers/account_controller/update_credentials_test.exs
+++ b/test/web/mastodon_api/controllers/account_controller/update_credentials_test.exs
@@ -12,13 +12,11 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController.UpdateCredentialsTest do
   clear_config([:instance, :max_account_fields])
 
   describe "updating credentials" do
-    test "sets user settings in a generic way", %{conn: conn} do
-      user = insert(:user)
+    setup do: oauth_access(["write:accounts"])
 
+    test "sets user settings in a generic way", %{conn: conn} do
       res_conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{
+        patch(conn, "/api/v1/accounts/update_credentials", %{
           "pleroma_settings_store" => %{
             pleroma_fe: %{
               theme: "bla"
@@ -26,10 +24,10 @@ test "sets user settings in a generic way", %{conn: conn} do
           }
         })
 
-      assert user = json_response(res_conn, 200)
-      assert user["pleroma"]["settings_store"] == %{"pleroma_fe" => %{"theme" => "bla"}}
+      assert user_data = json_response(res_conn, 200)
+      assert user_data["pleroma"]["settings_store"] == %{"pleroma_fe" => %{"theme" => "bla"}}
 
-      user = Repo.get(User, user["id"])
+      user = Repo.get(User, user_data["id"])
 
       res_conn =
         conn
@@ -42,15 +40,15 @@ test "sets user settings in a generic way", %{conn: conn} do
           }
         })
 
-      assert user = json_response(res_conn, 200)
+      assert user_data = json_response(res_conn, 200)
 
-      assert user["pleroma"]["settings_store"] ==
+      assert user_data["pleroma"]["settings_store"] ==
                %{
                  "pleroma_fe" => %{"theme" => "bla"},
                  "masto_fe" => %{"theme" => "bla"}
                }
 
-      user = Repo.get(User, user["id"])
+      user = Repo.get(User, user_data["id"])
 
       res_conn =
         conn
@@ -63,9 +61,9 @@ test "sets user settings in a generic way", %{conn: conn} do
           }
         })
 
-      assert user = json_response(res_conn, 200)
+      assert user_data = json_response(res_conn, 200)
 
-      assert user["pleroma"]["settings_store"] ==
+      assert user_data["pleroma"]["settings_store"] ==
                %{
                  "pleroma_fe" => %{"theme" => "bla"},
                  "masto_fe" => %{"theme" => "blub"}
@@ -73,97 +71,67 @@ test "sets user settings in a generic way", %{conn: conn} do
     end
 
     test "updates the user's bio", %{conn: conn} do
-      user = insert(:user)
       user2 = insert(:user)
 
       conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{
+        patch(conn, "/api/v1/accounts/update_credentials", %{
           "note" => "I drink #cofe with @#{user2.nickname}"
         })
 
-      assert user = json_response(conn, 200)
+      assert user_data = json_response(conn, 200)
 
-      assert user["note"] ==
+      assert user_data["note"] ==
                ~s(I drink <a class="hashtag" data-tag="cofe" href="http://localhost:4001/tag/cofe">#cofe</a> with <span class="h-card"><a data-user="#{
                  user2.id
                }" class="u-url mention" href="#{user2.ap_id}" rel="ugc">@<span>#{user2.nickname}</span></a></span>)
     end
 
     test "updates the user's locking status", %{conn: conn} do
-      user = insert(:user)
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{locked: "true"})
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{locked: "true"})
-
-      assert user = json_response(conn, 200)
-      assert user["locked"] == true
+      assert user_data = json_response(conn, 200)
+      assert user_data["locked"] == true
     end
 
-    test "updates the user's allow_following_move", %{conn: conn} do
-      user = insert(:user)
-
+    test "updates the user's allow_following_move", %{user: user, conn: conn} do
       assert user.allow_following_move == true
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{allow_following_move: "false"})
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{allow_following_move: "false"})
 
       assert refresh_record(user).allow_following_move == false
-      assert user = json_response(conn, 200)
-      assert user["pleroma"]["allow_following_move"] == false
+      assert user_data = json_response(conn, 200)
+      assert user_data["pleroma"]["allow_following_move"] == false
     end
 
     test "updates the user's default scope", %{conn: conn} do
-      user = insert(:user)
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{default_scope: "cofe"})
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{default_scope: "cofe"})
-
-      assert user = json_response(conn, 200)
-      assert user["source"]["privacy"] == "cofe"
+      assert user_data = json_response(conn, 200)
+      assert user_data["source"]["privacy"] == "cofe"
     end
 
     test "updates the user's hide_followers status", %{conn: conn} do
-      user = insert(:user)
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{hide_followers: "true"})
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{hide_followers: "true"})
-
-      assert user = json_response(conn, 200)
-      assert user["pleroma"]["hide_followers"] == true
+      assert user_data = json_response(conn, 200)
+      assert user_data["pleroma"]["hide_followers"] == true
     end
 
     test "updates the user's hide_followers_count and hide_follows_count", %{conn: conn} do
-      user = insert(:user)
-
       conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{
+        patch(conn, "/api/v1/accounts/update_credentials", %{
           hide_followers_count: "true",
           hide_follows_count: "true"
         })
 
-      assert user = json_response(conn, 200)
-      assert user["pleroma"]["hide_followers_count"] == true
-      assert user["pleroma"]["hide_follows_count"] == true
+      assert user_data = json_response(conn, 200)
+      assert user_data["pleroma"]["hide_followers_count"] == true
+      assert user_data["pleroma"]["hide_follows_count"] == true
     end
 
-    test "updates the user's skip_thread_containment option", %{conn: conn} do
-      user = insert(:user)
-
+    test "updates the user's skip_thread_containment option", %{user: user, conn: conn} do
       response =
         conn
-        |> assign(:user, user)
         |> patch("/api/v1/accounts/update_credentials", %{skip_thread_containment: "true"})
         |> json_response(200)
 
@@ -172,104 +140,68 @@ test "updates the user's skip_thread_containment option", %{conn: conn} do
     end
 
     test "updates the user's hide_follows status", %{conn: conn} do
-      user = insert(:user)
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{hide_follows: "true"})
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{hide_follows: "true"})
-
-      assert user = json_response(conn, 200)
-      assert user["pleroma"]["hide_follows"] == true
+      assert user_data = json_response(conn, 200)
+      assert user_data["pleroma"]["hide_follows"] == true
     end
 
     test "updates the user's hide_favorites status", %{conn: conn} do
-      user = insert(:user)
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{hide_favorites: "true"})
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{hide_favorites: "true"})
-
-      assert user = json_response(conn, 200)
-      assert user["pleroma"]["hide_favorites"] == true
+      assert user_data = json_response(conn, 200)
+      assert user_data["pleroma"]["hide_favorites"] == true
     end
 
     test "updates the user's show_role status", %{conn: conn} do
-      user = insert(:user)
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{show_role: "false"})
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{show_role: "false"})
-
-      assert user = json_response(conn, 200)
-      assert user["source"]["pleroma"]["show_role"] == false
+      assert user_data = json_response(conn, 200)
+      assert user_data["source"]["pleroma"]["show_role"] == false
     end
 
     test "updates the user's no_rich_text status", %{conn: conn} do
-      user = insert(:user)
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{no_rich_text: "true"})
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{no_rich_text: "true"})
-
-      assert user = json_response(conn, 200)
-      assert user["source"]["pleroma"]["no_rich_text"] == true
+      assert user_data = json_response(conn, 200)
+      assert user_data["source"]["pleroma"]["no_rich_text"] == true
     end
 
     test "updates the user's name", %{conn: conn} do
-      user = insert(:user)
-
       conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{"display_name" => "markorepairs"})
+        patch(conn, "/api/v1/accounts/update_credentials", %{"display_name" => "markorepairs"})
 
-      assert user = json_response(conn, 200)
-      assert user["display_name"] == "markorepairs"
+      assert user_data = json_response(conn, 200)
+      assert user_data["display_name"] == "markorepairs"
     end
 
-    test "updates the user's avatar", %{conn: conn} do
-      user = insert(:user)
-
+    test "updates the user's avatar", %{user: user, conn: conn} do
       new_avatar = %Plug.Upload{
         content_type: "image/jpg",
         path: Path.absname("test/fixtures/image.jpg"),
         filename: "an_image.jpg"
       }
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{"avatar" => new_avatar})
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{"avatar" => new_avatar})
 
       assert user_response = json_response(conn, 200)
       assert user_response["avatar"] != User.avatar_url(user)
     end
 
-    test "updates the user's banner", %{conn: conn} do
-      user = insert(:user)
-
+    test "updates the user's banner", %{user: user, conn: conn} do
       new_header = %Plug.Upload{
         content_type: "image/jpg",
         path: Path.absname("test/fixtures/image.jpg"),
         filename: "an_image.jpg"
       }
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{"header" => new_header})
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{"header" => new_header})
 
       assert user_response = json_response(conn, 200)
       assert user_response["header"] != User.banner_url(user)
     end
 
     test "updates the user's background", %{conn: conn} do
-      user = insert(:user)
-
       new_header = %Plug.Upload{
         content_type: "image/jpg",
         path: Path.absname("test/fixtures/image.jpg"),
@@ -277,9 +209,7 @@ test "updates the user's background", %{conn: conn} do
       }
 
       conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{
+        patch(conn, "/api/v1/accounts/update_credentials", %{
           "pleroma_background_image" => new_header
         })
 
@@ -287,13 +217,13 @@ test "updates the user's background", %{conn: conn} do
       assert user_response["pleroma"]["background_image"]
     end
 
-    test "requires 'write:accounts' permission", %{conn: conn} do
+    test "requires 'write:accounts' permission" do
       token1 = insert(:oauth_token, scopes: ["read"])
       token2 = insert(:oauth_token, scopes: ["write", "follow"])
 
       for token <- [token1, token2] do
         conn =
-          conn
+          build_conn()
           |> put_req_header("authorization", "Bearer #{token.token}")
           |> patch("/api/v1/accounts/update_credentials", %{})
 
@@ -306,53 +236,44 @@ test "requires 'write:accounts' permission", %{conn: conn} do
       end
     end
 
-    test "updates profile emojos", %{conn: conn} do
-      user = insert(:user)
-
+    test "updates profile emojos", %{user: user, conn: conn} do
       note = "*sips :blank:*"
       name = "I am :firefox:"
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{
+      ret_conn =
+        patch(conn, "/api/v1/accounts/update_credentials", %{
           "note" => note,
           "display_name" => name
         })
 
-      assert json_response(conn, 200)
+      assert json_response(ret_conn, 200)
 
-      conn =
-        conn
-        |> get("/api/v1/accounts/#{user.id}")
+      conn = get(conn, "/api/v1/accounts/#{user.id}")
 
-      assert user = json_response(conn, 200)
+      assert user_data = json_response(conn, 200)
 
-      assert user["note"] == note
-      assert user["display_name"] == name
-      assert [%{"shortcode" => "blank"}, %{"shortcode" => "firefox"}] = user["emojis"]
+      assert user_data["note"] == note
+      assert user_data["display_name"] == name
+      assert [%{"shortcode" => "blank"}, %{"shortcode" => "firefox"}] = user_data["emojis"]
     end
 
     test "update fields", %{conn: conn} do
-      user = insert(:user)
-
       fields = [
         %{"name" => "<a href=\"http://google.com\">foo</a>", "value" => "<script>bar</script>"},
         %{"name" => "link", "value" => "cofe.io"}
       ]
 
-      account =
+      account_data =
         conn
-        |> assign(:user, user)
         |> patch("/api/v1/accounts/update_credentials", %{"fields_attributes" => fields})
         |> json_response(200)
 
-      assert account["fields"] == [
+      assert account_data["fields"] == [
                %{"name" => "foo", "value" => "bar"},
                %{"name" => "link", "value" => ~S(<a href="http://cofe.io" rel="ugc">cofe.io</a>)}
              ]
 
-      assert account["source"]["fields"] == [
+      assert account_data["source"]["fields"] == [
                %{
                  "name" => "<a href=\"http://google.com\">foo</a>",
                  "value" => "<script>bar</script>"
@@ -372,7 +293,6 @@ test "update fields", %{conn: conn} do
       account =
         conn
         |> put_req_header("content-type", "application/x-www-form-urlencoded")
-        |> assign(:user, user)
         |> patch("/api/v1/accounts/update_credentials", fields)
         |> json_response(200)
 
@@ -398,7 +318,6 @@ test "update fields", %{conn: conn} do
 
       assert %{"error" => "Invalid request"} ==
                conn
-               |> assign(:user, user)
                |> patch("/api/v1/accounts/update_credentials", %{"fields_attributes" => fields})
                |> json_response(403)
 
@@ -408,7 +327,6 @@ test "update fields", %{conn: conn} do
 
       assert %{"error" => "Invalid request"} ==
                conn
-               |> assign(:user, user)
                |> patch("/api/v1/accounts/update_credentials", %{"fields_attributes" => fields})
                |> json_response(403)
 
@@ -421,7 +339,6 @@ test "update fields", %{conn: conn} do
 
       assert %{"error" => "Invalid request"} ==
                conn
-               |> assign(:user, user)
                |> patch("/api/v1/accounts/update_credentials", %{"fields_attributes" => fields})
                |> json_response(403)
 
@@ -432,7 +349,6 @@ test "update fields", %{conn: conn} do
 
       account =
         conn
-        |> assign(:user, user)
         |> patch("/api/v1/accounts/update_credentials", %{"fields_attributes" => fields})
         |> json_response(200)
 
diff --git a/test/web/mastodon_api/controllers/account_controller_test.exs b/test/web/mastodon_api/controllers/account_controller_test.exs
index fa08ae4df..0d4860a42 100644
--- a/test/web/mastodon_api/controllers/account_controller_test.exs
+++ b/test/web/mastodon_api/controllers/account_controller_test.exs
@@ -87,6 +87,7 @@ test "respects limit_to_local_content == :unauthenticated for remote user nickna
       conn =
         build_conn()
         |> assign(:user, reading_user)
+        |> assign(:token, insert(:oauth_token, user: reading_user, scopes: ["read:accounts"]))
         |> get("/api/v1/accounts/#{user.nickname}")
 
       Pleroma.Config.put([:instance, :limit_to_local_content], limit_to_local)
@@ -144,8 +145,9 @@ test "returns 404 for internal.fetch actor", %{conn: conn} do
   end
 
   describe "user timelines" do
-    test "respects blocks", %{conn: conn} do
-      user_one = insert(:user)
+    setup do: oauth_access(["read:statuses"])
+
+    test "respects blocks", %{user: user_one, conn: conn} do
       user_two = insert(:user)
       user_three = insert(:user)
 
@@ -154,46 +156,35 @@ test "respects blocks", %{conn: conn} do
       {:ok, activity} = CommonAPI.post(user_two, %{"status" => "User one sux0rz"})
       {:ok, repeat, _} = CommonAPI.repeat(activity.id, user_three)
 
-      resp =
-        conn
-        |> get("/api/v1/accounts/#{user_two.id}/statuses")
+      resp = get(conn, "/api/v1/accounts/#{user_two.id}/statuses")
 
       assert [%{"id" => id}] = json_response(resp, 200)
       assert id == activity.id
 
       # Even a blocked user will deliver the full user timeline, there would be
-      # no point in looking at a blocked users timeline otherwise
-      resp =
-        conn
-        |> assign(:user, user_one)
-        |> get("/api/v1/accounts/#{user_two.id}/statuses")
+      #   no point in looking at a blocked users timeline otherwise
+      resp = get(conn, "/api/v1/accounts/#{user_two.id}/statuses")
 
       assert [%{"id" => id}] = json_response(resp, 200)
       assert id == activity.id
 
-      resp =
-        conn
-        |> get("/api/v1/accounts/#{user_three.id}/statuses")
-
+      # Third user's timeline includes the repeat when viewed by unauthenticated user
+      resp = get(build_conn(), "/api/v1/accounts/#{user_three.id}/statuses")
       assert [%{"id" => id}] = json_response(resp, 200)
       assert id == repeat.id
 
-      # When viewing a third user's timeline, the blocked users will NOT be
-      # shown.
-      resp =
-        conn
-        |> assign(:user, user_one)
-        |> get("/api/v1/accounts/#{user_three.id}/statuses")
+      # When viewing a third user's timeline, the blocked users' statuses will NOT be shown
+      resp = get(conn, "/api/v1/accounts/#{user_three.id}/statuses")
 
       assert [] = json_response(resp, 200)
     end
 
-    test "gets a users statuses", %{conn: conn} do
+    test "gets users statuses", %{conn: conn} do
       user_one = insert(:user)
       user_two = insert(:user)
       user_three = insert(:user)
 
-      {:ok, user_three} = User.follow(user_three, user_one)
+      {:ok, _user_three} = User.follow(user_three, user_one)
 
       {:ok, activity} = CommonAPI.post(user_one, %{"status" => "HI!!!"})
 
@@ -206,9 +197,7 @@ test "gets a users statuses", %{conn: conn} do
       {:ok, private_activity} =
         CommonAPI.post(user_one, %{"status" => "private", "visibility" => "private"})
 
-      resp =
-        conn
-        |> get("/api/v1/accounts/#{user_one.id}/statuses")
+      resp = get(conn, "/api/v1/accounts/#{user_one.id}/statuses")
 
       assert [%{"id" => id}] = json_response(resp, 200)
       assert id == to_string(activity.id)
@@ -216,6 +205,7 @@ test "gets a users statuses", %{conn: conn} do
       resp =
         conn
         |> assign(:user, user_two)
+        |> assign(:token, insert(:oauth_token, user: user_two, scopes: ["read:statuses"]))
         |> get("/api/v1/accounts/#{user_one.id}/statuses")
 
       assert [%{"id" => id_one}, %{"id" => id_two}] = json_response(resp, 200)
@@ -225,6 +215,7 @@ test "gets a users statuses", %{conn: conn} do
       resp =
         conn
         |> assign(:user, user_three)
+        |> assign(:token, insert(:oauth_token, user: user_three, scopes: ["read:statuses"]))
         |> get("/api/v1/accounts/#{user_one.id}/statuses")
 
       assert [%{"id" => id_one}, %{"id" => id_two}] = json_response(resp, 200)
@@ -236,9 +227,7 @@ test "unimplemented pinned statuses feature", %{conn: conn} do
       note = insert(:note_activity)
       user = User.get_cached_by_ap_id(note.data["actor"])
 
-      conn =
-        conn
-        |> get("/api/v1/accounts/#{user.id}/statuses?pinned=true")
+      conn = get(conn, "/api/v1/accounts/#{user.id}/statuses?pinned=true")
 
       assert json_response(conn, 200) == []
     end
@@ -257,63 +246,51 @@ test "gets an users media", %{conn: conn} do
 
       {:ok, image_post} = CommonAPI.post(user, %{"status" => "cofe", "media_ids" => [media_id]})
 
-      conn =
-        conn
-        |> get("/api/v1/accounts/#{user.id}/statuses", %{"only_media" => "true"})
+      conn = get(conn, "/api/v1/accounts/#{user.id}/statuses", %{"only_media" => "true"})
 
       assert [%{"id" => id}] = json_response(conn, 200)
       assert id == to_string(image_post.id)
 
-      conn =
-        build_conn()
-        |> get("/api/v1/accounts/#{user.id}/statuses", %{"only_media" => "1"})
+      conn = get(build_conn(), "/api/v1/accounts/#{user.id}/statuses", %{"only_media" => "1"})
 
       assert [%{"id" => id}] = json_response(conn, 200)
       assert id == to_string(image_post.id)
     end
 
-    test "gets a user's statuses without reblogs", %{conn: conn} do
-      user = insert(:user)
+    test "gets a user's statuses without reblogs", %{user: user, conn: conn} do
       {:ok, post} = CommonAPI.post(user, %{"status" => "HI!!!"})
       {:ok, _, _} = CommonAPI.repeat(post.id, user)
 
-      conn =
-        conn
-        |> get("/api/v1/accounts/#{user.id}/statuses", %{"exclude_reblogs" => "true"})
+      conn = get(conn, "/api/v1/accounts/#{user.id}/statuses", %{"exclude_reblogs" => "true"})
 
       assert [%{"id" => id}] = json_response(conn, 200)
       assert id == to_string(post.id)
 
-      conn =
-        conn
-        |> get("/api/v1/accounts/#{user.id}/statuses", %{"exclude_reblogs" => "1"})
+      conn = get(conn, "/api/v1/accounts/#{user.id}/statuses", %{"exclude_reblogs" => "1"})
 
       assert [%{"id" => id}] = json_response(conn, 200)
       assert id == to_string(post.id)
     end
 
-    test "filters user's statuses by a hashtag", %{conn: conn} do
-      user = insert(:user)
+    test "filters user's statuses by a hashtag", %{user: user, conn: conn} do
       {:ok, post} = CommonAPI.post(user, %{"status" => "#hashtag"})
       {:ok, _post} = CommonAPI.post(user, %{"status" => "hashtag"})
 
-      conn =
-        conn
-        |> get("/api/v1/accounts/#{user.id}/statuses", %{"tagged" => "hashtag"})
+      conn = get(conn, "/api/v1/accounts/#{user.id}/statuses", %{"tagged" => "hashtag"})
 
       assert [%{"id" => id}] = json_response(conn, 200)
       assert id == to_string(post.id)
     end
 
-    test "the user views their own timelines and excludes direct messages", %{conn: conn} do
-      user = insert(:user)
+    test "the user views their own timelines and excludes direct messages", %{
+      user: user,
+      conn: conn
+    } do
       {:ok, public_activity} = CommonAPI.post(user, %{"status" => ".", "visibility" => "public"})
       {:ok, _direct_activity} = CommonAPI.post(user, %{"status" => ".", "visibility" => "direct"})
 
       conn =
-        conn
-        |> assign(:user, user)
-        |> get("/api/v1/accounts/#{user.id}/statuses", %{"exclude_visibilities" => ["direct"]})
+        get(conn, "/api/v1/accounts/#{user.id}/statuses", %{"exclude_visibilities" => ["direct"]})
 
       assert [%{"id" => id}] = json_response(conn, 200)
       assert id == to_string(public_activity.id)
@@ -321,46 +298,42 @@ test "the user views their own timelines and excludes direct messages", %{conn:
   end
 
   describe "followers" do
-    test "getting followers", %{conn: conn} do
-      user = insert(:user)
+    setup do: oauth_access(["read:accounts"])
+
+    test "getting followers", %{user: user, conn: conn} do
       other_user = insert(:user)
       {:ok, user} = User.follow(user, other_user)
 
-      conn =
-        conn
-        |> get("/api/v1/accounts/#{other_user.id}/followers")
+      conn = get(conn, "/api/v1/accounts/#{other_user.id}/followers")
 
       assert [%{"id" => id}] = json_response(conn, 200)
       assert id == to_string(user.id)
     end
 
-    test "getting followers, hide_followers", %{conn: conn} do
-      user = insert(:user)
+    test "getting followers, hide_followers", %{user: user, conn: conn} do
       other_user = insert(:user, hide_followers: true)
       {:ok, _user} = User.follow(user, other_user)
 
-      conn =
-        conn
-        |> get("/api/v1/accounts/#{other_user.id}/followers")
+      conn = get(conn, "/api/v1/accounts/#{other_user.id}/followers")
 
       assert [] == json_response(conn, 200)
     end
 
-    test "getting followers, hide_followers, same user requesting", %{conn: conn} do
+    test "getting followers, hide_followers, same user requesting" do
       user = insert(:user)
       other_user = insert(:user, hide_followers: true)
       {:ok, _user} = User.follow(user, other_user)
 
       conn =
-        conn
+        build_conn()
         |> assign(:user, other_user)
+        |> assign(:token, insert(:oauth_token, user: other_user, scopes: ["read:accounts"]))
         |> get("/api/v1/accounts/#{other_user.id}/followers")
 
       refute [] == json_response(conn, 200)
     end
 
-    test "getting followers, pagination", %{conn: conn} do
-      user = insert(:user)
+    test "getting followers, pagination", %{user: user, conn: conn} do
       follower1 = insert(:user)
       follower2 = insert(:user)
       follower3 = insert(:user)
@@ -368,29 +341,19 @@ test "getting followers, pagination", %{conn: conn} do
       {:ok, _} = User.follow(follower2, user)
       {:ok, _} = User.follow(follower3, user)
 
-      conn =
-        conn
-        |> assign(:user, user)
-
-      res_conn =
-        conn
-        |> get("/api/v1/accounts/#{user.id}/followers?since_id=#{follower1.id}")
+      res_conn = get(conn, "/api/v1/accounts/#{user.id}/followers?since_id=#{follower1.id}")
 
       assert [%{"id" => id3}, %{"id" => id2}] = json_response(res_conn, 200)
       assert id3 == follower3.id
       assert id2 == follower2.id
 
-      res_conn =
-        conn
-        |> get("/api/v1/accounts/#{user.id}/followers?max_id=#{follower3.id}")
+      res_conn = get(conn, "/api/v1/accounts/#{user.id}/followers?max_id=#{follower3.id}")
 
       assert [%{"id" => id2}, %{"id" => id1}] = json_response(res_conn, 200)
       assert id2 == follower2.id
       assert id1 == follower1.id
 
-      res_conn =
-        conn
-        |> get("/api/v1/accounts/#{user.id}/followers?limit=1&max_id=#{follower3.id}")
+      res_conn = get(conn, "/api/v1/accounts/#{user.id}/followers?limit=1&max_id=#{follower3.id}")
 
       assert [%{"id" => id2}] = json_response(res_conn, 200)
       assert id2 == follower2.id
@@ -402,46 +365,47 @@ test "getting followers, pagination", %{conn: conn} do
   end
 
   describe "following" do
-    test "getting following", %{conn: conn} do
-      user = insert(:user)
+    setup do: oauth_access(["read:accounts"])
+
+    test "getting following", %{user: user, conn: conn} do
       other_user = insert(:user)
       {:ok, user} = User.follow(user, other_user)
 
-      conn =
-        conn
-        |> get("/api/v1/accounts/#{user.id}/following")
+      conn = get(conn, "/api/v1/accounts/#{user.id}/following")
 
       assert [%{"id" => id}] = json_response(conn, 200)
       assert id == to_string(other_user.id)
     end
 
-    test "getting following, hide_follows", %{conn: conn} do
+    test "getting following, hide_follows, other user requesting" do
       user = insert(:user, hide_follows: true)
       other_user = insert(:user)
       {:ok, user} = User.follow(user, other_user)
 
       conn =
-        conn
+        build_conn()
+        |> assign(:user, other_user)
+        |> assign(:token, insert(:oauth_token, user: other_user, scopes: ["read:accounts"]))
         |> get("/api/v1/accounts/#{user.id}/following")
 
       assert [] == json_response(conn, 200)
     end
 
-    test "getting following, hide_follows, same user requesting", %{conn: conn} do
+    test "getting following, hide_follows, same user requesting" do
       user = insert(:user, hide_follows: true)
       other_user = insert(:user)
       {:ok, user} = User.follow(user, other_user)
 
       conn =
-        conn
+        build_conn()
         |> assign(:user, user)
+        |> assign(:token, insert(:oauth_token, user: user, scopes: ["read:accounts"]))
         |> get("/api/v1/accounts/#{user.id}/following")
 
       refute [] == json_response(conn, 200)
     end
 
-    test "getting following, pagination", %{conn: conn} do
-      user = insert(:user)
+    test "getting following, pagination", %{user: user, conn: conn} do
       following1 = insert(:user)
       following2 = insert(:user)
       following3 = insert(:user)
@@ -449,29 +413,20 @@ test "getting following, pagination", %{conn: conn} do
       {:ok, _} = User.follow(user, following2)
       {:ok, _} = User.follow(user, following3)
 
-      conn =
-        conn
-        |> assign(:user, user)
-
-      res_conn =
-        conn
-        |> get("/api/v1/accounts/#{user.id}/following?since_id=#{following1.id}")
+      res_conn = get(conn, "/api/v1/accounts/#{user.id}/following?since_id=#{following1.id}")
 
       assert [%{"id" => id3}, %{"id" => id2}] = json_response(res_conn, 200)
       assert id3 == following3.id
       assert id2 == following2.id
 
-      res_conn =
-        conn
-        |> get("/api/v1/accounts/#{user.id}/following?max_id=#{following3.id}")
+      res_conn = get(conn, "/api/v1/accounts/#{user.id}/following?max_id=#{following3.id}")
 
       assert [%{"id" => id2}, %{"id" => id1}] = json_response(res_conn, 200)
       assert id2 == following2.id
       assert id1 == following1.id
 
       res_conn =
-        conn
-        |> get("/api/v1/accounts/#{user.id}/following?limit=1&max_id=#{following3.id}")
+        get(conn, "/api/v1/accounts/#{user.id}/following?limit=1&max_id=#{following3.id}")
 
       assert [%{"id" => id2}] = json_response(res_conn, 200)
       assert id2 == following2.id
@@ -483,82 +438,52 @@ test "getting following, pagination", %{conn: conn} do
   end
 
   describe "follow/unfollow" do
+    setup do: oauth_access(["follow"])
+
     test "following / unfollowing a user", %{conn: conn} do
-      user = insert(:user)
       other_user = insert(:user)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/accounts/#{other_user.id}/follow")
+      ret_conn = post(conn, "/api/v1/accounts/#{other_user.id}/follow")
 
-      assert %{"id" => _id, "following" => true} = json_response(conn, 200)
+      assert %{"id" => _id, "following" => true} = json_response(ret_conn, 200)
 
-      user = User.get_cached_by_id(user.id)
+      ret_conn = post(conn, "/api/v1/accounts/#{other_user.id}/unfollow")
 
-      conn =
-        build_conn()
-        |> assign(:user, user)
-        |> post("/api/v1/accounts/#{other_user.id}/unfollow")
+      assert %{"id" => _id, "following" => false} = json_response(ret_conn, 200)
 
-      assert %{"id" => _id, "following" => false} = json_response(conn, 200)
-
-      user = User.get_cached_by_id(user.id)
-
-      conn =
-        build_conn()
-        |> assign(:user, user)
-        |> post("/api/v1/follows", %{"uri" => other_user.nickname})
+      conn = post(conn, "/api/v1/follows", %{"uri" => other_user.nickname})
 
       assert %{"id" => id} = json_response(conn, 200)
       assert id == to_string(other_user.id)
     end
 
     test "following without reblogs" do
-      follower = insert(:user)
+      %{conn: conn} = oauth_access(["follow", "read:statuses"])
       followed = insert(:user)
       other_user = insert(:user)
 
-      conn =
-        build_conn()
-        |> assign(:user, follower)
-        |> post("/api/v1/accounts/#{followed.id}/follow?reblogs=false")
+      ret_conn = post(conn, "/api/v1/accounts/#{followed.id}/follow?reblogs=false")
 
-      assert %{"showing_reblogs" => false} = json_response(conn, 200)
+      assert %{"showing_reblogs" => false} = json_response(ret_conn, 200)
 
       {:ok, activity} = CommonAPI.post(other_user, %{"status" => "hey"})
       {:ok, reblog, _} = CommonAPI.repeat(activity.id, followed)
 
-      conn =
-        build_conn()
-        |> assign(:user, User.get_cached_by_id(follower.id))
-        |> get("/api/v1/timelines/home")
+      ret_conn = get(conn, "/api/v1/timelines/home")
 
-      assert [] == json_response(conn, 200)
+      assert [] == json_response(ret_conn, 200)
 
-      conn =
-        build_conn()
-        |> assign(:user, User.get_cached_by_id(follower.id))
-        |> post("/api/v1/accounts/#{followed.id}/follow?reblogs=true")
+      ret_conn = post(conn, "/api/v1/accounts/#{followed.id}/follow?reblogs=true")
 
-      assert %{"showing_reblogs" => true} = json_response(conn, 200)
+      assert %{"showing_reblogs" => true} = json_response(ret_conn, 200)
 
-      conn =
-        build_conn()
-        |> assign(:user, User.get_cached_by_id(follower.id))
-        |> get("/api/v1/timelines/home")
+      conn = get(conn, "/api/v1/timelines/home")
 
       expected_activity_id = reblog.id
       assert [%{"id" => ^expected_activity_id}] = json_response(conn, 200)
     end
 
-    test "following / unfollowing errors" do
-      user = insert(:user)
-
-      conn =
-        build_conn()
-        |> assign(:user, user)
-
+    test "following / unfollowing errors", %{user: user, conn: conn} do
       # self follow
       conn_res = post(conn, "/api/v1/accounts/#{user.id}/follow")
       assert %{"error" => "Record not found"} = json_response(conn_res, 404)
@@ -588,47 +513,34 @@ test "following / unfollowing errors" do
   end
 
   describe "mute/unmute" do
+    setup do: oauth_access(["write:mutes"])
+
     test "with notifications", %{conn: conn} do
-      user = insert(:user)
       other_user = insert(:user)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/accounts/#{other_user.id}/mute")
+      ret_conn = post(conn, "/api/v1/accounts/#{other_user.id}/mute")
 
-      response = json_response(conn, 200)
+      response = json_response(ret_conn, 200)
 
       assert %{"id" => _id, "muting" => true, "muting_notifications" => true} = response
-      user = User.get_cached_by_id(user.id)
 
-      conn =
-        build_conn()
-        |> assign(:user, user)
-        |> post("/api/v1/accounts/#{other_user.id}/unmute")
+      conn = post(conn, "/api/v1/accounts/#{other_user.id}/unmute")
 
       response = json_response(conn, 200)
       assert %{"id" => _id, "muting" => false, "muting_notifications" => false} = response
     end
 
     test "without notifications", %{conn: conn} do
-      user = insert(:user)
       other_user = insert(:user)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/accounts/#{other_user.id}/mute", %{"notifications" => "false"})
+      ret_conn =
+        post(conn, "/api/v1/accounts/#{other_user.id}/mute", %{"notifications" => "false"})
 
-      response = json_response(conn, 200)
+      response = json_response(ret_conn, 200)
 
       assert %{"id" => _id, "muting" => true, "muting_notifications" => false} = response
-      user = User.get_cached_by_id(user.id)
 
-      conn =
-        build_conn()
-        |> assign(:user, user)
-        |> post("/api/v1/accounts/#{other_user.id}/unmute")
+      conn = post(conn, "/api/v1/accounts/#{other_user.id}/unmute")
 
       response = json_response(conn, 200)
       assert %{"id" => _id, "muting" => false, "muting_notifications" => false} = response
@@ -639,8 +551,9 @@ test "without notifications", %{conn: conn} do
     setup do
       user = insert(:user)
       {:ok, activity} = CommonAPI.post(user, %{"status" => "HI!!!"})
+      %{conn: conn} = oauth_access(["read:statuses"], user: user)
 
-      [user: user, activity: activity]
+      [conn: conn, user: user, activity: activity]
     end
 
     test "returns pinned statuses", %{conn: conn, user: user, activity: activity} do
@@ -648,7 +561,6 @@ test "returns pinned statuses", %{conn: conn, user: user, activity: activity} do
 
       result =
         conn
-        |> assign(:user, user)
         |> get("/api/v1/accounts/#{user.id}/statuses?pinned=true")
         |> json_response(200)
 
@@ -658,23 +570,15 @@ test "returns pinned statuses", %{conn: conn, user: user, activity: activity} do
     end
   end
 
-  test "blocking / unblocking a user", %{conn: conn} do
-    user = insert(:user)
+  test "blocking / unblocking a user" do
+    %{conn: conn} = oauth_access(["follow"])
     other_user = insert(:user)
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> post("/api/v1/accounts/#{other_user.id}/block")
+    ret_conn = post(conn, "/api/v1/accounts/#{other_user.id}/block")
 
-    assert %{"id" => _id, "blocking" => true} = json_response(conn, 200)
+    assert %{"id" => _id, "blocking" => true} = json_response(ret_conn, 200)
 
-    user = User.get_cached_by_id(user.id)
-
-    conn =
-      build_conn()
-      |> assign(:user, user)
-      |> post("/api/v1/accounts/#{other_user.id}/unblock")
+    conn = post(conn, "/api/v1/accounts/#{other_user.id}/unblock")
 
     assert %{"id" => _id, "blocking" => false} = json_response(conn, 200)
   end
@@ -693,8 +597,7 @@ test "blocking / unblocking a user", %{conn: conn} do
 
     test "Account registration via Application", %{conn: conn} do
       conn =
-        conn
-        |> post("/api/v1/apps", %{
+        post(conn, "/api/v1/apps", %{
           client_name: "client_name",
           redirect_uris: "urn:ietf:wg:oauth:2.0:oob",
           scopes: "read, write, follow"
@@ -711,8 +614,7 @@ test "Account registration via Application", %{conn: conn} do
       } = json_response(conn, 200)
 
       conn =
-        conn
-        |> post("/oauth/token", %{
+        post(conn, "/oauth/token", %{
           grant_type: "client_credentials",
           client_id: client_id,
           client_secret: client_secret
@@ -769,13 +671,13 @@ test "rate limit", %{conn: conn} do
       app_token = insert(:oauth_token, user: nil)
 
       conn =
-        put_req_header(conn, "authorization", "Bearer " <> app_token.token)
+        conn
+        |> put_req_header("authorization", "Bearer " <> app_token.token)
         |> Map.put(:remote_ip, {15, 15, 15, 15})
 
       for i <- 1..5 do
         conn =
-          conn
-          |> post("/api/v1/accounts", %{
+          post(conn, "/api/v1/accounts", %{
             username: "#{i}lain",
             email: "#{i}lain@example.org",
             password: "PlzDontHackLain",
@@ -798,8 +700,7 @@ test "rate limit", %{conn: conn} do
       end
 
       conn =
-        conn
-        |> post("/api/v1/accounts", %{
+        post(conn, "/api/v1/accounts", %{
           username: "6lain",
           email: "6lain@example.org",
           password: "PlzDontHackLain",
@@ -815,9 +716,7 @@ test "returns bad_request if missing required params", %{
     } do
       app_token = insert(:oauth_token, user: nil)
 
-      conn =
-        conn
-        |> put_req_header("authorization", "Bearer " <> app_token.token)
+      conn = put_req_header(conn, "authorization", "Bearer " <> app_token.token)
 
       res = post(conn, "/api/v1/accounts", valid_params)
       assert json_response(res, 200)
@@ -836,9 +735,7 @@ test "returns bad_request if missing required params", %{
     end
 
     test "returns forbidden if token is invalid", %{conn: conn, valid_params: valid_params} do
-      conn =
-        conn
-        |> put_req_header("authorization", "Bearer " <> "invalid-token")
+      conn = put_req_header(conn, "authorization", "Bearer " <> "invalid-token")
 
       res = post(conn, "/api/v1/accounts", valid_params)
       assert json_response(res, 403) == %{"error" => "Invalid credentials"}
@@ -846,15 +743,14 @@ test "returns forbidden if token is invalid", %{conn: conn, valid_params: valid_
   end
 
   describe "GET /api/v1/accounts/:id/lists - account_lists" do
-    test "returns lists to which the account belongs", %{conn: conn} do
-      user = insert(:user)
+    test "returns lists to which the account belongs" do
+      %{user: user, conn: conn} = oauth_access(["read:lists"])
       other_user = insert(:user)
       assert {:ok, %Pleroma.List{} = list} = Pleroma.List.create("Test List", user)
       {:ok, %{following: _following}} = Pleroma.List.follow(list, other_user)
 
       res =
         conn
-        |> assign(:user, user)
         |> get("/api/v1/accounts/#{other_user.id}/lists")
         |> json_response(200)
 
@@ -863,13 +759,9 @@ test "returns lists to which the account belongs", %{conn: conn} do
   end
 
   describe "verify_credentials" do
-    test "verify_credentials", %{conn: conn} do
-      user = insert(:user)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> get("/api/v1/accounts/verify_credentials")
+    test "verify_credentials" do
+      %{user: user, conn: conn} = oauth_access(["read:accounts"])
+      conn = get(conn, "/api/v1/accounts/verify_credentials")
 
       response = json_response(conn, 200)
 
@@ -878,25 +770,21 @@ test "verify_credentials", %{conn: conn} do
       assert id == to_string(user.id)
     end
 
-    test "verify_credentials default scope unlisted", %{conn: conn} do
+    test "verify_credentials default scope unlisted" do
       user = insert(:user, default_scope: "unlisted")
+      %{conn: conn} = oauth_access(["read:accounts"], user: user)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> get("/api/v1/accounts/verify_credentials")
+      conn = get(conn, "/api/v1/accounts/verify_credentials")
 
       assert %{"id" => id, "source" => %{"privacy" => "unlisted"}} = json_response(conn, 200)
       assert id == to_string(user.id)
     end
 
-    test "locked accounts", %{conn: conn} do
+    test "locked accounts" do
       user = insert(:user, default_scope: "private")
+      %{conn: conn} = oauth_access(["read:accounts"], user: user)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> get("/api/v1/accounts/verify_credentials")
+      conn = get(conn, "/api/v1/accounts/verify_credentials")
 
       assert %{"id" => id, "source" => %{"privacy" => "private"}} = json_response(conn, 200)
       assert id == to_string(user.id)
@@ -904,15 +792,13 @@ test "locked accounts", %{conn: conn} do
   end
 
   describe "user relationships" do
-    test "returns the relationships for the current user", %{conn: conn} do
-      user = insert(:user)
-      other_user = insert(:user)
-      {:ok, user} = User.follow(user, other_user)
+    setup do: oauth_access(["read:follows"])
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> get("/api/v1/accounts/relationships", %{"id" => [other_user.id]})
+    test "returns the relationships for the current user", %{user: user, conn: conn} do
+      other_user = insert(:user)
+      {:ok, _user} = User.follow(user, other_user)
+
+      conn = get(conn, "/api/v1/accounts/relationships", %{"id" => [other_user.id]})
 
       assert [relationship] = json_response(conn, 200)
 
@@ -920,34 +806,26 @@ test "returns the relationships for the current user", %{conn: conn} do
     end
 
     test "returns an empty list on a bad request", %{conn: conn} do
-      user = insert(:user)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> get("/api/v1/accounts/relationships", %{})
+      conn = get(conn, "/api/v1/accounts/relationships", %{})
 
       assert [] = json_response(conn, 200)
     end
   end
 
-  test "getting a list of mutes", %{conn: conn} do
-    user = insert(:user)
+  test "getting a list of mutes" do
+    %{user: user, conn: conn} = oauth_access(["read:mutes"])
     other_user = insert(:user)
 
     {:ok, _user_relationships} = User.mute(user, other_user)
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> get("/api/v1/mutes")
+    conn = get(conn, "/api/v1/mutes")
 
     other_user_id = to_string(other_user.id)
     assert [%{"id" => ^other_user_id}] = json_response(conn, 200)
   end
 
-  test "getting a list of blocks", %{conn: conn} do
-    user = insert(:user)
+  test "getting a list of blocks" do
+    %{user: user, conn: conn} = oauth_access(["read:blocks"])
     other_user = insert(:user)
 
     {:ok, _user_relationship} = User.block(user, other_user)
diff --git a/test/web/mastodon_api/controllers/conversation_controller_test.exs b/test/web/mastodon_api/controllers/conversation_controller_test.exs
index 2a1223b18..4bb9781a6 100644
--- a/test/web/mastodon_api/controllers/conversation_controller_test.exs
+++ b/test/web/mastodon_api/controllers/conversation_controller_test.exs
@@ -10,8 +10,9 @@ defmodule Pleroma.Web.MastodonAPI.ConversationControllerTest do
 
   import Pleroma.Factory
 
-  test "returns a list of conversations", %{conn: conn} do
-    user_one = insert(:user)
+  setup do: oauth_access(["read:statuses"])
+
+  test "returns a list of conversations", %{user: user_one, conn: conn} do
     user_two = insert(:user)
     user_three = insert(:user)
 
@@ -33,10 +34,7 @@ test "returns a list of conversations", %{conn: conn} do
         "visibility" => "private"
       })
 
-    res_conn =
-      conn
-      |> assign(:user, user_one)
-      |> get("/api/v1/conversations")
+    res_conn = get(conn, "/api/v1/conversations")
 
     assert response = json_response(res_conn, 200)
 
@@ -59,8 +57,7 @@ test "returns a list of conversations", %{conn: conn} do
     assert User.get_cached_by_id(user_one.id).unread_conversation_count == 0
   end
 
-  test "filters conversations by recipients", %{conn: conn} do
-    user_one = insert(:user)
+  test "filters conversations by recipients", %{user: user_one, conn: conn} do
     user_two = insert(:user)
     user_three = insert(:user)
 
@@ -96,7 +93,6 @@ test "filters conversations by recipients", %{conn: conn} do
 
     [conversation1, conversation2] =
       conn
-      |> assign(:user, user_one)
       |> get("/api/v1/conversations", %{"recipients" => [user_two.id]})
       |> json_response(200)
 
@@ -105,15 +101,13 @@ test "filters conversations by recipients", %{conn: conn} do
 
     [conversation1] =
       conn
-      |> assign(:user, user_one)
       |> get("/api/v1/conversations", %{"recipients" => [user_two.id, user_three.id]})
       |> json_response(200)
 
     assert conversation1["last_status"]["id"] == direct3.id
   end
 
-  test "updates the last_status on reply", %{conn: conn} do
-    user_one = insert(:user)
+  test "updates the last_status on reply", %{user: user_one, conn: conn} do
     user_two = insert(:user)
 
     {:ok, direct} =
@@ -131,15 +125,13 @@ test "updates the last_status on reply", %{conn: conn} do
 
     [%{"last_status" => res_last_status}] =
       conn
-      |> assign(:user, user_one)
       |> get("/api/v1/conversations")
       |> json_response(200)
 
     assert res_last_status["id"] == direct_reply.id
   end
 
-  test "the user marks a conversation as read", %{conn: conn} do
-    user_one = insert(:user)
+  test "the user marks a conversation as read", %{user: user_one, conn: conn} do
     user_two = insert(:user)
 
     {:ok, direct} =
@@ -151,15 +143,21 @@ test "the user marks a conversation as read", %{conn: conn} do
     assert User.get_cached_by_id(user_one.id).unread_conversation_count == 0
     assert User.get_cached_by_id(user_two.id).unread_conversation_count == 1
 
-    [%{"id" => direct_conversation_id, "unread" => true}] =
-      conn
+    user_two_conn =
+      build_conn()
       |> assign(:user, user_two)
+      |> assign(
+        :token,
+        insert(:oauth_token, user: user_two, scopes: ["read:statuses", "write:conversations"])
+      )
+
+    [%{"id" => direct_conversation_id, "unread" => true}] =
+      user_two_conn
       |> get("/api/v1/conversations")
       |> json_response(200)
 
     %{"unread" => false} =
-      conn
-      |> assign(:user, user_two)
+      user_two_conn
       |> post("/api/v1/conversations/#{direct_conversation_id}/read")
       |> json_response(200)
 
@@ -176,7 +174,6 @@ test "the user marks a conversation as read", %{conn: conn} do
 
     [%{"unread" => true}] =
       conn
-      |> assign(:user, user_one)
       |> get("/api/v1/conversations")
       |> json_response(200)
 
@@ -195,8 +192,7 @@ test "the user marks a conversation as read", %{conn: conn} do
     assert User.get_cached_by_id(user_two.id).unread_conversation_count == 0
   end
 
-  test "(vanilla) Mastodon frontend behaviour", %{conn: conn} do
-    user_one = insert(:user)
+  test "(vanilla) Mastodon frontend behaviour", %{user: user_one, conn: conn} do
     user_two = insert(:user)
 
     {:ok, direct} =
@@ -205,10 +201,7 @@ test "(vanilla) Mastodon frontend behaviour", %{conn: conn} do
         "visibility" => "direct"
       })
 
-    res_conn =
-      conn
-      |> assign(:user, user_one)
-      |> get("/api/v1/statuses/#{direct.id}/context")
+    res_conn = get(conn, "/api/v1/statuses/#{direct.id}/context")
 
     assert %{"ancestors" => [], "descendants" => []} == json_response(res_conn, 200)
   end
diff --git a/test/web/mastodon_api/controllers/domain_block_controller_test.exs b/test/web/mastodon_api/controllers/domain_block_controller_test.exs
index 25a279cdc..55de625ba 100644
--- a/test/web/mastodon_api/controllers/domain_block_controller_test.exs
+++ b/test/web/mastodon_api/controllers/domain_block_controller_test.exs
@@ -9,31 +9,25 @@ defmodule Pleroma.Web.MastodonAPI.DomainBlockControllerTest do
 
   import Pleroma.Factory
 
-  test "blocking / unblocking a domain", %{conn: conn} do
-    user = insert(:user)
+  test "blocking / unblocking a domain" do
+    %{user: user, conn: conn} = oauth_access(["write:blocks"])
     other_user = insert(:user, %{ap_id: "https://dogwhistle.zone/@pundit"})
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> post("/api/v1/domain_blocks", %{"domain" => "dogwhistle.zone"})
+    ret_conn = post(conn, "/api/v1/domain_blocks", %{"domain" => "dogwhistle.zone"})
 
-    assert %{} = json_response(conn, 200)
+    assert %{} = json_response(ret_conn, 200)
     user = User.get_cached_by_ap_id(user.ap_id)
     assert User.blocks?(user, other_user)
 
-    conn =
-      build_conn()
-      |> assign(:user, user)
-      |> delete("/api/v1/domain_blocks", %{"domain" => "dogwhistle.zone"})
+    ret_conn = delete(conn, "/api/v1/domain_blocks", %{"domain" => "dogwhistle.zone"})
 
-    assert %{} = json_response(conn, 200)
+    assert %{} = json_response(ret_conn, 200)
     user = User.get_cached_by_ap_id(user.ap_id)
     refute User.blocks?(user, other_user)
   end
 
-  test "getting a list of domain blocks", %{conn: conn} do
-    user = insert(:user)
+  test "getting a list of domain blocks" do
+    %{user: user, conn: conn} = oauth_access(["read:blocks"])
 
     {:ok, user} = User.block_domain(user, "bad.site")
     {:ok, user} = User.block_domain(user, "even.worse.site")
diff --git a/test/web/mastodon_api/controllers/filter_controller_test.exs b/test/web/mastodon_api/controllers/filter_controller_test.exs
index 550689788..3aea17ec7 100644
--- a/test/web/mastodon_api/controllers/filter_controller_test.exs
+++ b/test/web/mastodon_api/controllers/filter_controller_test.exs
@@ -7,20 +7,15 @@ defmodule Pleroma.Web.MastodonAPI.FilterControllerTest do
 
   alias Pleroma.Web.MastodonAPI.FilterView
 
-  import Pleroma.Factory
-
-  test "creating a filter", %{conn: conn} do
-    user = insert(:user)
+  test "creating a filter" do
+    %{conn: conn} = oauth_access(["write:filters"])
 
     filter = %Pleroma.Filter{
       phrase: "knights",
       context: ["home"]
     }
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> post("/api/v1/filters", %{"phrase" => filter.phrase, context: filter.context})
+    conn = post(conn, "/api/v1/filters", %{"phrase" => filter.phrase, context: filter.context})
 
     assert response = json_response(conn, 200)
     assert response["phrase"] == filter.phrase
@@ -30,8 +25,8 @@ test "creating a filter", %{conn: conn} do
     assert response["id"] != ""
   end
 
-  test "fetching a list of filters", %{conn: conn} do
-    user = insert(:user)
+  test "fetching a list of filters" do
+    %{user: user, conn: conn} = oauth_access(["read:filters"])
 
     query_one = %Pleroma.Filter{
       user_id: user.id,
@@ -52,7 +47,6 @@ test "fetching a list of filters", %{conn: conn} do
 
     response =
       conn
-      |> assign(:user, user)
       |> get("/api/v1/filters")
       |> json_response(200)
 
@@ -64,8 +58,8 @@ test "fetching a list of filters", %{conn: conn} do
              )
   end
 
-  test "get a filter", %{conn: conn} do
-    user = insert(:user)
+  test "get a filter" do
+    %{user: user, conn: conn} = oauth_access(["read:filters"])
 
     query = %Pleroma.Filter{
       user_id: user.id,
@@ -76,16 +70,13 @@ test "get a filter", %{conn: conn} do
 
     {:ok, filter} = Pleroma.Filter.create(query)
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> get("/api/v1/filters/#{filter.filter_id}")
+    conn = get(conn, "/api/v1/filters/#{filter.filter_id}")
 
     assert _response = json_response(conn, 200)
   end
 
-  test "update a filter", %{conn: conn} do
-    user = insert(:user)
+  test "update a filter" do
+    %{user: user, conn: conn} = oauth_access(["write:filters"])
 
     query = %Pleroma.Filter{
       user_id: user.id,
@@ -102,9 +93,7 @@ test "update a filter", %{conn: conn} do
     }
 
     conn =
-      conn
-      |> assign(:user, user)
-      |> put("/api/v1/filters/#{query.filter_id}", %{
+      put(conn, "/api/v1/filters/#{query.filter_id}", %{
         phrase: new.phrase,
         context: new.context
       })
@@ -114,8 +103,8 @@ test "update a filter", %{conn: conn} do
     assert response["context"] == new.context
   end
 
-  test "delete a filter", %{conn: conn} do
-    user = insert(:user)
+  test "delete a filter" do
+    %{user: user, conn: conn} = oauth_access(["write:filters"])
 
     query = %Pleroma.Filter{
       user_id: user.id,
@@ -126,10 +115,7 @@ test "delete a filter", %{conn: conn} do
 
     {:ok, filter} = Pleroma.Filter.create(query)
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> delete("/api/v1/filters/#{filter.filter_id}")
+    conn = delete(conn, "/api/v1/filters/#{filter.filter_id}")
 
     assert response = json_response(conn, 200)
     assert response == %{}
diff --git a/test/web/mastodon_api/controllers/follow_request_controller_test.exs b/test/web/mastodon_api/controllers/follow_request_controller_test.exs
index 288cd9029..6e4a76501 100644
--- a/test/web/mastodon_api/controllers/follow_request_controller_test.exs
+++ b/test/web/mastodon_api/controllers/follow_request_controller_test.exs
@@ -11,8 +11,13 @@ defmodule Pleroma.Web.MastodonAPI.FollowRequestControllerTest do
   import Pleroma.Factory
 
   describe "locked accounts" do
-    test "/api/v1/follow_requests works" do
+    setup do
       user = insert(:user, locked: true)
+      %{conn: conn} = oauth_access(["follow"], user: user)
+      %{user: user, conn: conn}
+    end
+
+    test "/api/v1/follow_requests works", %{user: user, conn: conn} do
       other_user = insert(:user)
 
       {:ok, _activity} = ActivityPub.follow(other_user, user)
@@ -20,17 +25,13 @@ test "/api/v1/follow_requests works" do
 
       assert User.following?(other_user, user) == false
 
-      conn =
-        build_conn()
-        |> assign(:user, user)
-        |> get("/api/v1/follow_requests")
+      conn = get(conn, "/api/v1/follow_requests")
 
       assert [relationship] = json_response(conn, 200)
       assert to_string(other_user.id) == relationship["id"]
     end
 
-    test "/api/v1/follow_requests/:id/authorize works" do
-      user = insert(:user, locked: true)
+    test "/api/v1/follow_requests/:id/authorize works", %{user: user, conn: conn} do
       other_user = insert(:user)
 
       {:ok, _activity} = ActivityPub.follow(other_user, user)
@@ -41,10 +42,7 @@ test "/api/v1/follow_requests/:id/authorize works" do
 
       assert User.following?(other_user, user) == false
 
-      conn =
-        build_conn()
-        |> assign(:user, user)
-        |> post("/api/v1/follow_requests/#{other_user.id}/authorize")
+      conn = post(conn, "/api/v1/follow_requests/#{other_user.id}/authorize")
 
       assert relationship = json_response(conn, 200)
       assert to_string(other_user.id) == relationship["id"]
@@ -55,18 +53,14 @@ test "/api/v1/follow_requests/:id/authorize works" do
       assert User.following?(other_user, user) == true
     end
 
-    test "/api/v1/follow_requests/:id/reject works" do
-      user = insert(:user, locked: true)
+    test "/api/v1/follow_requests/:id/reject works", %{user: user, conn: conn} do
       other_user = insert(:user)
 
       {:ok, _activity} = ActivityPub.follow(other_user, user)
 
       user = User.get_cached_by_id(user.id)
 
-      conn =
-        build_conn()
-        |> assign(:user, user)
-        |> post("/api/v1/follow_requests/#{other_user.id}/reject")
+      conn = post(conn, "/api/v1/follow_requests/#{other_user.id}/reject")
 
       assert relationship = json_response(conn, 200)
       assert to_string(other_user.id) == relationship["id"]
diff --git a/test/web/mastodon_api/controllers/list_controller_test.exs b/test/web/mastodon_api/controllers/list_controller_test.exs
index 093506309..a6effbb69 100644
--- a/test/web/mastodon_api/controllers/list_controller_test.exs
+++ b/test/web/mastodon_api/controllers/list_controller_test.exs
@@ -9,44 +9,35 @@ defmodule Pleroma.Web.MastodonAPI.ListControllerTest do
 
   import Pleroma.Factory
 
-  test "creating a list", %{conn: conn} do
-    user = insert(:user)
+  test "creating a list" do
+    %{conn: conn} = oauth_access(["write:lists"])
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> post("/api/v1/lists", %{"title" => "cuties"})
+    conn = post(conn, "/api/v1/lists", %{"title" => "cuties"})
 
     assert %{"title" => title} = json_response(conn, 200)
     assert title == "cuties"
   end
 
-  test "renders error for invalid params", %{conn: conn} do
-    user = insert(:user)
+  test "renders error for invalid params" do
+    %{conn: conn} = oauth_access(["write:lists"])
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> post("/api/v1/lists", %{"title" => nil})
+    conn = post(conn, "/api/v1/lists", %{"title" => nil})
 
     assert %{"error" => "can't be blank"} == json_response(conn, :unprocessable_entity)
   end
 
-  test "listing a user's lists", %{conn: conn} do
-    user = insert(:user)
+  test "listing a user's lists" do
+    %{conn: conn} = oauth_access(["read:lists", "write:lists"])
 
     conn
-    |> assign(:user, user)
     |> post("/api/v1/lists", %{"title" => "cuties"})
+    |> json_response(:ok)
 
     conn
-    |> assign(:user, user)
     |> post("/api/v1/lists", %{"title" => "cofe"})
+    |> json_response(:ok)
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> get("/api/v1/lists")
+    conn = get(conn, "/api/v1/lists")
 
     assert [
              %{"id" => _, "title" => "cofe"},
@@ -54,41 +45,35 @@ test "listing a user's lists", %{conn: conn} do
            ] = json_response(conn, :ok)
   end
 
-  test "adding users to a list", %{conn: conn} do
-    user = insert(:user)
+  test "adding users to a list" do
+    %{user: user, conn: conn} = oauth_access(["write:lists"])
     other_user = insert(:user)
     {:ok, list} = Pleroma.List.create("name", user)
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> post("/api/v1/lists/#{list.id}/accounts", %{"account_ids" => [other_user.id]})
+    conn = post(conn, "/api/v1/lists/#{list.id}/accounts", %{"account_ids" => [other_user.id]})
 
     assert %{} == json_response(conn, 200)
     %Pleroma.List{following: following} = Pleroma.List.get(list.id, user)
     assert following == [other_user.follower_address]
   end
 
-  test "removing users from a list", %{conn: conn} do
-    user = insert(:user)
+  test "removing users from a list" do
+    %{user: user, conn: conn} = oauth_access(["write:lists"])
     other_user = insert(:user)
     third_user = insert(:user)
     {:ok, list} = Pleroma.List.create("name", user)
     {:ok, list} = Pleroma.List.follow(list, other_user)
     {:ok, list} = Pleroma.List.follow(list, third_user)
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> delete("/api/v1/lists/#{list.id}/accounts", %{"account_ids" => [other_user.id]})
+    conn = delete(conn, "/api/v1/lists/#{list.id}/accounts", %{"account_ids" => [other_user.id]})
 
     assert %{} == json_response(conn, 200)
     %Pleroma.List{following: following} = Pleroma.List.get(list.id, user)
     assert following == [third_user.follower_address]
   end
 
-  test "listing users in a list", %{conn: conn} do
-    user = insert(:user)
+  test "listing users in a list" do
+    %{user: user, conn: conn} = oauth_access(["read:lists"])
     other_user = insert(:user)
     {:ok, list} = Pleroma.List.create("name", user)
     {:ok, list} = Pleroma.List.follow(list, other_user)
@@ -102,8 +87,8 @@ test "listing users in a list", %{conn: conn} do
     assert id == to_string(other_user.id)
   end
 
-  test "retrieving a list", %{conn: conn} do
-    user = insert(:user)
+  test "retrieving a list" do
+    %{user: user, conn: conn} = oauth_access(["read:lists"])
     {:ok, list} = Pleroma.List.create("name", user)
 
     conn =
@@ -115,32 +100,26 @@ test "retrieving a list", %{conn: conn} do
     assert id == to_string(list.id)
   end
 
-  test "renders 404 if list is not found", %{conn: conn} do
-    user = insert(:user)
+  test "renders 404 if list is not found" do
+    %{conn: conn} = oauth_access(["read:lists"])
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> get("/api/v1/lists/666")
+    conn = get(conn, "/api/v1/lists/666")
 
     assert %{"error" => "List not found"} = json_response(conn, :not_found)
   end
 
-  test "renaming a list", %{conn: conn} do
-    user = insert(:user)
+  test "renaming a list" do
+    %{user: user, conn: conn} = oauth_access(["write:lists"])
     {:ok, list} = Pleroma.List.create("name", user)
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> put("/api/v1/lists/#{list.id}", %{"title" => "newname"})
+    conn = put(conn, "/api/v1/lists/#{list.id}", %{"title" => "newname"})
 
     assert %{"title" => name} = json_response(conn, 200)
     assert name == "newname"
   end
 
-  test "validates title when renaming a list", %{conn: conn} do
-    user = insert(:user)
+  test "validates title when renaming a list" do
+    %{user: user, conn: conn} = oauth_access(["write:lists"])
     {:ok, list} = Pleroma.List.create("name", user)
 
     conn =
@@ -151,14 +130,11 @@ test "validates title when renaming a list", %{conn: conn} do
     assert %{"error" => "can't be blank"} == json_response(conn, :unprocessable_entity)
   end
 
-  test "deleting a list", %{conn: conn} do
-    user = insert(:user)
+  test "deleting a list" do
+    %{user: user, conn: conn} = oauth_access(["write:lists"])
     {:ok, list} = Pleroma.List.create("name", user)
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> delete("/api/v1/lists/#{list.id}")
+    conn = delete(conn, "/api/v1/lists/#{list.id}")
 
     assert %{} = json_response(conn, 200)
     assert is_nil(Repo.get(Pleroma.List, list.id))
diff --git a/test/web/mastodon_api/controllers/media_controller_test.exs b/test/web/mastodon_api/controllers/media_controller_test.exs
index 06c6a1cb3..042511ca4 100644
--- a/test/web/mastodon_api/controllers/media_controller_test.exs
+++ b/test/web/mastodon_api/controllers/media_controller_test.exs
@@ -9,23 +9,17 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
   alias Pleroma.User
   alias Pleroma.Web.ActivityPub.ActivityPub
 
-  import Pleroma.Factory
+  setup do: oauth_access(["write:media"])
 
   describe "media upload" do
     setup do
-      user = insert(:user)
-
-      conn =
-        build_conn()
-        |> assign(:user, user)
-
       image = %Plug.Upload{
         content_type: "image/jpg",
         path: Path.absname("test/fixtures/image.jpg"),
         filename: "an_image.jpg"
       }
 
-      [conn: conn, image: image]
+      [image: image]
     end
 
     clear_config([:media_proxy])
@@ -49,9 +43,7 @@ test "returns uploaded image", %{conn: conn, image: image} do
   end
 
   describe "PUT /api/v1/media/:id" do
-    setup do
-      actor = insert(:user)
-
+    setup %{user: actor} do
       file = %Plug.Upload{
         content_type: "image/jpg",
         path: Path.absname("test/fixtures/image.jpg"),
@@ -65,13 +57,12 @@ test "returns uploaded image", %{conn: conn, image: image} do
           description: "test-m"
         )
 
-      [actor: actor, object: object]
+      [object: object]
     end
 
-    test "updates name of media", %{conn: conn, actor: actor, object: object} do
+    test "updates name of media", %{conn: conn, object: object} do
       media =
         conn
-        |> assign(:user, actor)
         |> put("/api/v1/media/#{object.id}", %{"description" => "test-media"})
         |> json_response(:ok)
 
@@ -79,10 +70,9 @@ test "updates name of media", %{conn: conn, actor: actor, object: object} do
       assert refresh_record(object).data["name"] == "test-media"
     end
 
-    test "returns error wheb request is bad", %{conn: conn, actor: actor, object: object} do
+    test "returns error when request is bad", %{conn: conn, object: object} do
       media =
         conn
-        |> assign(:user, actor)
         |> put("/api/v1/media/#{object.id}", %{})
         |> json_response(400)
 
diff --git a/test/web/mastodon_api/controllers/notification_controller_test.exs b/test/web/mastodon_api/controllers/notification_controller_test.exs
index 6635ea7a2..86303f92f 100644
--- a/test/web/mastodon_api/controllers/notification_controller_test.exs
+++ b/test/web/mastodon_api/controllers/notification_controller_test.exs
@@ -12,8 +12,8 @@ defmodule Pleroma.Web.MastodonAPI.NotificationControllerTest do
 
   import Pleroma.Factory
 
-  test "list of notifications", %{conn: conn} do
-    user = insert(:user)
+  test "list of notifications" do
+    %{user: user, conn: conn} = oauth_access(["read:notifications"])
     other_user = insert(:user)
 
     {:ok, activity} = CommonAPI.post(other_user, %{"status" => "hi @#{user.nickname}"})
@@ -34,18 +34,15 @@ test "list of notifications", %{conn: conn} do
     assert response == expected_response
   end
 
-  test "getting a single notification", %{conn: conn} do
-    user = insert(:user)
+  test "getting a single notification" do
+    %{user: user, conn: conn} = oauth_access(["read:notifications"])
     other_user = insert(:user)
 
     {:ok, activity} = CommonAPI.post(other_user, %{"status" => "hi @#{user.nickname}"})
 
     {:ok, [notification]} = Notification.create_notifications(activity)
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> get("/api/v1/notifications/#{notification.id}")
+    conn = get(conn, "/api/v1/notifications/#{notification.id}")
 
     expected_response =
       "hi <span class=\"h-card\"><a data-user=\"#{user.id}\" class=\"u-url mention\" href=\"#{
@@ -56,8 +53,8 @@ test "getting a single notification", %{conn: conn} do
     assert response == expected_response
   end
 
-  test "dismissing a single notification", %{conn: conn} do
-    user = insert(:user)
+  test "dismissing a single notification" do
+    %{user: user, conn: conn} = oauth_access(["write:notifications"])
     other_user = insert(:user)
 
     {:ok, activity} = CommonAPI.post(other_user, %{"status" => "hi @#{user.nickname}"})
@@ -72,32 +69,26 @@ test "dismissing a single notification", %{conn: conn} do
     assert %{} = json_response(conn, 200)
   end
 
-  test "clearing all notifications", %{conn: conn} do
-    user = insert(:user)
+  test "clearing all notifications" do
+    %{user: user, conn: conn} = oauth_access(["write:notifications", "read:notifications"])
     other_user = insert(:user)
 
     {:ok, activity} = CommonAPI.post(other_user, %{"status" => "hi @#{user.nickname}"})
 
     {:ok, [_notification]} = Notification.create_notifications(activity)
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> post("/api/v1/notifications/clear")
+    ret_conn = post(conn, "/api/v1/notifications/clear")
 
-    assert %{} = json_response(conn, 200)
+    assert %{} = json_response(ret_conn, 200)
 
-    conn =
-      build_conn()
-      |> assign(:user, user)
-      |> get("/api/v1/notifications")
+    ret_conn = get(conn, "/api/v1/notifications")
 
-    assert all = json_response(conn, 200)
+    assert all = json_response(ret_conn, 200)
     assert all == []
   end
 
-  test "paginates notifications using min_id, since_id, max_id, and limit", %{conn: conn} do
-    user = insert(:user)
+  test "paginates notifications using min_id, since_id, max_id, and limit" do
+    %{user: user, conn: conn} = oauth_access(["read:notifications"])
     other_user = insert(:user)
 
     {:ok, activity1} = CommonAPI.post(other_user, %{"status" => "hi @#{user.nickname}"})
@@ -138,8 +129,8 @@ test "paginates notifications using min_id, since_id, max_id, and limit", %{conn
   end
 
   describe "exclude_visibilities" do
-    test "filters notifications for mentions", %{conn: conn} do
-      user = insert(:user)
+    test "filters notifications for mentions" do
+      %{user: user, conn: conn} = oauth_access(["read:notifications"])
       other_user = insert(:user)
 
       {:ok, public_activity} =
@@ -154,8 +145,6 @@ test "filters notifications for mentions", %{conn: conn} do
       {:ok, private_activity} =
         CommonAPI.post(other_user, %{"status" => "@#{user.nickname}", "visibility" => "private"})
 
-      conn = assign(conn, :user, user)
-
       conn_res =
         get(conn, "/api/v1/notifications", %{
           exclude_visibilities: ["public", "unlisted", "private"]
@@ -189,9 +178,9 @@ test "filters notifications for mentions", %{conn: conn} do
       assert id == public_activity.id
     end
 
-    test "filters notifications for Like activities", %{conn: conn} do
+    test "filters notifications for Like activities" do
       user = insert(:user)
-      other_user = insert(:user)
+      %{user: other_user, conn: conn} = oauth_access(["read:notifications"])
 
       {:ok, public_activity} =
         CommonAPI.post(other_user, %{"status" => ".", "visibility" => "public"})
@@ -212,7 +201,6 @@ test "filters notifications for Like activities", %{conn: conn} do
 
       activity_ids =
         conn
-        |> assign(:user, other_user)
         |> get("/api/v1/notifications", %{exclude_visibilities: ["direct"]})
         |> json_response(200)
         |> Enum.map(& &1["status"]["id"])
@@ -224,7 +212,6 @@ test "filters notifications for Like activities", %{conn: conn} do
 
       activity_ids =
         conn
-        |> assign(:user, other_user)
         |> get("/api/v1/notifications", %{exclude_visibilities: ["unlisted"]})
         |> json_response(200)
         |> Enum.map(& &1["status"]["id"])
@@ -236,7 +223,6 @@ test "filters notifications for Like activities", %{conn: conn} do
 
       activity_ids =
         conn
-        |> assign(:user, other_user)
         |> get("/api/v1/notifications", %{exclude_visibilities: ["private"]})
         |> json_response(200)
         |> Enum.map(& &1["status"]["id"])
@@ -248,7 +234,6 @@ test "filters notifications for Like activities", %{conn: conn} do
 
       activity_ids =
         conn
-        |> assign(:user, other_user)
         |> get("/api/v1/notifications", %{exclude_visibilities: ["public"]})
         |> json_response(200)
         |> Enum.map(& &1["status"]["id"])
@@ -259,9 +244,9 @@ test "filters notifications for Like activities", %{conn: conn} do
       assert direct_activity.id in activity_ids
     end
 
-    test "filters notifications for Announce activities", %{conn: conn} do
+    test "filters notifications for Announce activities" do
       user = insert(:user)
-      other_user = insert(:user)
+      %{user: other_user, conn: conn} = oauth_access(["read:notifications"])
 
       {:ok, public_activity} =
         CommonAPI.post(other_user, %{"status" => ".", "visibility" => "public"})
@@ -274,7 +259,6 @@ test "filters notifications for Announce activities", %{conn: conn} do
 
       activity_ids =
         conn
-        |> assign(:user, other_user)
         |> get("/api/v1/notifications", %{exclude_visibilities: ["unlisted"]})
         |> json_response(200)
         |> Enum.map(& &1["status"]["id"])
@@ -284,8 +268,8 @@ test "filters notifications for Announce activities", %{conn: conn} do
     end
   end
 
-  test "filters notifications using exclude_types", %{conn: conn} do
-    user = insert(:user)
+  test "filters notifications using exclude_types" do
+    %{user: user, conn: conn} = oauth_access(["read:notifications"])
     other_user = insert(:user)
 
     {:ok, mention_activity} = CommonAPI.post(other_user, %{"status" => "hey @#{user.nickname}"})
@@ -299,8 +283,6 @@ test "filters notifications using exclude_types", %{conn: conn} do
     reblog_notification_id = get_notification_id_by_activity(reblog_activity)
     follow_notification_id = get_notification_id_by_activity(follow_activity)
 
-    conn = assign(conn, :user, user)
-
     conn_res =
       get(conn, "/api/v1/notifications", %{exclude_types: ["mention", "favourite", "reblog"]})
 
@@ -322,8 +304,8 @@ test "filters notifications using exclude_types", %{conn: conn} do
     assert [%{"id" => ^reblog_notification_id}] = json_response(conn_res, 200)
   end
 
-  test "destroy multiple", %{conn: conn} do
-    user = insert(:user)
+  test "destroy multiple" do
+    %{user: user, conn: conn} = oauth_access(["read:notifications", "write:notifications"])
     other_user = insert(:user)
 
     {:ok, activity1} = CommonAPI.post(other_user, %{"status" => "hi @#{user.nickname}"})
@@ -336,8 +318,6 @@ test "destroy multiple", %{conn: conn} do
     notification3_id = get_notification_id_by_activity(activity3)
     notification4_id = get_notification_id_by_activity(activity4)
 
-    conn = assign(conn, :user, user)
-
     result =
       conn
       |> get("/api/v1/notifications")
@@ -348,6 +328,7 @@ test "destroy multiple", %{conn: conn} do
     conn2 =
       conn
       |> assign(:user, other_user)
+      |> assign(:token, insert(:oauth_token, user: other_user, scopes: ["read:notifications"]))
 
     result =
       conn2
@@ -372,97 +353,110 @@ test "destroy multiple", %{conn: conn} do
     assert [%{"id" => ^notification4_id}, %{"id" => ^notification3_id}] = result
   end
 
-  test "doesn't see notifications after muting user with notifications", %{conn: conn} do
-    user = insert(:user)
+  test "doesn't see notifications after muting user with notifications" do
+    %{user: user, conn: conn} = oauth_access(["read:notifications"])
     user2 = insert(:user)
 
     {:ok, _, _, _} = CommonAPI.follow(user, user2)
     {:ok, _} = CommonAPI.post(user2, %{"status" => "hey @#{user.nickname}"})
 
-    conn = assign(conn, :user, user)
+    ret_conn = get(conn, "/api/v1/notifications")
 
-    conn = get(conn, "/api/v1/notifications")
-
-    assert length(json_response(conn, 200)) == 1
+    assert length(json_response(ret_conn, 200)) == 1
 
     {:ok, _user_relationships} = User.mute(user, user2)
 
-    conn = assign(build_conn(), :user, user)
     conn = get(conn, "/api/v1/notifications")
 
     assert json_response(conn, 200) == []
   end
 
-  test "see notifications after muting user without notifications", %{conn: conn} do
-    user = insert(:user)
+  test "see notifications after muting user without notifications" do
+    %{user: user, conn: conn} = oauth_access(["read:notifications"])
     user2 = insert(:user)
 
     {:ok, _, _, _} = CommonAPI.follow(user, user2)
     {:ok, _} = CommonAPI.post(user2, %{"status" => "hey @#{user.nickname}"})
 
-    conn = assign(conn, :user, user)
+    ret_conn = get(conn, "/api/v1/notifications")
 
-    conn = get(conn, "/api/v1/notifications")
-
-    assert length(json_response(conn, 200)) == 1
+    assert length(json_response(ret_conn, 200)) == 1
 
     {:ok, _user_relationships} = User.mute(user, user2, false)
 
-    conn = assign(build_conn(), :user, user)
     conn = get(conn, "/api/v1/notifications")
 
     assert length(json_response(conn, 200)) == 1
   end
 
-  test "see notifications after muting user with notifications and with_muted parameter", %{
-    conn: conn
-  } do
-    user = insert(:user)
+  test "see notifications after muting user with notifications and with_muted parameter" do
+    %{user: user, conn: conn} = oauth_access(["read:notifications"])
     user2 = insert(:user)
 
     {:ok, _, _, _} = CommonAPI.follow(user, user2)
     {:ok, _} = CommonAPI.post(user2, %{"status" => "hey @#{user.nickname}"})
 
-    conn = assign(conn, :user, user)
+    ret_conn = get(conn, "/api/v1/notifications")
 
-    conn = get(conn, "/api/v1/notifications")
-
-    assert length(json_response(conn, 200)) == 1
+    assert length(json_response(ret_conn, 200)) == 1
 
     {:ok, _user_relationships} = User.mute(user, user2)
 
-    conn = assign(build_conn(), :user, user)
     conn = get(conn, "/api/v1/notifications", %{"with_muted" => "true"})
 
     assert length(json_response(conn, 200)) == 1
   end
 
-  test "see move notifications with `with_move` parameter", %{
-    conn: conn
-  } do
+  test "see move notifications with `with_move` parameter" do
     old_user = insert(:user)
     new_user = insert(:user, also_known_as: [old_user.ap_id])
-    follower = insert(:user)
+    %{user: follower, conn: conn} = oauth_access(["read:notifications"])
 
     User.follow(follower, old_user)
     Pleroma.Web.ActivityPub.ActivityPub.move(old_user, new_user)
     Pleroma.Tests.ObanHelpers.perform_all()
 
-    conn =
-      conn
-      |> assign(:user, follower)
-      |> get("/api/v1/notifications")
+    ret_conn = get(conn, "/api/v1/notifications")
 
-    assert json_response(conn, 200) == []
+    assert json_response(ret_conn, 200) == []
 
-    conn =
-      build_conn()
-      |> assign(:user, follower)
-      |> get("/api/v1/notifications", %{"with_move" => "true"})
+    conn = get(conn, "/api/v1/notifications", %{"with_move" => "true"})
 
     assert length(json_response(conn, 200)) == 1
   end
 
+  describe "link headers" do
+    test "preserves parameters in link headers" do
+      %{user: user, conn: conn} = oauth_access(["read:notifications"])
+      other_user = insert(:user)
+
+      {:ok, activity1} =
+        CommonAPI.post(other_user, %{
+          "status" => "hi @#{user.nickname}",
+          "visibility" => "public"
+        })
+
+      {:ok, activity2} =
+        CommonAPI.post(other_user, %{
+          "status" => "hi @#{user.nickname}",
+          "visibility" => "public"
+        })
+
+      notification1 = Repo.get_by(Notification, activity_id: activity1.id)
+      notification2 = Repo.get_by(Notification, activity_id: activity2.id)
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> get("/api/v1/notifications", %{media_only: true})
+
+      assert [link_header] = get_resp_header(conn, "link")
+      assert link_header =~ ~r/media_only=true/
+      assert link_header =~ ~r/min_id=#{notification2.id}/
+      assert link_header =~ ~r/max_id=#{notification1.id}/
+    end
+  end
+
   defp get_notification_id_by_activity(%{id: id}) do
     Notification
     |> Repo.get_by(activity_id: id)
diff --git a/test/web/mastodon_api/controllers/poll_controller_test.exs b/test/web/mastodon_api/controllers/poll_controller_test.exs
index 40cf3e879..5a1cea11b 100644
--- a/test/web/mastodon_api/controllers/poll_controller_test.exs
+++ b/test/web/mastodon_api/controllers/poll_controller_test.exs
@@ -11,9 +11,9 @@ defmodule Pleroma.Web.MastodonAPI.PollControllerTest do
   import Pleroma.Factory
 
   describe "GET /api/v1/polls/:id" do
-    test "returns poll entity for object id", %{conn: conn} do
-      user = insert(:user)
+    setup do: oauth_access(["read:statuses"])
 
+    test "returns poll entity for object id", %{user: user, conn: conn} do
       {:ok, activity} =
         CommonAPI.post(user, %{
           "status" => "Pleroma does",
@@ -22,10 +22,7 @@ test "returns poll entity for object id", %{conn: conn} do
 
       object = Object.normalize(activity)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> get("/api/v1/polls/#{object.id}")
+      conn = get(conn, "/api/v1/polls/#{object.id}")
 
       response = json_response(conn, 200)
       id = to_string(object.id)
@@ -33,11 +30,10 @@ test "returns poll entity for object id", %{conn: conn} do
     end
 
     test "does not expose polls for private statuses", %{conn: conn} do
-      user = insert(:user)
       other_user = insert(:user)
 
       {:ok, activity} =
-        CommonAPI.post(user, %{
+        CommonAPI.post(other_user, %{
           "status" => "Pleroma does",
           "poll" => %{"options" => ["what Mastodon't", "n't what Mastodoes"], "expires_in" => 20},
           "visibility" => "private"
@@ -45,22 +41,20 @@ test "does not expose polls for private statuses", %{conn: conn} do
 
       object = Object.normalize(activity)
 
-      conn =
-        conn
-        |> assign(:user, other_user)
-        |> get("/api/v1/polls/#{object.id}")
+      conn = get(conn, "/api/v1/polls/#{object.id}")
 
       assert json_response(conn, 404)
     end
   end
 
   describe "POST /api/v1/polls/:id/votes" do
+    setup do: oauth_access(["write:statuses"])
+
     test "votes are added to the poll", %{conn: conn} do
-      user = insert(:user)
       other_user = insert(:user)
 
       {:ok, activity} =
-        CommonAPI.post(user, %{
+        CommonAPI.post(other_user, %{
           "status" => "A very delicious sandwich",
           "poll" => %{
             "options" => ["Lettuce", "Grilled Bacon", "Tomato"],
@@ -71,10 +65,7 @@ test "votes are added to the poll", %{conn: conn} do
 
       object = Object.normalize(activity)
 
-      conn =
-        conn
-        |> assign(:user, other_user)
-        |> post("/api/v1/polls/#{object.id}/votes", %{"choices" => [0, 1, 2]})
+      conn = post(conn, "/api/v1/polls/#{object.id}/votes", %{"choices" => [0, 1, 2]})
 
       assert json_response(conn, 200)
       object = Object.get_by_id(object.id)
@@ -84,9 +75,7 @@ test "votes are added to the poll", %{conn: conn} do
              end)
     end
 
-    test "author can't vote", %{conn: conn} do
-      user = insert(:user)
-
+    test "author can't vote", %{user: user, conn: conn} do
       {:ok, activity} =
         CommonAPI.post(user, %{
           "status" => "Am I cute?",
@@ -96,7 +85,6 @@ test "author can't vote", %{conn: conn} do
       object = Object.normalize(activity)
 
       assert conn
-             |> assign(:user, user)
              |> post("/api/v1/polls/#{object.id}/votes", %{"choices" => [1]})
              |> json_response(422) == %{"error" => "Poll's author can't vote"}
 
@@ -106,11 +94,10 @@ test "author can't vote", %{conn: conn} do
     end
 
     test "does not allow multiple choices on a single-choice question", %{conn: conn} do
-      user = insert(:user)
       other_user = insert(:user)
 
       {:ok, activity} =
-        CommonAPI.post(user, %{
+        CommonAPI.post(other_user, %{
           "status" => "The glass is",
           "poll" => %{"options" => ["half empty", "half full"], "expires_in" => 20}
         })
@@ -118,7 +105,6 @@ test "does not allow multiple choices on a single-choice question", %{conn: conn
       object = Object.normalize(activity)
 
       assert conn
-             |> assign(:user, other_user)
              |> post("/api/v1/polls/#{object.id}/votes", %{"choices" => [0, 1]})
              |> json_response(422) == %{"error" => "Too many choices"}
 
@@ -130,42 +116,32 @@ test "does not allow multiple choices on a single-choice question", %{conn: conn
     end
 
     test "does not allow choice index to be greater than options count", %{conn: conn} do
-      user = insert(:user)
       other_user = insert(:user)
 
       {:ok, activity} =
-        CommonAPI.post(user, %{
+        CommonAPI.post(other_user, %{
           "status" => "Am I cute?",
           "poll" => %{"options" => ["Yes", "No"], "expires_in" => 20}
         })
 
       object = Object.normalize(activity)
 
-      conn =
-        conn
-        |> assign(:user, other_user)
-        |> post("/api/v1/polls/#{object.id}/votes", %{"choices" => [2]})
+      conn = post(conn, "/api/v1/polls/#{object.id}/votes", %{"choices" => [2]})
 
       assert json_response(conn, 422) == %{"error" => "Invalid indices"}
     end
 
     test "returns 404 error when object is not exist", %{conn: conn} do
-      user = insert(:user)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/polls/1/votes", %{"choices" => [0]})
+      conn = post(conn, "/api/v1/polls/1/votes", %{"choices" => [0]})
 
       assert json_response(conn, 404) == %{"error" => "Record not found"}
     end
 
     test "returns 404 when poll is private and not available for user", %{conn: conn} do
-      user = insert(:user)
       other_user = insert(:user)
 
       {:ok, activity} =
-        CommonAPI.post(user, %{
+        CommonAPI.post(other_user, %{
           "status" => "Am I cute?",
           "poll" => %{"options" => ["Yes", "No"], "expires_in" => 20},
           "visibility" => "private"
@@ -173,10 +149,7 @@ test "returns 404 when poll is private and not available for user", %{conn: conn
 
       object = Object.normalize(activity)
 
-      conn =
-        conn
-        |> assign(:user, other_user)
-        |> post("/api/v1/polls/#{object.id}/votes", %{"choices" => [0]})
+      conn = post(conn, "/api/v1/polls/#{object.id}/votes", %{"choices" => [0]})
 
       assert json_response(conn, 404) == %{"error" => "Record not found"}
     end
diff --git a/test/web/mastodon_api/controllers/report_controller_test.exs b/test/web/mastodon_api/controllers/report_controller_test.exs
index 979ca48f3..53c132ff4 100644
--- a/test/web/mastodon_api/controllers/report_controller_test.exs
+++ b/test/web/mastodon_api/controllers/report_controller_test.exs
@@ -9,32 +9,30 @@ defmodule Pleroma.Web.MastodonAPI.ReportControllerTest do
 
   import Pleroma.Factory
 
+  setup do: oauth_access(["write:reports"])
+
   setup do
-    reporter = insert(:user)
     target_user = insert(:user)
 
     {:ok, activity} = CommonAPI.post(target_user, %{"status" => "foobar"})
 
-    [reporter: reporter, target_user: target_user, activity: activity]
+    [target_user: target_user, activity: activity]
   end
 
-  test "submit a basic report", %{conn: conn, reporter: reporter, target_user: target_user} do
+  test "submit a basic report", %{conn: conn, target_user: target_user} do
     assert %{"action_taken" => false, "id" => _} =
              conn
-             |> assign(:user, reporter)
              |> post("/api/v1/reports", %{"account_id" => target_user.id})
              |> json_response(200)
   end
 
   test "submit a report with statuses and comment", %{
     conn: conn,
-    reporter: reporter,
     target_user: target_user,
     activity: activity
   } do
     assert %{"action_taken" => false, "id" => _} =
              conn
-             |> assign(:user, reporter)
              |> post("/api/v1/reports", %{
                "account_id" => target_user.id,
                "status_ids" => [activity.id],
@@ -46,19 +44,16 @@ test "submit a report with statuses and comment", %{
 
   test "account_id is required", %{
     conn: conn,
-    reporter: reporter,
     activity: activity
   } do
     assert %{"error" => "Valid `account_id` required"} =
              conn
-             |> assign(:user, reporter)
              |> post("/api/v1/reports", %{"status_ids" => [activity.id]})
              |> json_response(400)
   end
 
   test "comment must be up to the size specified in the config", %{
     conn: conn,
-    reporter: reporter,
     target_user: target_user
   } do
     max_size = Pleroma.Config.get([:instance, :max_report_comment_size], 1000)
@@ -68,20 +63,15 @@ test "comment must be up to the size specified in the config", %{
 
     assert ^error =
              conn
-             |> assign(:user, reporter)
              |> post("/api/v1/reports", %{"account_id" => target_user.id, "comment" => comment})
              |> json_response(400)
   end
 
   test "returns error when account is not exist", %{
     conn: conn,
-    reporter: reporter,
     activity: activity
   } do
-    conn =
-      conn
-      |> assign(:user, reporter)
-      |> post("/api/v1/reports", %{"status_ids" => [activity.id], "account_id" => "foo"})
+    conn = post(conn, "/api/v1/reports", %{"status_ids" => [activity.id], "account_id" => "foo"})
 
     assert json_response(conn, 400) == %{"error" => "Account not found"}
   end
diff --git a/test/web/mastodon_api/controllers/scheduled_activity_controller_test.exs b/test/web/mastodon_api/controllers/scheduled_activity_controller_test.exs
index ae5fee2bc..9666a7f2e 100644
--- a/test/web/mastodon_api/controllers/scheduled_activity_controller_test.exs
+++ b/test/web/mastodon_api/controllers/scheduled_activity_controller_test.exs
@@ -10,89 +10,69 @@ defmodule Pleroma.Web.MastodonAPI.ScheduledActivityControllerTest do
 
   import Pleroma.Factory
 
-  test "shows scheduled activities", %{conn: conn} do
-    user = insert(:user)
+  test "shows scheduled activities" do
+    %{user: user, conn: conn} = oauth_access(["read:statuses"])
+
     scheduled_activity_id1 = insert(:scheduled_activity, user: user).id |> to_string()
     scheduled_activity_id2 = insert(:scheduled_activity, user: user).id |> to_string()
     scheduled_activity_id3 = insert(:scheduled_activity, user: user).id |> to_string()
     scheduled_activity_id4 = insert(:scheduled_activity, user: user).id |> to_string()
 
-    conn =
-      conn
-      |> assign(:user, user)
-
     # min_id
-    conn_res =
-      conn
-      |> get("/api/v1/scheduled_statuses?limit=2&min_id=#{scheduled_activity_id1}")
+    conn_res = get(conn, "/api/v1/scheduled_statuses?limit=2&min_id=#{scheduled_activity_id1}")
 
     result = json_response(conn_res, 200)
     assert [%{"id" => ^scheduled_activity_id3}, %{"id" => ^scheduled_activity_id2}] = result
 
     # since_id
-    conn_res =
-      conn
-      |> get("/api/v1/scheduled_statuses?limit=2&since_id=#{scheduled_activity_id1}")
+    conn_res = get(conn, "/api/v1/scheduled_statuses?limit=2&since_id=#{scheduled_activity_id1}")
 
     result = json_response(conn_res, 200)
     assert [%{"id" => ^scheduled_activity_id4}, %{"id" => ^scheduled_activity_id3}] = result
 
     # max_id
-    conn_res =
-      conn
-      |> get("/api/v1/scheduled_statuses?limit=2&max_id=#{scheduled_activity_id4}")
+    conn_res = get(conn, "/api/v1/scheduled_statuses?limit=2&max_id=#{scheduled_activity_id4}")
 
     result = json_response(conn_res, 200)
     assert [%{"id" => ^scheduled_activity_id3}, %{"id" => ^scheduled_activity_id2}] = result
   end
 
-  test "shows a scheduled activity", %{conn: conn} do
-    user = insert(:user)
+  test "shows a scheduled activity" do
+    %{user: user, conn: conn} = oauth_access(["read:statuses"])
     scheduled_activity = insert(:scheduled_activity, user: user)
 
-    res_conn =
-      conn
-      |> assign(:user, user)
-      |> get("/api/v1/scheduled_statuses/#{scheduled_activity.id}")
+    res_conn = get(conn, "/api/v1/scheduled_statuses/#{scheduled_activity.id}")
 
     assert %{"id" => scheduled_activity_id} = json_response(res_conn, 200)
     assert scheduled_activity_id == scheduled_activity.id |> to_string()
 
-    res_conn =
-      conn
-      |> assign(:user, user)
-      |> get("/api/v1/scheduled_statuses/404")
+    res_conn = get(conn, "/api/v1/scheduled_statuses/404")
 
     assert %{"error" => "Record not found"} = json_response(res_conn, 404)
   end
 
-  test "updates a scheduled activity", %{conn: conn} do
-    user = insert(:user)
+  test "updates a scheduled activity" do
+    %{user: user, conn: conn} = oauth_access(["write:statuses"])
     scheduled_activity = insert(:scheduled_activity, user: user)
 
     new_scheduled_at =
       NaiveDateTime.add(NaiveDateTime.utc_now(), :timer.minutes(120), :millisecond)
 
     res_conn =
-      conn
-      |> assign(:user, user)
-      |> put("/api/v1/scheduled_statuses/#{scheduled_activity.id}", %{
+      put(conn, "/api/v1/scheduled_statuses/#{scheduled_activity.id}", %{
         scheduled_at: new_scheduled_at
       })
 
     assert %{"scheduled_at" => expected_scheduled_at} = json_response(res_conn, 200)
     assert expected_scheduled_at == Pleroma.Web.CommonAPI.Utils.to_masto_date(new_scheduled_at)
 
-    res_conn =
-      conn
-      |> assign(:user, user)
-      |> put("/api/v1/scheduled_statuses/404", %{scheduled_at: new_scheduled_at})
+    res_conn = put(conn, "/api/v1/scheduled_statuses/404", %{scheduled_at: new_scheduled_at})
 
     assert %{"error" => "Record not found"} = json_response(res_conn, 404)
   end
 
-  test "deletes a scheduled activity", %{conn: conn} do
-    user = insert(:user)
+  test "deletes a scheduled activity" do
+    %{user: user, conn: conn} = oauth_access(["write:statuses"])
     scheduled_activity = insert(:scheduled_activity, user: user)
 
     res_conn =
diff --git a/test/web/mastodon_api/controllers/search_controller_test.exs b/test/web/mastodon_api/controllers/search_controller_test.exs
index 34deeba47..7fedf42e5 100644
--- a/test/web/mastodon_api/controllers/search_controller_test.exs
+++ b/test/web/mastodon_api/controllers/search_controller_test.exs
@@ -77,13 +77,11 @@ test "search", %{conn: conn} do
 
   describe ".account_search" do
     test "account search", %{conn: conn} do
-      user = insert(:user)
       user_two = insert(:user, %{nickname: "shp@shitposter.club"})
       user_three = insert(:user, %{nickname: "shp@heldscal.la", name: "I love 2hu"})
 
       results =
         conn
-        |> assign(:user, user)
         |> get("/api/v1/accounts/search", %{"q" => "shp"})
         |> json_response(200)
 
@@ -94,7 +92,6 @@ test "account search", %{conn: conn} do
 
       results =
         conn
-        |> assign(:user, user)
         |> get("/api/v1/accounts/search", %{"q" => "2hu"})
         |> json_response(200)
 
@@ -104,11 +101,10 @@ test "account search", %{conn: conn} do
     end
 
     test "returns account if query contains a space", %{conn: conn} do
-      user = insert(:user, %{nickname: "shp@shitposter.club"})
+      insert(:user, %{nickname: "shp@shitposter.club"})
 
       results =
         conn
-        |> assign(:user, user)
         |> get("/api/v1/accounts/search", %{"q" => "shp@shitposter.club xxx "})
         |> json_response(200)
 
@@ -209,6 +205,7 @@ test "search fetches remote accounts", %{conn: conn} do
       conn =
         conn
         |> assign(:user, user)
+        |> assign(:token, insert(:oauth_token, user: user, scopes: ["read"]))
         |> get("/api/v1/search", %{"q" => "mike@osada.macgirvin.com", "resolve" => "true"})
 
       assert results = json_response(conn, 200)
diff --git a/test/web/mastodon_api/controllers/suggestion_controller_test.exs b/test/web/mastodon_api/controllers/suggestion_controller_test.exs
index 78620a873..c4118a576 100644
--- a/test/web/mastodon_api/controllers/suggestion_controller_test.exs
+++ b/test/web/mastodon_api/controllers/suggestion_controller_test.exs
@@ -11,8 +11,9 @@ defmodule Pleroma.Web.MastodonAPI.SuggestionControllerTest do
   import Pleroma.Factory
   import Tesla.Mock
 
-  setup do
-    user = insert(:user)
+  setup do: oauth_access(["read"])
+
+  setup %{user: user} do
     other_user = insert(:user)
     host = Config.get([Pleroma.Web.Endpoint, :url, :host])
     url500 = "http://test500?#{host}&#{user.nickname}"
@@ -32,31 +33,29 @@ defmodule Pleroma.Web.MastodonAPI.SuggestionControllerTest do
         }
     end)
 
-    [user: user, other_user: other_user]
+    [other_user: other_user]
   end
 
   clear_config(:suggestions)
 
-  test "returns empty result when suggestions disabled", %{conn: conn, user: user} do
+  test "returns empty result when suggestions disabled", %{conn: conn} do
     Config.put([:suggestions, :enabled], false)
 
     res =
       conn
-      |> assign(:user, user)
       |> get("/api/v1/suggestions")
       |> json_response(200)
 
     assert res == []
   end
 
-  test "returns error", %{conn: conn, user: user} do
+  test "returns error", %{conn: conn} do
     Config.put([:suggestions, :enabled], true)
     Config.put([:suggestions, :third_party_engine], "http://test500?{{host}}&{{user}}")
 
     assert capture_log(fn ->
              res =
                conn
-               |> assign(:user, user)
                |> get("/api/v1/suggestions")
                |> json_response(500)
 
@@ -64,13 +63,12 @@ test "returns error", %{conn: conn, user: user} do
            end) =~ "Could not retrieve suggestions"
   end
 
-  test "returns suggestions", %{conn: conn, user: user, other_user: other_user} do
+  test "returns suggestions", %{conn: conn, other_user: other_user} do
     Config.put([:suggestions, :enabled], true)
     Config.put([:suggestions, :third_party_engine], "http://test200?{{host}}&{{user}}")
 
     res =
       conn
-      |> assign(:user, user)
       |> get("/api/v1/suggestions")
       |> json_response(200)
 
diff --git a/test/web/mastodon_api/controllers/timeline_controller_test.exs b/test/web/mastodon_api/controllers/timeline_controller_test.exs
index dc17cc963..bb94d8e5a 100644
--- a/test/web/mastodon_api/controllers/timeline_controller_test.exs
+++ b/test/web/mastodon_api/controllers/timeline_controller_test.exs
@@ -20,31 +20,25 @@ defmodule Pleroma.Web.MastodonAPI.TimelineControllerTest do
   end
 
   describe "home" do
-    test "the home timeline", %{conn: conn} do
-      user = insert(:user)
+    setup do: oauth_access(["read:statuses"])
+
+    test "the home timeline", %{user: user, conn: conn} do
       following = insert(:user)
 
       {:ok, _activity} = CommonAPI.post(following, %{"status" => "test"})
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> get("/api/v1/timelines/home")
+      ret_conn = get(conn, "/api/v1/timelines/home")
 
-      assert Enum.empty?(json_response(conn, :ok))
+      assert Enum.empty?(json_response(ret_conn, :ok))
 
-      {:ok, user} = User.follow(user, following)
+      {:ok, _user} = User.follow(user, following)
 
-      conn =
-        build_conn()
-        |> assign(:user, user)
-        |> get("/api/v1/timelines/home")
+      conn = get(conn, "/api/v1/timelines/home")
 
       assert [%{"content" => "test"}] = json_response(conn, :ok)
     end
 
-    test "the home timeline when the direct messages are excluded", %{conn: conn} do
-      user = insert(:user)
+    test "the home timeline when the direct messages are excluded", %{user: user, conn: conn} do
       {:ok, public_activity} = CommonAPI.post(user, %{"status" => ".", "visibility" => "public"})
       {:ok, direct_activity} = CommonAPI.post(user, %{"status" => ".", "visibility" => "direct"})
 
@@ -54,10 +48,7 @@ test "the home timeline when the direct messages are excluded", %{conn: conn} do
       {:ok, private_activity} =
         CommonAPI.post(user, %{"status" => ".", "visibility" => "private"})
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> get("/api/v1/timelines/home", %{"exclude_visibilities" => ["direct"]})
+      conn = get(conn, "/api/v1/timelines/home", %{"exclude_visibilities" => ["direct"]})
 
       assert status_ids = json_response(conn, :ok) |> Enum.map(& &1["id"])
       assert public_activity.id in status_ids
@@ -99,11 +90,7 @@ test "the public timeline when public is set to false", %{conn: conn} do
     end
 
     test "the public timeline includes only public statuses for an authenticated user" do
-      user = insert(:user)
-
-      conn =
-        build_conn()
-        |> assign(:user, user)
+      %{user: user, conn: conn} = oauth_access(["read:statuses"])
 
       {:ok, _activity} = CommonAPI.post(user, %{"status" => "test"})
       {:ok, _activity} = CommonAPI.post(user, %{"status" => "test", "visibility" => "private"})
@@ -134,11 +121,13 @@ test "direct timeline", %{conn: conn} do
           "visibility" => "private"
         })
 
-      # Only direct should be visible here
-      res_conn =
+      conn_user_two =
         conn
         |> assign(:user, user_two)
-        |> get("api/v1/timelines/direct")
+        |> assign(:token, insert(:oauth_token, user: user_two, scopes: ["read:statuses"]))
+
+      # Only direct should be visible here
+      res_conn = get(conn_user_two, "api/v1/timelines/direct")
 
       [status] = json_response(res_conn, :ok)
 
@@ -149,6 +138,7 @@ test "direct timeline", %{conn: conn} do
       res_conn =
         build_conn()
         |> assign(:user, user_one)
+        |> assign(:token, insert(:oauth_token, user: user_one, scopes: ["read:statuses"]))
         |> get("api/v1/timelines/direct")
 
       [status] = json_response(res_conn, :ok)
@@ -156,10 +146,7 @@ test "direct timeline", %{conn: conn} do
       assert %{"visibility" => "direct"} = status
 
       # Both should be visible here
-      res_conn =
-        conn
-        |> assign(:user, user_two)
-        |> get("api/v1/timelines/home")
+      res_conn = get(conn_user_two, "api/v1/timelines/home")
 
       [_s1, _s2] = json_response(res_conn, :ok)
 
@@ -172,28 +159,23 @@ test "direct timeline", %{conn: conn} do
           })
       end)
 
-      res_conn =
-        conn
-        |> assign(:user, user_two)
-        |> get("api/v1/timelines/direct")
+      res_conn = get(conn_user_two, "api/v1/timelines/direct")
 
       statuses = json_response(res_conn, :ok)
       assert length(statuses) == 20
 
       res_conn =
-        conn
-        |> assign(:user, user_two)
-        |> get("api/v1/timelines/direct", %{max_id: List.last(statuses)["id"]})
+        get(conn_user_two, "api/v1/timelines/direct", %{max_id: List.last(statuses)["id"]})
 
       [status] = json_response(res_conn, :ok)
 
       assert status["url"] != direct.data["id"]
     end
 
-    test "doesn't include DMs from blocked users", %{conn: conn} do
-      blocker = insert(:user)
+    test "doesn't include DMs from blocked users" do
+      %{user: blocker, conn: conn} = oauth_access(["read:statuses"])
       blocked = insert(:user)
-      user = insert(:user)
+      other_user = insert(:user)
       {:ok, _user_relationship} = User.block(blocker, blocked)
 
       {:ok, _blocked_direct} =
@@ -203,15 +185,12 @@ test "doesn't include DMs from blocked users", %{conn: conn} do
         })
 
       {:ok, direct} =
-        CommonAPI.post(user, %{
+        CommonAPI.post(other_user, %{
           "status" => "Hi @#{blocker.nickname}!",
           "visibility" => "direct"
         })
 
-      res_conn =
-        conn
-        |> assign(:user, user)
-        |> get("api/v1/timelines/direct")
+      res_conn = get(conn, "api/v1/timelines/direct")
 
       [status] = json_response(res_conn, :ok)
       assert status["id"] == direct.id
@@ -219,26 +198,26 @@ test "doesn't include DMs from blocked users", %{conn: conn} do
   end
 
   describe "list" do
-    test "list timeline", %{conn: conn} do
-      user = insert(:user)
+    setup do: oauth_access(["read:lists"])
+
+    test "list timeline", %{user: user, conn: conn} do
       other_user = insert(:user)
       {:ok, _activity_one} = CommonAPI.post(user, %{"status" => "Marisa is cute."})
       {:ok, activity_two} = CommonAPI.post(other_user, %{"status" => "Marisa is cute."})
       {:ok, list} = Pleroma.List.create("name", user)
       {:ok, list} = Pleroma.List.follow(list, other_user)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> get("/api/v1/timelines/list/#{list.id}")
+      conn = get(conn, "/api/v1/timelines/list/#{list.id}")
 
       assert [%{"id" => id}] = json_response(conn, :ok)
 
       assert id == to_string(activity_two.id)
     end
 
-    test "list timeline does not leak non-public statuses for unfollowed users", %{conn: conn} do
-      user = insert(:user)
+    test "list timeline does not leak non-public statuses for unfollowed users", %{
+      user: user,
+      conn: conn
+    } do
       other_user = insert(:user)
       {:ok, activity_one} = CommonAPI.post(other_user, %{"status" => "Marisa is cute."})
 
@@ -251,10 +230,7 @@ test "list timeline does not leak non-public statuses for unfollowed users", %{c
       {:ok, list} = Pleroma.List.create("name", user)
       {:ok, list} = Pleroma.List.follow(list, other_user)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> get("/api/v1/timelines/list/#{list.id}")
+      conn = get(conn, "/api/v1/timelines/list/#{list.id}")
 
       assert [%{"id" => id}] = json_response(conn, :ok)
 
@@ -263,6 +239,8 @@ test "list timeline does not leak non-public statuses for unfollowed users", %{c
   end
 
   describe "hashtag" do
+    setup do: oauth_access(["n/a"])
+
     @tag capture_log: true
     test "hashtag timeline", %{conn: conn} do
       following = insert(:user)
diff --git a/test/web/mastodon_api/mastodon_api_controller_test.exs b/test/web/mastodon_api/mastodon_api_controller_test.exs
index 42a8779c0..c1f70f9fe 100644
--- a/test/web/mastodon_api/mastodon_api_controller_test.exs
+++ b/test/web/mastodon_api/mastodon_api_controller_test.exs
@@ -5,69 +5,9 @@
 defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
   use Pleroma.Web.ConnCase
 
-  alias Pleroma.Notification
-  alias Pleroma.Repo
-  alias Pleroma.Web.CommonAPI
-
-  import Pleroma.Factory
-  import Tesla.Mock
-
-  setup do
-    mock(fn env -> apply(HttpRequestMock, :request, [env]) end)
-    :ok
-  end
-
-  clear_config([:rich_media, :enabled])
-
-  test "unimplemented follow_requests, blocks, domain blocks" do
-    user = insert(:user)
-
-    ["blocks", "domain_blocks", "follow_requests"]
-    |> Enum.each(fn endpoint ->
-      conn =
-        build_conn()
-        |> assign(:user, user)
-        |> get("/api/v1/#{endpoint}")
-
-      assert [] = json_response(conn, 200)
-    end)
-  end
-
-  describe "link headers" do
-    test "preserves parameters in link headers", %{conn: conn} do
-      user = insert(:user)
-      other_user = insert(:user)
-
-      {:ok, activity1} =
-        CommonAPI.post(other_user, %{
-          "status" => "hi @#{user.nickname}",
-          "visibility" => "public"
-        })
-
-      {:ok, activity2} =
-        CommonAPI.post(other_user, %{
-          "status" => "hi @#{user.nickname}",
-          "visibility" => "public"
-        })
-
-      notification1 = Repo.get_by(Notification, activity_id: activity1.id)
-      notification2 = Repo.get_by(Notification, activity_id: activity2.id)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> get("/api/v1/notifications", %{media_only: true})
-
-      assert [link_header] = get_resp_header(conn, "link")
-      assert link_header =~ ~r/media_only=true/
-      assert link_header =~ ~r/min_id=#{notification2.id}/
-      assert link_header =~ ~r/max_id=#{notification1.id}/
-    end
-  end
-
-  describe "empty_array, stubs for mastodon api" do
-    test "GET /api/v1/accounts/:id/identity_proofs", %{conn: conn} do
-      user = insert(:user)
+  describe "empty_array/2 (stubs)" do
+    test "GET /api/v1/accounts/:id/identity_proofs" do
+      %{user: user, conn: conn} = oauth_access(["n/a"])
 
       res =
         conn
@@ -78,12 +18,11 @@ test "GET /api/v1/accounts/:id/identity_proofs", %{conn: conn} do
       assert res == []
     end
 
-    test "GET /api/v1/endorsements", %{conn: conn} do
-      user = insert(:user)
+    test "GET /api/v1/endorsements" do
+      %{conn: conn} = oauth_access(["read:accounts"])
 
       res =
         conn
-        |> assign(:user, user)
         |> get("/api/v1/endorsements")
         |> json_response(200)
 
@@ -91,11 +30,8 @@ test "GET /api/v1/endorsements", %{conn: conn} do
     end
 
     test "GET /api/v1/trends", %{conn: conn} do
-      user = insert(:user)
-
       res =
         conn
-        |> assign(:user, user)
         |> get("/api/v1/trends")
         |> json_response(200)
 
diff --git a/test/web/pleroma_api/controllers/account_controller_test.exs b/test/web/pleroma_api/controllers/account_controller_test.exs
index c809f510f..d17026a6b 100644
--- a/test/web/pleroma_api/controllers/account_controller_test.exs
+++ b/test/web/pleroma_api/controllers/account_controller_test.exs
@@ -33,7 +33,6 @@ defmodule Pleroma.Web.PleromaAPI.AccountControllerTest do
 
     test "resend account confirmation email", %{conn: conn, user: user} do
       conn
-      |> assign(:user, user)
       |> post("/api/v1/pleroma/accounts/confirmation_resend?email=#{user.email}")
       |> json_response(:no_content)
 
@@ -52,14 +51,12 @@ test "resend account confirmation email", %{conn: conn, user: user} do
   end
 
   describe "PATCH /api/v1/pleroma/accounts/update_avatar" do
-    test "user avatar can be set", %{conn: conn} do
-      user = insert(:user)
+    setup do: oauth_access(["write:accounts"])
+
+    test "user avatar can be set", %{user: user, conn: conn} do
       avatar_image = File.read!("test/fixtures/avatar_data_uri")
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/pleroma/accounts/update_avatar", %{img: avatar_image})
+      conn = patch(conn, "/api/v1/pleroma/accounts/update_avatar", %{img: avatar_image})
 
       user = refresh_record(user)
 
@@ -78,13 +75,8 @@ test "user avatar can be set", %{conn: conn} do
       assert %{"url" => _} = json_response(conn, 200)
     end
 
-    test "user avatar can be reset", %{conn: conn} do
-      user = insert(:user)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/pleroma/accounts/update_avatar", %{img: ""})
+    test "user avatar can be reset", %{user: user, conn: conn} do
+      conn = patch(conn, "/api/v1/pleroma/accounts/update_avatar", %{img: ""})
 
       user = User.get_cached_by_id(user.id)
 
@@ -95,13 +87,10 @@ test "user avatar can be reset", %{conn: conn} do
   end
 
   describe "PATCH /api/v1/pleroma/accounts/update_banner" do
-    test "can set profile banner", %{conn: conn} do
-      user = insert(:user)
+    setup do: oauth_access(["write:accounts"])
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/pleroma/accounts/update_banner", %{"banner" => @image})
+    test "can set profile banner", %{user: user, conn: conn} do
+      conn = patch(conn, "/api/v1/pleroma/accounts/update_banner", %{"banner" => @image})
 
       user = refresh_record(user)
       assert user.banner["type"] == "Image"
@@ -109,13 +98,8 @@ test "can set profile banner", %{conn: conn} do
       assert %{"url" => _} = json_response(conn, 200)
     end
 
-    test "can reset profile banner", %{conn: conn} do
-      user = insert(:user)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/pleroma/accounts/update_banner", %{"banner" => ""})
+    test "can reset profile banner", %{user: user, conn: conn} do
+      conn = patch(conn, "/api/v1/pleroma/accounts/update_banner", %{"banner" => ""})
 
       user = refresh_record(user)
       assert user.banner == %{}
@@ -125,26 +109,18 @@ test "can reset profile banner", %{conn: conn} do
   end
 
   describe "PATCH /api/v1/pleroma/accounts/update_background" do
-    test "background image can be set", %{conn: conn} do
-      user = insert(:user)
+    setup do: oauth_access(["write:accounts"])
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/pleroma/accounts/update_background", %{"img" => @image})
+    test "background image can be set", %{user: user, conn: conn} do
+      conn = patch(conn, "/api/v1/pleroma/accounts/update_background", %{"img" => @image})
 
       user = refresh_record(user)
       assert user.background["type"] == "Image"
       assert %{"url" => _} = json_response(conn, 200)
     end
 
-    test "background image can be reset", %{conn: conn} do
-      user = insert(:user)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/pleroma/accounts/update_background", %{"img" => ""})
+    test "background image can be reset", %{user: user, conn: conn} do
+      conn = patch(conn, "/api/v1/pleroma/accounts/update_background", %{"img" => ""})
 
       user = refresh_record(user)
       assert user.background == %{}
@@ -155,12 +131,12 @@ test "background image can be reset", %{conn: conn} do
   describe "getting favorites timeline of specified user" do
     setup do
       [current_user, user] = insert_pair(:user, hide_favorites: false)
-      [current_user: current_user, user: user]
+      %{user: current_user, conn: conn} = oauth_access(["read:favourites"], user: current_user)
+      [current_user: current_user, user: user, conn: conn]
     end
 
     test "returns list of statuses favorited by specified user", %{
       conn: conn,
-      current_user: current_user,
       user: user
     } do
       [activity | _] = insert_pair(:note_activity)
@@ -168,7 +144,6 @@ test "returns list of statuses favorited by specified user", %{
 
       response =
         conn
-        |> assign(:user, current_user)
         |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
         |> json_response(:ok)
 
@@ -178,23 +153,18 @@ test "returns list of statuses favorited by specified user", %{
       assert like["id"] == activity.id
     end
 
-    test "returns favorites for specified user_id when user is not logged in", %{
-      conn: conn,
+    test "does not return favorites for specified user_id when user is not logged in", %{
       user: user
     } do
       activity = insert(:note_activity)
       CommonAPI.favorite(activity.id, user)
 
-      response =
-        conn
-        |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
-        |> json_response(:ok)
-
-      assert length(response) == 1
+      build_conn()
+      |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
+      |> json_response(403)
     end
 
     test "returns favorited DM only when user is logged in and he is one of recipients", %{
-      conn: conn,
       current_user: current_user,
       user: user
     } do
@@ -206,25 +176,24 @@ test "returns favorited DM only when user is logged in and he is one of recipien
 
       CommonAPI.favorite(direct.id, user)
 
-      response =
-        conn
-        |> assign(:user, current_user)
-        |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
-        |> json_response(:ok)
+      for u <- [user, current_user] do
+        response =
+          build_conn()
+          |> assign(:user, u)
+          |> assign(:token, insert(:oauth_token, user: u, scopes: ["read:favourites"]))
+          |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
+          |> json_response(:ok)
 
-      assert length(response) == 1
+        assert length(response) == 1
+      end
 
-      anonymous_response =
-        conn
-        |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
-        |> json_response(:ok)
-
-      assert Enum.empty?(anonymous_response)
+      build_conn()
+      |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
+      |> json_response(403)
     end
 
     test "does not return others' favorited DM when user is not one of recipients", %{
       conn: conn,
-      current_user: current_user,
       user: user
     } do
       user_two = insert(:user)
@@ -239,7 +208,6 @@ test "does not return others' favorited DM when user is not one of recipients",
 
       response =
         conn
-        |> assign(:user, current_user)
         |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
         |> json_response(:ok)
 
@@ -248,7 +216,6 @@ test "does not return others' favorited DM when user is not one of recipients",
 
     test "paginates favorites using since_id and max_id", %{
       conn: conn,
-      current_user: current_user,
       user: user
     } do
       activities = insert_list(10, :note_activity)
@@ -262,7 +229,6 @@ test "paginates favorites using since_id and max_id", %{
 
       response =
         conn
-        |> assign(:user, current_user)
         |> get("/api/v1/pleroma/accounts/#{user.id}/favourites", %{
           since_id: third_activity.id,
           max_id: seventh_activity.id
@@ -276,7 +242,6 @@ test "paginates favorites using since_id and max_id", %{
 
     test "limits favorites using limit parameter", %{
       conn: conn,
-      current_user: current_user,
       user: user
     } do
       7
@@ -287,7 +252,6 @@ test "limits favorites using limit parameter", %{
 
       response =
         conn
-        |> assign(:user, current_user)
         |> get("/api/v1/pleroma/accounts/#{user.id}/favourites", %{limit: "3"})
         |> json_response(:ok)
 
@@ -296,12 +260,10 @@ test "limits favorites using limit parameter", %{
 
     test "returns empty response when user does not have any favorited statuses", %{
       conn: conn,
-      current_user: current_user,
       user: user
     } do
       response =
         conn
-        |> assign(:user, current_user)
         |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
         |> json_response(:ok)
 
@@ -314,79 +276,61 @@ test "returns 404 error when specified user is not exist", %{conn: conn} do
       assert json_response(conn, 404) == %{"error" => "Record not found"}
     end
 
-    test "returns 403 error when user has hidden own favorites", %{
-      conn: conn,
-      current_user: current_user
-    } do
+    test "returns 403 error when user has hidden own favorites", %{conn: conn} do
       user = insert(:user, hide_favorites: true)
       activity = insert(:note_activity)
       CommonAPI.favorite(activity.id, user)
 
-      conn =
-        conn
-        |> assign(:user, current_user)
-        |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
+      conn = get(conn, "/api/v1/pleroma/accounts/#{user.id}/favourites")
 
       assert json_response(conn, 403) == %{"error" => "Can't get favorites"}
     end
 
-    test "hides favorites for new users by default", %{conn: conn, current_user: current_user} do
+    test "hides favorites for new users by default", %{conn: conn} do
       user = insert(:user)
       activity = insert(:note_activity)
       CommonAPI.favorite(activity.id, user)
 
-      conn =
-        conn
-        |> assign(:user, current_user)
-        |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
-
       assert user.hide_favorites
+      conn = get(conn, "/api/v1/pleroma/accounts/#{user.id}/favourites")
+
       assert json_response(conn, 403) == %{"error" => "Can't get favorites"}
     end
   end
 
   describe "subscribing / unsubscribing" do
-    test "subscribing / unsubscribing to a user", %{conn: conn} do
-      user = insert(:user)
+    test "subscribing / unsubscribing to a user" do
+      %{user: user, conn: conn} = oauth_access(["follow"])
       subscription_target = insert(:user)
 
-      conn =
+      ret_conn =
         conn
         |> assign(:user, user)
         |> post("/api/v1/pleroma/accounts/#{subscription_target.id}/subscribe")
 
-      assert %{"id" => _id, "subscribing" => true} = json_response(conn, 200)
+      assert %{"id" => _id, "subscribing" => true} = json_response(ret_conn, 200)
 
-      conn =
-        build_conn()
-        |> assign(:user, user)
-        |> post("/api/v1/pleroma/accounts/#{subscription_target.id}/unsubscribe")
+      conn = post(conn, "/api/v1/pleroma/accounts/#{subscription_target.id}/unsubscribe")
 
       assert %{"id" => _id, "subscribing" => false} = json_response(conn, 200)
     end
   end
 
   describe "subscribing" do
-    test "returns 404 when subscription_target not found", %{conn: conn} do
-      user = insert(:user)
+    test "returns 404 when subscription_target not found" do
+      %{conn: conn} = oauth_access(["write:follows"])
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/pleroma/accounts/target_id/subscribe")
+      conn = post(conn, "/api/v1/pleroma/accounts/target_id/subscribe")
 
       assert %{"error" => "Record not found"} = json_response(conn, 404)
     end
   end
 
   describe "unsubscribing" do
-    test "returns 404 when subscription_target not found", %{conn: conn} do
-      user = insert(:user)
+    test "returns 404 when subscription_target not found" do
+      %{conn: conn} = oauth_access(["follow"])
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/pleroma/accounts/target_id/unsubscribe")
+      conn = post(conn, "/api/v1/pleroma/accounts/target_id/unsubscribe")
 
       assert %{"error" => "Record not found"} = json_response(conn, 404)
     end
diff --git a/test/web/pleroma_api/controllers/emoji_api_controller_test.exs b/test/web/pleroma_api/controllers/emoji_api_controller_test.exs
index 3d3becefd..e1b484dae 100644
--- a/test/web/pleroma_api/controllers/emoji_api_controller_test.exs
+++ b/test/web/pleroma_api/controllers/emoji_api_controller_test.exs
@@ -39,9 +39,12 @@ test "shared & non-shared pack information in list_packs is ok" do
 
   test "listing remote packs" do
     admin = insert(:user, is_admin: true)
-    conn = build_conn() |> assign(:user, admin)
+    %{conn: conn} = oauth_access(["admin:write"], user: admin)
 
-    resp = conn |> get(emoji_api_path(conn, :list_packs)) |> json_response(200)
+    resp =
+      build_conn()
+      |> get(emoji_api_path(conn, :list_packs))
+      |> json_response(200)
 
     mock(fn
       %{method: :get, url: "https://example.com/.well-known/nodeinfo"} ->
@@ -123,7 +126,10 @@ test "downloading shared & unshared packs from another instance via download_fro
 
     admin = insert(:user, is_admin: true)
 
-    conn = build_conn() |> assign(:user, admin)
+    conn =
+      build_conn()
+      |> assign(:user, admin)
+      |> assign(:token, insert(:oauth_admin_token, user: admin, scopes: ["admin:write"]))
 
     assert (conn
             |> put_req_header("content-type", "application/json")
@@ -168,8 +174,6 @@ test "downloading shared & unshared packs from another instance via download_fro
 
     # non-shared, downloaded from the fallback URL
 
-    conn = build_conn() |> assign(:user, admin)
-
     assert conn
            |> put_req_header("content-type", "application/json")
            |> post(
@@ -205,8 +209,12 @@ test "downloading shared & unshared packs from another instance via download_fro
         File.write!(pack_file, original_content)
       end)
 
+      admin = insert(:user, is_admin: true)
+      %{conn: conn} = oauth_access(["admin:write"], user: admin)
+
       {:ok,
-       admin: insert(:user, is_admin: true),
+       admin: admin,
+       conn: conn,
        pack_file: pack_file,
        new_data: %{
          "license" => "Test license changed",
@@ -217,10 +225,9 @@ test "downloading shared & unshared packs from another instance via download_fro
     end
 
     test "for a pack without a fallback source", ctx do
-      conn = build_conn()
+      conn = ctx[:conn]
 
       assert conn
-             |> assign(:user, ctx[:admin])
              |> post(
                emoji_api_path(conn, :update_metadata, "test_pack"),
                %{
@@ -250,10 +257,9 @@ test "for a pack with a fallback source", ctx do
           "74409E2674DAA06C072729C6C8426C4CB3B7E0B85ED77792DB7A436E11D76DAF"
         )
 
-      conn = build_conn()
+      conn = ctx[:conn]
 
       assert conn
-             |> assign(:user, ctx[:admin])
              |> post(
                emoji_api_path(conn, :update_metadata, "test_pack"),
                %{
@@ -277,10 +283,9 @@ test "when the fallback source doesn't have all the files", ctx do
 
       new_data = Map.put(ctx[:new_data], "fallback-src", "https://nonshared-pack")
 
-      conn = build_conn()
+      conn = ctx[:conn]
 
       assert (conn
-              |> assign(:user, ctx[:admin])
               |> post(
                 emoji_api_path(conn, :update_metadata, "test_pack"),
                 %{
@@ -304,8 +309,7 @@ test "updating pack files" do
     end)
 
     admin = insert(:user, is_admin: true)
-
-    conn = build_conn()
+    %{conn: conn} = oauth_access(["admin:write"], user: admin)
 
     same_name = %{
       "action" => "add",
@@ -319,8 +323,6 @@ test "updating pack files" do
 
     different_name = %{same_name | "shortcode" => "blank_2"}
 
-    conn = conn |> assign(:user, admin)
-
     assert (conn
             |> post(emoji_api_path(conn, :update_file, "test_pack"), same_name)
             |> json_response(:conflict))["error"] =~ "already exists"
@@ -392,8 +394,7 @@ test "creating and deleting a pack" do
     end)
 
     admin = insert(:user, is_admin: true)
-
-    conn = build_conn() |> assign(:user, admin)
+    %{conn: conn} = oauth_access(["admin:write"], user: admin)
 
     assert conn
            |> put_req_header("content-type", "application/json")
@@ -432,9 +433,9 @@ test "filesystem import" do
     refute Map.has_key?(resp, "test_pack_for_import")
 
     admin = insert(:user, is_admin: true)
+    %{conn: conn} = oauth_access(["admin:write"], user: admin)
 
     assert conn
-           |> assign(:user, admin)
            |> post(emoji_api_path(conn, :import_from_fs))
            |> json_response(200) == ["test_pack_for_import"]
 
@@ -449,11 +450,10 @@ test "filesystem import" do
     File.write!("#{@emoji_dir_path}/test_pack_for_import/emoji.txt", emoji_txt_content)
 
     assert conn
-           |> assign(:user, admin)
            |> post(emoji_api_path(conn, :import_from_fs))
            |> json_response(200) == ["test_pack_for_import"]
 
-    resp = conn |> get(emoji_api_path(conn, :list_packs)) |> json_response(200)
+    resp = build_conn() |> get(emoji_api_path(conn, :list_packs)) |> json_response(200)
 
     assert resp["test_pack_for_import"]["files"] == %{
              "blank" => "blank.png",
diff --git a/test/web/pleroma_api/controllers/mascot_controller_test.exs b/test/web/pleroma_api/controllers/mascot_controller_test.exs
index ae9539b04..40c33e609 100644
--- a/test/web/pleroma_api/controllers/mascot_controller_test.exs
+++ b/test/web/pleroma_api/controllers/mascot_controller_test.exs
@@ -7,10 +7,8 @@ defmodule Pleroma.Web.PleromaAPI.MascotControllerTest do
 
   alias Pleroma.User
 
-  import Pleroma.Factory
-
-  test "mascot upload", %{conn: conn} do
-    user = insert(:user)
+  test "mascot upload" do
+    %{conn: conn} = oauth_access(["write:accounts"])
 
     non_image_file = %Plug.Upload{
       content_type: "audio/mpeg",
@@ -18,12 +16,9 @@ test "mascot upload", %{conn: conn} do
       filename: "sound.mp3"
     }
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> put("/api/v1/pleroma/mascot", %{"file" => non_image_file})
+    ret_conn = put(conn, "/api/v1/pleroma/mascot", %{"file" => non_image_file})
 
-    assert json_response(conn, 415)
+    assert json_response(ret_conn, 415)
 
     file = %Plug.Upload{
       content_type: "image/jpg",
@@ -31,23 +26,18 @@ test "mascot upload", %{conn: conn} do
       filename: "an_image.jpg"
     }
 
-    conn =
-      build_conn()
-      |> assign(:user, user)
-      |> put("/api/v1/pleroma/mascot", %{"file" => file})
+    conn = put(conn, "/api/v1/pleroma/mascot", %{"file" => file})
 
     assert %{"id" => _, "type" => image} = json_response(conn, 200)
   end
 
-  test "mascot retrieving", %{conn: conn} do
-    user = insert(:user)
-    # When user hasn't set a mascot, we should just get pleroma tan back
-    conn =
-      conn
-      |> assign(:user, user)
-      |> get("/api/v1/pleroma/mascot")
+  test "mascot retrieving" do
+    %{user: user, conn: conn} = oauth_access(["read:accounts", "write:accounts"])
 
-    assert %{"url" => url} = json_response(conn, 200)
+    # When user hasn't set a mascot, we should just get pleroma tan back
+    ret_conn = get(conn, "/api/v1/pleroma/mascot")
+
+    assert %{"url" => url} = json_response(ret_conn, 200)
     assert url =~ "pleroma-fox-tan-smol"
 
     # When a user sets their mascot, we should get that back
@@ -57,17 +47,14 @@ test "mascot retrieving", %{conn: conn} do
       filename: "an_image.jpg"
     }
 
-    conn =
-      build_conn()
-      |> assign(:user, user)
-      |> put("/api/v1/pleroma/mascot", %{"file" => file})
+    ret_conn = put(conn, "/api/v1/pleroma/mascot", %{"file" => file})
 
-    assert json_response(conn, 200)
+    assert json_response(ret_conn, 200)
 
     user = User.get_cached_by_id(user.id)
 
     conn =
-      build_conn()
+      conn
       |> assign(:user, user)
       |> get("/api/v1/pleroma/mascot")
 
diff --git a/test/web/pleroma_api/controllers/scrobble_controller_test.exs b/test/web/pleroma_api/controllers/scrobble_controller_test.exs
index 881f8012c..2242610f1 100644
--- a/test/web/pleroma_api/controllers/scrobble_controller_test.exs
+++ b/test/web/pleroma_api/controllers/scrobble_controller_test.exs
@@ -6,16 +6,13 @@ defmodule Pleroma.Web.PleromaAPI.ScrobbleControllerTest do
   use Pleroma.Web.ConnCase
 
   alias Pleroma.Web.CommonAPI
-  import Pleroma.Factory
 
   describe "POST /api/v1/pleroma/scrobble" do
-    test "works correctly", %{conn: conn} do
-      user = insert(:user)
+    test "works correctly" do
+      %{conn: conn} = oauth_access(["write"])
 
       conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/pleroma/scrobble", %{
+        post(conn, "/api/v1/pleroma/scrobble", %{
           "title" => "lain radio episode 1",
           "artist" => "lain",
           "album" => "lain radio",
@@ -27,8 +24,8 @@ test "works correctly", %{conn: conn} do
   end
 
   describe "GET /api/v1/pleroma/accounts/:id/scrobbles" do
-    test "works correctly", %{conn: conn} do
-      user = insert(:user)
+    test "works correctly" do
+      %{user: user, conn: conn} = oauth_access(["read"])
 
       {:ok, _activity} =
         CommonAPI.listen(user, %{
@@ -51,9 +48,7 @@ test "works correctly", %{conn: conn} do
           "album" => "lain radio"
         })
 
-      conn =
-        conn
-        |> get("/api/v1/pleroma/accounts/#{user.id}/scrobbles")
+      conn = get(conn, "/api/v1/pleroma/accounts/#{user.id}/scrobbles")
 
       result = json_response(conn, 200)