diff --git a/drywall/api.py b/drywall/api.py
index 252c444..b7821c7 100644
--- a/drywall/api.py
+++ b/drywall/api.py
@@ -7,7 +7,9 @@
 from drywall import pings
 from drywall import app
 from drywall import config
-from drywall import auth # noqa: F401
+from drywall import auth  # noqa: F401
+from drywall import auth_oauth  # noqa: F401
+from drywall import web  # noqa: F401
 
 import simplejson as json
 from flask import Response, request
@@ -118,18 +120,27 @@ def api_post_conference_child(conference_id, object_type, object_data):
 	"""
 	if not object_data:
 		return pings.response_from_error(2)
+
+	# Check if the conference exists before doing anything else
+	if not db.get_object_as_dict_by_id(conference_id):
+		return pings.response_from_error(4)
+
 	data = object_data.copy()
 	if object_data['object_type'] == "invite":
 		data['conference_id'] = conference_id
 	else:
 		data['parent_conference'] = conference_id
-	return api_post(object_data, object_type=object_type)
+	return api_post(data, object_type=object_type)
 
 def api_get_patch_delete_conference_child(conference_id, object_type, object_id):
 	"""
 	Template for GET/PATCH/DELETE actions on conference members, invites, roles
 	etc.
 	"""
+	# Check if the conference exists before doing anything else
+	if not db.id_taken(conference_id):
+		return pings.response_from_error(4)
+
 	try:
 		object_get = api_get(object_id, object_type=object_type)
 		object_get_id = object_get['id']
@@ -149,12 +160,27 @@ def api_get_patch_delete_conference_child(conference_id, object_type, object_id)
 
 def api_report(report_dict, object_id, object_type=None):
 	"""Template for /api/v1/<type>/<id>/report endpoints."""
-	api_get(object_id, object_type=object_type)
+	try:
+		object_get = api_get(object_id, object_type=object_type)
+		object_get_id = object_get['id']
+	except:
+		return object_get
 
-	new_report_dict = {"target": object_id}
-	if 'note' in report_dict:
+	new_report_dict = {
+		"object_type": "report", "target": object_get_id,
+		"submission_date": 'dummy' # this gets replaced when the object is created
+	}
+
+	if report_dict and 'note' in report_dict:
 		new_report_dict['note'] = report_dict['note']
-	report = objects.make_object_from_dict(new_report_dict)
+
+	try:
+		report = objects.make_object_from_dict(new_report_dict)
+	except TypeError as e:
+		return pings.response_from_error(10, error_message=e)
+		# TODO: differentiate between the possible typeerrors
+	except KeyError as e:
+		return pings.response_from_error(7, error_message=e)
 
 	db.add_object(report)
 	return Response(json.dumps(report.__dict__), status=201, mimetype='application/json')
@@ -163,6 +189,8 @@ def api_report_conference_child(conference_id, report_dict, object_id, object_ty
 	"""
 	Template for POST /api/v1/conference/<conference_id>/<object_type> APIs
 	"""
+	if not db.get_object_as_dict_by_id(conference_id):
+		return pings.response_from_error(4)
 	try:
 		object_get = api_get(object_id, object_type=object_type)
 		object_get['id']
@@ -231,9 +259,6 @@ def api_stash_request():
 
 	return stash
 
-# TODO: Federation, authentication, clients
-# Probably will be in separate files, but I'll note it down here for now
-
 # Accounts
 
 @app.route('/api/v1/accounts', methods=['POST'])
diff --git a/drywall/auth.py b/drywall/auth.py
index 67fb9f8..48c7f08 100644
--- a/drywall/auth.py
+++ b/drywall/auth.py
@@ -1,132 +1,303 @@
 # encoding: utf-8
 """
-Contains code for authentication and OAuth2 support.
+Contains code for user authentication.
+
+OAuth2-related code can be found in the auth_oauth submodule.
 """
+from drywall.auth_models import User
 from drywall import app
 from drywall import db
 from drywall import objects
-from drywall import utils
 
 from flask import render_template, flash, request, redirect, session, url_for
 from email_validator import validate_email, EmailNotValidError
-from uuid import uuid4 # For client IDs
-from secrets import token_hex # For client secrets
-# We're using these functions for now; if anyone has any suggestions for
-# whether this is secure or not, see issue #3
+import re
+from sqlalchemy.exc import NoResultFound
+from sqlalchemy.orm import Session
 from werkzeug.security import check_password_hash
 from werkzeug.security import generate_password_hash
 
-##########
-# OAuth2 #
-##########
-
-class Client:
-	"""Contains information about OAuth2 clients."""
-	client_keys = ['client_id', 'client_secret', 'name', 'description',
-	               'scopes', 'owner', 'type', 'account_id']
-
-def create_client(client_dict):
-	"""Creates a client from a basic client dict."""
-	client_dict['client_id'] = str(uuid4())
-	client_dict['client_secret'] = token_hex(16)
-	if client_dict['type'] == "bot":
-		account_proto_dict = {"type": "object", "object_type": "account",
-		                 "username": client_dict["name"]}
-		account_object = objects.Account(account_proto_dict)
-		account_dict = db.add_object(account_object)
-		client_dict['account_id'] = account_dict['id']
-	return db.add_client(utils.validate_dict(client_dict, Client.client_keys))
-
-def edit_client(client_id, client_dict):
-	"""Creates a client from a basic client dict."""
-	if client_dict['type'] == "bot":
-		print(client_dict)
-		account_dict = db.get_object_as_dict_by_id(client_dict["account_id"])
-		if not account_dict:
-			raise KeyError
-		account_dict["username"] = client_dict["name"]
-		account_dict = db.push_object(client_dict["account_id"], objects.Account(account_dict, force_id=client_dict["account_id"]))
-	return db.update_client(client_id, utils.validate_dict(client_dict, Client.client_keys))
-
-
-#################
-# User accounts #
-#################
+# Helper functions
+
+def can_account_access(account_id, object):
+	"""
+	Takes an account ID and an object dict and checks if the provided object
+	can be accessed by the provided account.
+
+	Note that this function uses Account object IDs, not user IDs.
+	"""
+	if not object:
+		return False
+
+	object_type = object['object_type']
+
+	if object_type == 'message':
+		return can_account_access(account_id, db.get_object_as_dict_by_id(object['parent_channel']))
+
+	elif object_type == 'channel':
+		channel_type = object['channel_type']
+		if channel_type == 'text' or channel_type == 'media':
+			if can_account_access(account_id, db.get_object_dict_by_id(object['parent_conference'])):
+				return True
+			return False
+		elif channel_type == 'direct_message':
+			if account_id in object['members']:
+				return True
+			else:
+				return False
+
+	elif object_type == 'conference':
+		conference_member = db.get_object_by_key_dict_value("conference_member", {"account_id": account_id})
+		if not conference_member:
+			return False
+
+		if conference_member in object['members']:
+			return True
+		else:
+			return False
+
+	elif object_type in ['conference_member', 'role']:
+		return can_account_access(account_id, db.get_object_dict_by_id(object['parent_conference']))
+
+	elif object_type == 'report':
+		if object['creator'] == account_id:
+			return True
+		elif is_account_admin(account_id):
+			return True
+		return False
+
+	elif object_type in ['instance', 'account', 'invite', 'emoji']:
+		return True
+
+def is_account_admin(account_id):
+	"""
+	Gets a user by the provided account ID and checks if the user is an admin
+	on the local instance. Returns True or False.
+	"""
+	with Session(db.engine) as db_session:
+		try:
+			user = db_session.query(User).filter(User.account_id == account_id).one()
+		except NoResultFound:
+			return False
+		return user.is_admin
+
+def login(user):
+	"""
+	Takes a dict created from a User object and logs in as the provided user.
+	"""
+	session.clear()
+	session["user_id"] = user['id']
+	session["account_id"] = user['account_id']
+
+# User management functions
+
+def current_user():
+	"""Returns the logged-in user. Returns None if not logged in."""
+	with Session(db.engine) as db_session:
+		if 'user_id' in session:
+			uid = session['user_id']
+			return db_session.query(User).get(uid)
+		return None
+
+def username_valid(username):
+	"""
+	Validates an username. Returns True if the provided username is valid,
+	False otherwise.
+	"""
+	if not username:
+		return False
+	if re.match(r'^[A-Za-z0-9_-]+$', username) and username.isascii():
+		return True
+	return False
+
+def get_user_by_id(user_id):
+	"""
+	Gets a user by the provided user ID. Returns a dict with the user's
+	values.
+	"""
+	with Session(db.engine) as db_session:
+		try:
+			user = db_session.query(User).get(user_id)
+		except NoResultFound:
+			return None
+		return user.to_dict()
+
+def get_user_by_account_id(account_id):
+	"""
+	Gets a user by the provided account ID. Returns a dict with the user's
+	values.
+	"""
+	with Session(db.engine) as db_session:
+		try:
+			user = db_session.query(User).filter(User.account_id == account_id).one()
+		except NoResultFound:
+			return None
+		return user.to_dict()
+
+def get_user_by_email(email):
+	"""
+	Returns a dict created from the User object with the provided e-mail
+	address.
+
+	If not found, returns None.
+	"""
+	with Session(db.engine) as db_session:
+		try:
+			user = db_session.query(User).filter(User.email == email).one()
+		except NoResultFound:
+			return None
+		return user.to_dict()
+
+def user_value_validation(username, email):
+	"""
+	Does some basic validation on the provided user values.
+	Returns the validated e-mail address, for convenience.
+	"""
+	if username:
+		if db.get_object_by_key_value_pair("account", {"username": username}):
+			raise ValueError("Username taken.")
+		if not username_valid(username):
+			raise ValueError("Invalid username. Your username can only contain alphanumeric characters, and the special characters '-' and '_'.")
+	if email:
+		if get_user_by_email(email):
+			raise ValueError("E-mail already in use.")
+		try:
+			return validate_email(email).email
+		except EmailNotValidError:
+			raise ValueError("Provided e-mail is invalid.")
 
 def register_user(username, email, password):
 	"""
-	Registers a new user. Returns the Account object for the newly created
-	user.
+	Registers a new user. Returns a dict with the values of the
+	resulting User object.
 
 	Raises a ValueError if the username or email is already taken.
 	"""
-	# Do some basic validation
-	if db.get_object_by_key_value_pair("account", {"username": username}):
-		raise ValueError("Username taken.")
-	if db.get_user_by_email(email):
-		raise ValueError("E-mail already in use.")
+	# user_value_validation returns the valid e-mail, for convenience's sake
+	valid_email = user_value_validation(username, email)
+
 	# Create an Account object for the user
 	account_object = {"type": "object", "object_type": "account",
-	                   "username": username, "icon": "stub", "email": email}
+						"username": username, "icon": "stub",
+						"email": valid_email}
 	account_object_valid = objects.make_object_from_dict(account_object)
 	added_object = db.add_object(account_object_valid)
 	account_id = added_object['id']
+
 	# Add the user to the user database
-	user_dict = {"username": username, "account_id": account_id, "email": email,
-	              "password": generate_password_hash(password)}
-	db.add_user(user_dict)
+	new_user = User(username=username, account_id=account_id,
+				email=valid_email, password=generate_password_hash(password))
 
-@app.route('/auth/sign_up', methods=["GET", "POST"])
-def auth_signup():
-	"""Sign-up page."""
+	with Session(db.engine) as db_session:
+		db_session.add(new_user)
+		db_session.commit()
+		return new_user.to_dict()
+
+
+def edit_user(user_id, _edit_dict):
+	"""
+	Edits a user using the values provided in the edit dict, which contains:
+
+	- username
+	- email
+	- account_id
+	"""
+	user_dict = get_user_by_id(user_id)
+
+	edit_dict = {}
+	for key in ['username', 'email', 'account_id']:
+		edit_dict[key] = _edit_dict[key]
+
+	username = None
+	if 'username' in edit_dict and edit_dict['username'] != user_dict['username']:
+		username = edit_dict['username']
+	email = None
+	if 'email' in edit_dict and edit_dict['email'] != user_dict['email']:
+		email = edit_dict['email']
+	if not username and not email:
+		return
+
+	account_id = edit_dict['account_id']
+	account_dict = db.get_object_as_dict_by_id(account_id)
+
+	# user_value_validation returns the valid e-mail, for convenience's sake
+	valid_email = user_value_validation(username, email)
+
+	if username:
+		account_dict['username'] = username,
+		user_dict['username'] = account_dict['username']
+	if email:
+		account_dict['email'] = valid_email
+		user_dict['email'] = valid_email
+
+	try:
+		new_account = objects.make_object_from_dict(account_dict, extend=account_id)
+		db.push_object(account_id, new_account)
+		del edit_dict['account_id']
+
+		with Session(db.engine) as db_session:
+			new_user = db_session.query(User).get(user_id)
+			for key, value in edit_dict.items():
+				setattr(new_user, key, value)
+			db_session.commit()
+
+	except (KeyError, ValueError, TypeError) as e:
+		raise e
+
+	return user_dict
+
+# Pages
+
+@app.route('/auth/login', methods=["GET", "POST"])
+def auth_login():
+	"""Login page."""
 	if request.method == "POST":
-		username = request.form["username"]
 		email = request.form["email"]
 		password = request.form["password"]
 		try:
 			valid_email = validate_email(email).email
-			register_user(username, valid_email, password)
+			user = get_user_by_email(valid_email)
+			if not user:
+				raise ValueError("User with provided email does not exist.")
+			with Session(db.engine):
+				if not check_password_hash(user.password, password):
+					raise ValueError("Invalid password.")
 		except (ValueError, EmailNotValidError) as e:
 			flash(str(e))
 		else:
-			session.clear()
-			user = db.get_user_by_email(valid_email)
-			session["user_id"] = user["account_id"]
+			login(user)
 			return redirect(url_for("client_page"))
 
+	if "user_id" in session:
+		return redirect(url_for("client_page"))
 	instance = db.get_object_as_dict_by_id("0")
-	return render_template("auth/sign_up.html",
-	                       instance_name=instance["name"],
-	                       instance_description=instance["description"],
-	                       instance_domain=instance["address"])
+	return render_template("auth/login.html",
+							instance_name=instance["name"],
+							instance_description=instance["description"],
+							instance_domain=instance["address"])
 
-@app.route('/auth/login', methods=["GET", "POST"])
-def auth_login():
-	"""Login page."""
+@app.route('/auth/sign_up', methods=["GET", "POST"])
+def auth_signup():
+	"""Sign-up page."""
 	if request.method == "POST":
+		username = request.form["username"]
 		email = request.form["email"]
 		password = request.form["password"]
 		try:
 			valid_email = validate_email(email).email
-			user = db.get_user_by_email(valid_email)
-			if not user:
-				raise ValueError("User with provided email does not exist.")
-			if not check_password_hash(user['password'], password):
-				raise ValueError("Invalid password.")
+			register_user(username, email, password)
 		except (ValueError, EmailNotValidError) as e:
 			flash(str(e))
 		else:
-			session.clear()
-			session["user_id"] = user["account_id"]
+			user = get_user_by_email(valid_email)
+			login(user)
 			return redirect(url_for("client_page"))
 
-	if "user_id" in session:
-		return redirect(url_for("client_page"))
 	instance = db.get_object_as_dict_by_id("0")
-	return render_template("auth/login.html",
-	                       instance_name=instance["name"],
-	                       instance_description=instance["description"],
-	                       instance_domain=instance["address"])
+	return render_template("auth/sign_up.html",
+							instance_name=instance["name"],
+							instance_description=instance["description"],
+							instance_domain=instance["address"])
 
 @app.route('/auth/logout', methods=["GET", "POST"])
 def auth_logout():
diff --git a/drywall/auth_models.py b/drywall/auth_models.py
new file mode 100644
index 0000000..d7d4735
--- /dev/null
+++ b/drywall/auth_models.py
@@ -0,0 +1,245 @@
+# coding: utf-8
+"""
+Contains SQLAlchemy models for authentication.
+"""
+from drywall import db_models
+from drywall.db_models import Base
+
+from authlib.common.encoding import json_loads, json_dumps
+from authlib.oauth2.rfc6749 import ClientMixin, TokenMixin, AuthorizationCodeMixin
+# FIXME: these functions appear to be missing, fix this once AuthLib 1.0 is out
+# from authlib.oauth2.rfc6749 import scope_to_list, list_to_scope
+from authlib.common.encoding import to_unicode
+import time
+from sqlalchemy import Column, ForeignKey, Integer, String, Text, Boolean
+from sqlalchemy.orm import relationship
+from sqlalchemy_serializer import SerializerMixin
+
+class ClientSerializerMixin(SerializerMixin):
+	"""
+	Special serializer mixin for Client objects, which handles
+	the client_metadata variable.
+	"""
+	def to_dict(self, **kwargs):
+		serialized_dict = super().to_dict(**kwargs)
+		serialized_dict['client_metadata'] = self.client_metadata
+		del serialized_dict['_client_metadata']
+		return serialized_dict
+
+class User(Base, SerializerMixin):
+	"""
+	Contains information about a registered user.
+	Not to be confused with Account objects.
+	"""
+	__tablename__ = 'users'
+	id = Column(Integer, primary_key=True) # Integer, to differentiate from account IDs
+	account_id = Column(String(255), ForeignKey('account.id'), nullable=False)
+	account = relationship(db_models.Account)
+	username = Column(String(255))
+	email = Column(String(255))
+	password = Column(Text)
+	is_admin = Column(Boolean, default=False, nullable=False)
+
+	def get_user_id(self):
+		return self.id
+
+class Client(Base, ClientMixin, ClientSerializerMixin):
+	"""Authlib-compatible Client model"""
+	__tablename__ = 'clients'
+	client_id = Column(String(48), index=True, primary_key=True) # in uuid4 format
+	client_secret = Column(String(120))
+	client_id_issued_at = Column(Integer, nullable=False, default=0)
+	client_secret_expires_at = Column(Integer, nullable=False, default=0)
+	_client_metadata = Column('client_metadata', Text)
+
+	client_type = Column(String(255), nullable=False)
+
+	owner_id = Column(Integer, ForeignKey('users.id', ondelete='CASCADE'))
+	owner = relationship('User')
+
+	bot_account_id = Column(String(255), ForeignKey('account.id', ondelete='CASCADE'))
+	bot_account = relationship('db_models.Account')
+
+	# -*-*- AuthLib stuff begins here -*-*-
+	def get_client_id(self):
+		return self.client_id
+
+	def get_default_redirect_uri(self):
+		return self.client_metadata['client_uri']
+
+	def get_allowed_scope(self, scope):
+		if not scope:
+			return ''
+		allowed = set(self.scope.split())
+		scopes = scope_to_list(scope)
+		return list_to_scope([s for s in scopes if s in allowed])
+
+	def check_redirect_uri(self, redirect_uri):
+		return redirect_uri in self.redirect_uris
+
+	def has_client_secret(self):
+		return bool(self.client_secret)
+
+	def check_client_secret(self, client_secret):
+		return self.client_secret == client_secret
+
+	def check_endpoint_auth_method(self, method, endpoint):
+		if endpoint == 'token':
+			return self.token_endpoint_auth_method == method
+		return True
+
+	def check_response_type(self, response_type):
+		return response_type in self.response_types
+
+	def check_grant_type(self, grant_type):
+		return grant_type in self.grant_types
+
+	@property
+	def client_info(self):
+		"""Implementation for Client Info in OAuth 2.0 Dynamic Client
+		Registration Protocol via `Section 3.2.1`_.
+		.. _`Section 3.2.1`: https://tools.ietf.org/html/rfc7591#section-3.2.1
+		"""
+		return dict(
+			client_id=self.client_id,
+			client_secret=self.client_secret,
+			client_id_issued_at=self.client_id_issued_at,
+			client_secret_expires_at=self.client_secret_expires_at,
+		)
+
+	@property
+	def client_metadata(self):
+		if 'client_metadata' in self.__dict__:
+			return self.__dict__['client_metadata']
+		if self._client_metadata:
+			data = json_loads(self._client_metadata)
+			self.__dict__['client_metadata'] = data
+			return data
+		return {}
+
+	def set_client_metadata(self, value):
+		self._client_metadata = json_dumps(value)
+
+	@property
+	def grant_types(self):
+		return self.client_metadata.get('grant_types', [])
+
+	@property
+	def response_types(self):
+		return self.client_metadata.get('response_types', [])
+
+	@property
+	def client_name(self):
+		return self.client_metadata.get('client_name')
+
+	@property
+	def client_uri(self):
+		return self.client_metadata.get('client_uri')
+
+	@property
+	def logo_uri(self):
+		return self.client_metadata.get('logo_uri')
+
+	@property
+	def scope(self):
+		return self.client_metadata.get('scope', '')
+
+class Token(Base, TokenMixin):
+	"""Authlib-compatible Token model"""
+	__tablename__ = 'tokens'
+	id = Column(String(255), primary_key=True) # In uuid4 format
+
+	user_id = Column(Integer, ForeignKey('users.id', ondelete='CASCADE'))
+	account_id = Column(String, ForeignKey('account.id', ondelete='CASCADE'))
+
+	client_id = Column(String(48))
+	token_type = Column(String(40))
+	access_token = Column(String(255), unique=True, nullable=False)
+	refresh_token = Column(String(255), index=True)
+	scope = Column(Text, default='')
+	issued_at = Column(
+		Integer, nullable=False, default=lambda: int(time.time())
+	)
+	access_token_revoked_at = Column(Integer, nullable=False, default=0)
+	refresh_token_revoked_at = Column(Integer, nullable=False, default=0)
+	expires_in = Column(Integer, nullable=False, default=0)
+
+	def check_client(self, client):
+		return self.client_id == client.get_client_id()
+
+	def get_scope(self):
+		return self.scope
+
+	def get_expires_in(self):
+		return self.expires_in
+
+	def is_revoked(self):
+		return self.access_token_revoked_at or self.refresh_token_revoked_at
+
+	def is_expired(self):
+		if not self.expires_in:
+			return False
+
+		expires_at = self.issued_at + self.expires_in
+		return expires_at < time.time()
+
+	def is_refresh_token_valid(self):
+		if self.is_expired() or self.is_revoked():
+			return False
+		return True
+
+# FIXME: This should ideally be stored in a cache like Redis. Caching is
+#        veeeery far on our TODO list though, so we've got time.
+class AuthorizationCode(Base, AuthorizationCodeMixin):
+	__tablename__ = 'authcodes'
+	id = Column(Integer, primary_key=True)
+
+	code = Column(String(120), unique=True, nullable=False)
+	client_id = Column(String(48))
+	redirect_uri = Column(Text, default='')
+	response_type = Column(Text, default='')
+	scope = Column(Text, default='')
+	nonce = Column(Text)
+	auth_time = Column(
+		Integer, nullable=False,
+		default=lambda: int(time.time())
+	)
+
+	user_id = Column(Integer, ForeignKey('users.id', ondelete='CASCADE'))
+	account_id = Column(String(255), ForeignKey('account.id', ondelete='CASCADE'))
+
+	code_challenge = Column(Text)
+	code_challenge_method = Column(String(48))
+
+	def is_expired(self):
+		return self.auth_time + 300 < time.time()
+
+	def get_redirect_uri(self):
+		return self.redirect_uri
+
+	def get_scope(self):
+		return self.scope
+
+	def get_auth_time(self):
+		return self.auth_time
+
+	def get_nonce(self):
+		return self.nonce
+
+# FIXME: temporary until authlib 1.0 is released
+def list_to_scope(scope):
+	"""Convert a list of scopes to a space separated string."""
+	if isinstance(scope, (set, tuple, list)):
+		return " ".join([to_unicode(s) for s in scope])
+	if scope is None:
+		return scope
+	return to_unicode(scope)
+
+
+def scope_to_list(scope):
+	"""Convert a space separated string to a list of scopes."""
+	if isinstance(scope, (tuple, list, set)):
+		return [to_unicode(s) for s in scope]
+	elif scope is None:
+		return None
+	return scope.strip().split()
diff --git a/drywall/auth_oauth.py b/drywall/auth_oauth.py
new file mode 100644
index 0000000..6367c08
--- /dev/null
+++ b/drywall/auth_oauth.py
@@ -0,0 +1,368 @@
+# coding: utf-8
+"""
+Contains the necessary Authlib setup bits for OAuth2.
+
+This code is, admittedly, a huge mess. If you're familiar with Authlib,
+feel free to send a MR with cleanups where you deem necessary.
+"""
+from drywall.auth_models import User, Client, Token, AuthorizationCode
+from drywall.auth import current_user, username_valid
+from drywall import app
+from drywall import db
+from drywall import objects
+# FIXME: temporary until authlib 1.0 is released
+from drywall.auth_models import list_to_scope
+
+from authlib.integrations.flask_oauth2 import AuthorizationServer, ResourceProtector
+from authlib.oauth2 import OAuth2Error
+from authlib.oauth2.rfc6749 import grants
+from authlib.oauth2.rfc6750 import BearerTokenValidator
+from authlib.oauth2.rfc7009 import RevocationEndpoint
+from authlib.oauth2.rfc7636 import CodeChallenge
+from flask import render_template, redirect, url_for
+import flask
+from secrets import token_urlsafe
+from sqlalchemy.orm import Session
+import time
+from uuid import uuid4
+
+# Client-related functions
+
+def get_clients_owned_by_user(owner_id):
+	"""
+	Returns a list of Client dicts owned by the user with the provided ID.
+
+	Returns None if none are found.
+	"""
+	clients = []
+	with Session(db.engine) as db_session:
+		query = db_session.query(Client).\
+				filter(Client.owner_id == owner_id).all() # noqa: ET126
+		if not query:
+			return []
+		for client in query:
+			clients.append(client.to_dict())
+		return clients
+
+def get_auth_tokens_for_user(user_id):
+	"""
+	Returns a list of AuthorizationCode objects which act on behalf of
+	the user with the provided ID.
+
+	Returns None if none are found.
+	"""
+	tokens = []
+	with Session(db.engine) as db_session:
+		query = db_session.query(AuthorizationCode).\
+				filter(AuthorizationCode.user_id == user_id).all() # noqa: ET126
+		if not query:
+			return []
+		for token in query:
+			tokens.append(token)
+		return tokens
+
+def get_client_by_id(client_id):
+	"""
+	Returns a dict from a Client object with the provided ID.
+
+	Returns None if a client with the given ID is not found.
+	"""
+	with Session(db.engine) as db_session:
+		client = db_session.query(Client).get(client_id)
+		if not client:
+			return None
+		return client.to_dict()
+
+def get_client_if_owned_by_user(user_id, client_id):
+	"""
+	Returns a dict from a Client object if the user with the provided ID
+	is its owner.
+
+	Returns False if the client is not owned by the user.
+	Returns None if a client with the given ID is not found.
+	"""
+	client = get_client_by_id(client_id)
+	if not client:
+		return None
+	if not client['owner_id'] == user_id:
+		return False
+	return client
+
+def create_client(client_dict):
+	"""
+	Creates a new client from the provided client dict, which contains
+	the following variables:
+
+	- name (string) - contains the name of the client.
+	- description (string) - contains the description.
+	- type (string) - 'userapp' or 'bot'
+	- uri  (string) - contains URI
+	- scopes (list) - list of chosen scopes
+	- owner_id (id) - user ID of the creator
+	- owner_account_id (id) - account ID of the creator
+
+	This automatically creates an account in case of a bot account, and
+	adds the resulting client to the database.
+
+	Returns the created client.
+	"""
+	if 'description' not in client_dict.keys():
+		client_dict['description'] = ""
+
+	with Session(db.engine) as db_session:
+		client = Client(
+			client_id=str(uuid4()),
+			client_id_issued_at=int(time.time()),
+			client_type=client_dict['type'],
+			owner_id=client_dict['owner_id']
+		)
+
+		client_metadata = {
+			"client_name": client_dict['name'],
+			"client_description": client_dict['description'],
+			"grant_types": ['authorization_code', 'implicit', 'refreshtoken'],
+			"client_uri": client_dict['uri'],
+			"redirect_uris": client_dict['uri'],
+			"response_types": ['code'],
+			"scope": list_to_scope(client_dict['scopes']),
+			"token_endpoint_auth_method": 'client_secret_password'
+		}
+		client.set_client_metadata(client_metadata)
+
+		client.client_secret = token_urlsafe(32)
+
+		if client_dict['type'] == 'bot':
+			if not username_valid(client_dict['name']):
+				raise ValueError('Invalid username for bot account!')
+			account_dict = {
+				"object_type": "account",
+				"username": client_dict['name'],
+				"bot": True,
+				"bot_owner": client_dict['owner_account_id']
+			}
+			account_object = objects.make_object_from_dict(account_dict)
+			db.add_object(account_object)
+			client.bot_account_id = vars(account_object)['id']
+
+		db_session.add(client)
+		db_session.commit()
+		return client.to_dict()
+
+def edit_client(client_id, client_dict):
+	"""
+	Updates the client in the database with the provided variables.
+
+	Returns the updated client as a dict.
+	"""
+	with Session(db.engine) as db_session:
+		client = db_session.query(Client).get(client_id)
+		if not client:
+			return None
+
+		client_metadata = client.client_metadata.copy()
+		for val in ['name', 'description', 'uri', 'scopes']:
+			if val in client_dict:
+				if val == 'scopes':
+					client_metadata["scope"] = list_to_scope(client_dict['scopes'])
+				else:
+					client_metadata["client_" + val] = client_dict[val]
+		client.set_client_metadata(client_metadata)
+
+		if client.client_type == 'bot' and 'name' in client_dict:
+			account_id = client.bot_account_id
+			account = db.get_object_as_dict_by_id(account_id)
+			if account['username'] != client_dict['name']:
+				if not username_valid(client_dict['name']):
+					raise ValueError('Invalid username for bot account!')
+				account['username'] = client_dict['name']
+				account_object = objects.make_object_from_dict(account, extend=account_id)
+				db.push_object(account_id, account_object)
+
+		db_session.commit()
+		# FIXME: This should return client.to_dict() but that doesn't update
+		#        client_metadata for some reason.
+		return get_client_by_id(client_id)
+
+def remove_client(client_id):
+	"""
+	Removes a client by ID. Returns the deleted client's ID.
+	"""
+	with Session(db.engine) as db_session:
+		client = db_session.query(Client).get(client_id)
+		if not client:
+			return None
+		db_session.delete(client)
+		db_session.commit()
+	return client_id
+
+#
+# -*-*- AuthLib stuff starts here -*-*-
+#
+
+# Helper functions
+
+def query_client(client_id):
+	"""Gets a Client object by ID. Returns None if not found."""
+	with Session(db.engine) as db_session:
+		return db_session.query(Client).filter_by(client_id=client_id).first()
+
+def save_token(token_data, request):
+	"""Saves a token to the database."""
+	if request.user:
+		user_id = request.user.get_user_id()
+		account_id = request.user.account_id
+	else:
+		user_id = request.client.user_id
+		user_id = request.client.account_id
+	with Session(db.engine) as db_session:
+		token = Token(
+			client_id=request.client.client_id,
+			user_id=user_id,
+			account_id=account_id,
+			**token_data
+		)
+		db_session.add(token)
+		db_session.commit()
+
+
+# Initialize the authorization server.
+authorization_server = AuthorizationServer(
+	app, query_client=query_client, save_token=save_token
+)
+
+authorization_server.init_app(app)
+
+# Implement available grants
+# In our case, these are: AuthorizationCode, Implicit, RefreshToken
+class AuthorizationCodeGrant(grants.AuthorizationCodeGrant):
+	TOKEN_ENDPOINT_AUTH_METHODS = ['client_secret_basic', 'client_secret_post']
+
+	def save_authorization_code(self, code, request):
+		client = request.client
+		with Session(db.engine) as db_session:
+			auth_code = AuthorizationCode(
+				code=code,
+				client_id=client.client_id,
+				redirect_uri=request.redirect_uri,
+				scope=request.scope,
+				user_id=request.user.id,
+				account_id=request.user.account_id,
+			)
+			db_session.add(auth_code)
+			db_session.commit()
+			return auth_code
+
+	def query_authorization_code(self, code, client):
+		with Session(db.engine) as db_session:
+			item = db_session.query(AuthorizationCode).filter_by(code=code, client_id=client.client_id).first()
+			if item and not item.is_expired():
+					return item
+
+	def delete_authorization_code(self, authorization_code):
+		with Session(db.engine) as db_session:
+			db_session.delete(authorization_code)
+			db_session.commit()
+
+	def authenticate_user(self, authorization_code):
+		with Session(db.engine) as db_session:
+			return db_session.query(User).get(authorization_code.user_id)
+
+
+class RefreshTokenGrant(grants.RefreshTokenGrant):
+	def authenticate_refresh_token(self, refresh_token):
+		with Session(db.engine) as db_session:
+			item = db_session.query(Token).filter_by(refresh_token=refresh_token).first()
+			if item and item.is_refresh_token_valid():
+				return item
+
+	def authenticate_user(self, credential):
+		with Session(db.engine) as db_session:
+			return db_session.query(User).get(credential.user_id)
+
+	def revoke_old_credential(self, credential):
+		with Session(db.engine) as db_session:
+			credential.revoked = True
+			db_session.add(credential)
+			db_session.commit()
+
+
+# Register all the grant endpoints
+authorization_server.register_grant(AuthorizationCodeGrant, [CodeChallenge(required=False)])
+authorization_server.register_grant(grants.ImplicitGrant)
+authorization_server.register_grant(RefreshTokenGrant)
+
+# Add revocation endpoint
+class _RevocationEndpoint(RevocationEndpoint):
+	def query_token(self, token, token_type_hint, client):
+		q = Token.query.filter_by(client_id=client.client_id)
+		if token_type_hint == 'access_token':
+				return q.filter_by(access_token=token).first()
+		elif token_type_hint == 'refresh_token':
+				return q.filter_by(refresh_token=token).first()
+		# without token_type_hint
+		item = q.filter_by(access_token=token).first()
+		if item:
+				return item
+		return q.filter_by(refresh_token=token).first()
+
+	def revoke_token(self, token):
+		token.revoked = True
+		db.session.add(token)
+		db.session.commit()
+
+
+authorization_server.register_endpoint(_RevocationEndpoint)
+
+# Define resource server/resource protector
+class _BearerTokenValidator(BearerTokenValidator):
+	def authenticate_token(self, token_string):
+		return Token.query.filter_by(access_token=token_string).first()
+
+	def request_invalid(self, request):
+		return False
+
+	def token_revoked(self, token):
+		return token.revoked
+
+
+require_oauth = ResourceProtector()
+require_oauth.register_token_validator(_BearerTokenValidator())
+
+# Flask endpoints
+
+@app.route('/oauth/authorize', methods=['GET', 'POST'])
+def authorize():
+	"""
+	OAuth2 authorization endpoint. Shows an authentication dialog for the
+	logged-in user, which allows them to see the permissions required
+	by the app they're authenticating.
+	"""
+	user = current_user()
+	if not user:
+		return redirect(url_for('auth_login', next=flask.request.url))
+	if flask.request.method == 'GET':
+		try:
+			grant = authorization_server.validate_consent_request(end_user=user)
+		except OAuth2Error as error:
+			return str(error), 400
+		return render_template('auth/oauth_authorize.html', user=user, grant=grant)
+	grant_user = user
+	return authorization_server.create_authorization_response(grant_user=grant_user)
+
+@app.route('/oauth/revoke', methods=['POST'])
+def revoke_token():
+	"""OAuth2 token revocation endpoint."""
+	return authorization_server.create_endpoint_response(_RevocationEndpoint.ENDPOINT_NAME)
+
+@app.route('/oauth/token', methods=['POST'])
+def issue_token():
+	"""OAuth2 token issuing endpoint."""
+	return authorization_server.create_token_response()
+
+@app.route('/oauth/authorize/success', methods=['GET'])
+def authorize_success():
+	"""
+	Default redirect URI.
+	"""
+	return flask.render_template('auth/oauth_code_uri.html',
+		code=flask.request.args.get('code'))
diff --git a/drywall/db.py b/drywall/db.py
index f25d0ff..671523e 100644
--- a/drywall/db.py
+++ b/drywall/db.py
@@ -6,6 +6,7 @@
 from sqlalchemy import create_engine
 from sqlalchemy.orm import Session
 from drywall import db_models as models
+from drywall import auth_models # noqa: F401
 from drywall import config
 
 # !!! IMPORTANT !!! --- !!! IMPORTANT !!! --- !!! IMPORTANT !!!
@@ -29,10 +30,6 @@
 
 models.Base.metadata.create_all(engine)
 
-# The current client DB functions are due to be deprecated once we add authlib
-# support. Thus, we'll re-use the old dummy DB backend functions for it.
-client_db = {}
-
 # Helper functions
 
 def clean_object_dict(object_dict, object_type):
@@ -159,93 +156,3 @@ def get_object_by_key_value_pair(object_type, key_value_dict, limit_objects=Fals
 		return matches
 	else:
 		return None
-
-# Users
-
-def get_user_by_email(email):
-	"""
-	Returns an user's username on the server by email. If not found, returns
-	None.
-	"""
-	user_dict = None
-	with Session(engine) as session:
-		query = session.query(models.User).get(email)
-		if query:
-			user_dict = query.to_dict()
-	return user_dict
-
-def add_user(user_dict):
-	"""Adds a new user to the database."""
-	with Session(engine) as session:
-		new_user = models.User()
-		for key in ['account_id', 'username', 'email', 'password']:
-			setattr(new_user, key, user_dict[key])
-		session.add(new_user)
-		session.commit()
-		new_user_dict = new_user.to_dict()
-	return new_user_dict
-
-def update_user(user_email, user_dict):
-	"""Edits a user in the database."""
-	with Session(engine) as session:
-		object = session.query(models.User).get(user_email)
-		if user_email != user_dict['email']:
-			if get_user_by_email(user_email):
-				raise ValueError("E-mail is taken")
-		for key in ['account_id', 'username', 'email', 'password']:
-			setattr(object, key, user_dict[key])
-		session.commit()
-		new_user_dict = object.to_dict()
-	return new_user_dict
-
-def remove_user(email):
-	"""Removes a user from the database."""
-	# This will be implemented once we can figure out all the related
-	# side-effects, like removing/adding stubs to orphaned objects or
-	# removing the user's Account object.
-	raise Exception('stub')
-
-# Clients
-
-def get_client_by_id(client_id):
-	"""Returns a client dict by client ID. Returns None if not found."""
-	if id in client_db:
-		return client_db['id']
-	return None
-
-def get_clients_for_user(user_id, access_type):
-	"""Returns a dict containing all clients owned/given access to by an user."""
-	return_dict = {}
-	if access_type == "owner":
-		for client_dict in client_db.values():
-			if client_dict['owner'] == user_id:
-				return_dict[client_dict['client_id']] == client_dict
-	elif access_type == "user":
-		# TODO: We should let people view the apps they're using and
-		# revoke access if needed. This will most likely require adding
-		# an extra variable to the user dict for used applications, which
-		# we could then iterate using simmilar code as above.
-		# For now, we'll stub this.
-		raise Exception('stub')
-	else:
-		raise ValueError
-	if return_dict:
-		return return_dict
-	return None
-
-def add_client(client_dict):
-	"""Adds a new client to the database."""
-	client_db[client_dict['id']] = client_dict
-	return client_dict
-
-def update_client(client_id, client_dict):
-	"""Updates an existing client"""
-	client_db[client_id] = client_dict
-	return client_dict
-
-def remove_client(client_id):
-	"""Removes a client from the database."""
-	del client_db[client_id]
-	# TODO: Handle removing removed clients from "used applications" variables
-	# in user info; since we don't implement this yet, there's no code for it
-	return client_id
diff --git a/drywall/db_models.py b/drywall/db_models.py
index 9319e4d..60b3cab 100644
--- a/drywall/db_models.py
+++ b/drywall/db_models.py
@@ -74,7 +74,7 @@ class ConferenceMember(Base, CustomSerializerMixin):
 	__tablename__ = 'conference_member'
 
 	id = Column('id', String(255), primary_key=True)
-	user_id = Column(String(255), ForeignKey('account.id'), nullable=False)
+	account_id = Column(String(255), ForeignKey('account.id'), nullable=False)
 	nickname = Column(Text)
 	parent_conference = Column(String(255), ForeignKey('conference.id'), nullable=False)
 	roles = Column(postgresql.ARRAY(String(255)))
@@ -135,19 +135,10 @@ class Report(Base, CustomSerializerMixin):
 	__tablename__ = 'report'
 
 	id = Column('id', String(255), primary_key=True)
-	target = Column(String(255), ForeignKey('objects.id'), nullable=False)
+	target = Column(String(255), ForeignKey('objects.id', ondelete="CASCADE"), nullable=False)
 	note = Column(Text)
 	submission_date = Column(DateTime, nullable=False)
 
-# User
-class User(Base, SerializerMixin):
-	__tablename__ = "users"
-
-	account_id = Column(String(255), nullable=False, unique=True)
-	email = Column(String(255), primary_key=True)
-	username = Column(String(255), nullable=False, unique=True)
-	password = Column(Text, nullable=False)
-
 # Helper functions
 
 def object_type_to_model(object_type):
diff --git a/drywall/objects.py b/drywall/objects.py
index 8b736cf..62bc689 100644
--- a/drywall/objects.py
+++ b/drywall/objects.py
@@ -4,6 +4,7 @@
 object creation.
 Usage: import the file and define an object using one of the classes
 """
+from drywall.auth import username_valid
 from drywall import db
 from drywall import utils
 
@@ -28,7 +29,7 @@ def assign_id():
 	id = uuid.uuid4()
 	return str(id)
 
-def __validate_id_key(self, key, value):
+def _validate_id_key(self, key, value):
 	"""Shorthand function to validate ID keys."""
 	test_object = db.get_object_as_dict_by_id(value)
 	if not test_object:
@@ -36,7 +37,7 @@ def __validate_id_key(self, key, value):
 	elif self.id_key_types[key] != "any" and not test_object['object_type'] == self.id_key_types[key]:
 		raise TypeError("The object given in the key '" + key + "' does not have the correct object type. (is " + test_object['object_type'] + ", should be " + self.id_key_types[key] + ")")
 
-def __strip_invalid_keys(self, object_dict):
+def _strip_invalid_keys(self, object_dict):
 	"""
 	Takes an object dict, removes all invalid values and performs a few
 	checks.
@@ -52,10 +53,10 @@ def __strip_invalid_keys(self, object_dict):
 		if key in self.valid_keys:
 			# Validate ID keys
 			if self.key_types[key] == 'id':
-				__validate_id_key(self, key, value)
+				_validate_id_key(self, key, value)
 			elif self.key_types[key] == 'id_list':
 				for id_value in value:
-					__validate_id_key(self, key, id_value)
+					_validate_id_key(self, key, id_value)
 
 			# Validate unique keys
 			if self.unique_keys:
@@ -113,10 +114,10 @@ def init_object(self, object_dict, force_id=False, patch_dict=False, federated=F
 				found_key = e.args[0]
 				if found_key in current_object and patch_dict[found_key] != current_object[found_key]:
 					raise ValueError(e)
-		final_patch_dict = __strip_invalid_keys(self, patch_dict)
+		final_patch_dict = _strip_invalid_keys(self, patch_dict)
 
 	# Add all valid keys
-	clean_object_dict = __strip_invalid_keys(self, object_dict)
+	clean_object_dict = _strip_invalid_keys(self, object_dict)
 	final_dict = {**clean_object_dict, **init_dict}
 
 	# Add default keys if needed
@@ -318,6 +319,12 @@ class Account(Object):
 	nonrewritable_keys = ["username"]
 	unique_keys = ["username"]
 
+	def __init__(self, object_dict, force_id=False, patch_dict=False, federated=False):
+		__doc__ = Object.__doc__ # noqa: F841
+		super().__init__(object_dict, force_id=force_id, patch_dict=patch_dict, federated=federated)
+		if not username_valid(object_dict['username']):
+			raise KeyError("invalid username")
+
 class Channel(Object):
 	"""
 	Contains information about a channel.
@@ -394,11 +401,11 @@ class ConferenceMember(Object):
 	"""
 	type = 'object'
 	object_type = 'conference_member'
-	valid_keys = ["user_id", "nickname", "parent_conference", "roles", "permissions", "banned"]
-	required_keys = ["user_id", "permissions", "parent_conference"]
+	valid_keys = ["account_id", "nickname", "parent_conference", "roles", "permissions", "banned"]
+	required_keys = ["account_id", "permissions", "parent_conference"]
 	default_keys = {"banned": False, "roles": [], "permissions": "21101"}
-	key_types = {"user_id": "id", "nickname": "string", "parent_conference": "id", "roles": "id_list", "permissions": "permission_map", "banned": "boolean"}
-	id_key_types = {"user_id": "account", "roles": "role", "parent_conference": "conference"}
+	key_types = {"account_id": "id", "nickname": "string", "parent_conference": "id", "roles": "id_list", "permissions": "permission_map", "banned": "boolean"}
+	id_key_types = {"account_id": "account", "roles": "role", "parent_conference": "conference"}
 	nonrewritable_keys = []
 
 class Invite(Object):
diff --git a/drywall/templates/auth/oauth_authorize.html b/drywall/templates/auth/oauth_authorize.html
new file mode 100644
index 0000000..dfdcb70
--- /dev/null
+++ b/drywall/templates/auth/oauth_authorize.html
@@ -0,0 +1,29 @@
+{% extends 'base-auth.html' %}
+
+{% block header %}
+  <h1>{% block title %}authorize{% endblock %}</h1>
+{% endblock %}
+
+{% block icon %}robot{% endblock %}
+
+{% block content %}
+<p>The application <strong>{{grant.client.client_name}}</strong> is requesting:
+<strong>{{ grant.request.scope }}</strong>
+</p>
+
+	<p>(you are currently logged in as {{user.username}})</p>
+<form action="" method="post">
+  <label>
+    <input type="checkbox" name="confirm">
+    <span>Consent?</span>
+  </label>
+  {% if not user %}
+  <p>You haven't logged in. Log in with:</p>
+  <div>
+    <input type="text" name="username">
+  </div>
+  {% endif %}
+  <br>
+  <button>Submit</button>
+</form>
+{% endblock %}
diff --git a/drywall/templates/auth/oauth_code_uri.html b/drywall/templates/auth/oauth_code_uri.html
new file mode 100644
index 0000000..138e6f2
--- /dev/null
+++ b/drywall/templates/auth/oauth_code_uri.html
@@ -0,0 +1,12 @@
+{% extends 'base-auth.html' %}
+
+{% block header %}
+  <h1>{% block title %}success!{% endblock %}</h1>
+{% endblock %}
+
+{% block icon %}robot{% endblock %}
+
+{% block content %}
+<p>Log into your application using the following code:
+<Br><pre><code>{{code}}</code></pre></p>
+{% endblock %}
diff --git a/drywall/templates/settings/clients.html b/drywall/templates/settings/clients.html
index 520f002..b99d4f8 100644
--- a/drywall/templates/settings/clients.html
+++ b/drywall/templates/settings/clients.html
@@ -12,22 +12,22 @@ <h1>{% block title %}apps and clients{% endblock %}</h1>
 
 <h2>My apps</h2>
 <div id="my-apps">
-{% if user_apps %}
-	{% for app in user_apps %}
+{% if apps_owned %}
+	{% for app in apps_owned %}
 	<div class="app">
 		<h3>
-		{% if app['type'] == "bot" %}
+		{% if app['client_type'] == "bot" %}
 <i class="fas fa-robot" title="{{ app['name'] }} is a bot."></i>
-		{% elif app['type'] == "userapp" %}
+		{% elif app['client_type'] == "userapp" %}
 <i class="fas fa-code" title="{{ app['name'] }} is a user app."></i>
 		{% endif %}
-{{ app['name'] }}
+{{ app['client_metadata']['client_name'] }}
 		</h3>
 		<a class="button" style="float: right;" href="/settings/clients/{{ app['client_id'] }}"><i class="fas fa-pencil-alt" style="margin-right: 2px;"></i> Edit</a>
-		<div class="description" style="margin-bottom: 5px; line-height: 1.5em;">{{ app['description'] }}</div>
+		<div class="description" style="margin-bottom: 5px; line-height: 1.5em;">{{ app['client_metadata']['client_description'] }}</div>
 		<div style="font-size: 0.9em; color: #ddd;">Client ID: {{ app['client_id'] }}</div>
-		{% if app['type'] == "bot" %}
-		<div style="font-size: 0.9em; color: #ddd;">Account ID: {{ app['account_id'] }}</div>
+		{% if app['client_type'] == "bot" %}
+		<div style="font-size: 0.9em; color: #ddd;">Account ID: {{ app['bot_account_id'] }}</div>
 		{% endif %}
 		<div class="app-buttonbox"></div>
 	</div>
@@ -38,5 +38,25 @@ <h3>
 </div>
 
 <h2>Apps with access to my account</h2>
-<div>Nothing here!</div>
+{% if apps_with_access %}
+	{% for app in apps_with_access%}
+	<div class="app">
+		<h3>
+		{% if app['client_type'] == "bot" %}
+<i class="fas fa-robot" title="{{ app['name'] }} is a bot."></i>
+		{% elif app['client_type'] == "userapp" %}
+<i class="fas fa-code" title="{{ app['name'] }} is a user app."></i>
+		{% endif %}
+{{ app['client_metadata']['client_name'] }}
+		</h3>
+		<div class="description" style="margin-bottom: 5px; line-height: 1.5em;">{{ app['client_metadata']['client_description'] }}</div>
+		<div style="font-size: 0.9em; color: #ddd;">Client ID: {{ app['client_id'] }}</div>
+		{% if app['client_type'] == "bot" %}
+		<div style="font-size: 0.9em; color: #ddd;">Account ID: {{ app['bot_account_id'] }}</div>
+		{% endif %}
+	</div>
+	{% endfor %}
+{% else %}
+	<span>Nothing here!</span>
+{% endif %}
 {% endblock %}
diff --git a/drywall/templates/settings/clients_edit.html b/drywall/templates/settings/clients_edit.html
index 0c82e61..2071634 100644
--- a/drywall/templates/settings/clients_edit.html
+++ b/drywall/templates/settings/clients_edit.html
@@ -3,7 +3,7 @@
 {% block icon %}pencil-alt{% endblock %}
 
 {% block header %}
-<h1>{% block title %}editing "{{ app_dict['name'] }}"{% endblock %}</h1>
+<h1>{% block title %}editing "{{ app_dict['client_metadata']['client_name'] }}"{% endblock %}</h1>
 {% endblock %}
 
 {% block settings %}
@@ -11,9 +11,9 @@ <h1>{% block title %}editing "{{ app_dict['name'] }}"{% endblock %}</h1>
     <input type="submit" id="submit" class="button" value="submit">
 	<h2>App details</h2>
     <label for="name">name</label>
-    <input name="name" id="name" value="{{ app_dict['name'] }}" required>
+    <input name="name" id="name" value="{{app_dict['client_metadata']['client_name']}}" required>
     <label for="description">description</label>
-    <textarea name="description" id="description" required>{{ app_dict['description'] }}</textarea>
+    <textarea name="description" id="description" required>{{ app_dict['client_metadata']['client_description'] }}</textarea>
 	<h2>App type</h2>
 	<div class="typebox">
 		<div class="type" id="type-userapp">
@@ -147,7 +147,7 @@ <h3>Roles</h3>
 				break;
 		}
 	}
-	toggletype('{{ app_dict["type"] }}');
+	toggletype('{{ app_dict["client_type"] }}');
 </script>
 <style>
 .typebox { display: block; }
diff --git a/drywall/templates/settings/clients_remove.html b/drywall/templates/settings/clients_remove.html
index 8871b0f..de60cc3 100644
--- a/drywall/templates/settings/clients_remove.html
+++ b/drywall/templates/settings/clients_remove.html
@@ -3,11 +3,11 @@
 {% block icon %}laptop{% endblock %}
 
 {% block header %}
-<h1>{% block title %}removing "{{ app_dict['name'] }}"{% endblock %}</h1>
+<h1>{% block title %}removing "{{ app_dict["client_metadata"]["client_name"] }}"{% endblock %}</h1>
 {% endblock %}
 
 {% block settings %}
-<h2>Are you sure you want to remove the app "{{ app_dict["name"] }}"?</h2>
+<h2>Are you sure you want to remove the app "{{ app_dict["client_metadata"]["client_name"] }}"?</h2>
 <p style="margin: 2px 0;">This action is <b>irreversible</b>. Access to your app will automatically be revoked for all users.</p>
 <a class="button" style="float: left; max-width: max-content; margin-top: 10px;" href="/settings/clients/{{ app_dict["client_id"] }}"><i class="fas fa-chevron-left"></i> Cancel</a>
 <form method="post" style="display: inline;"><button style="background-color: #a40d0d; font-size: 1em; margin-top: 10px;" type="submit" id="submit" class="button"><i class="fas fa-trash"></i> Remove</button></form>
diff --git a/drywall/web.py b/drywall/web.py
index 51968f4..61adb89 100644
--- a/drywall/web.py
+++ b/drywall/web.py
@@ -1,57 +1,45 @@
 # encoding: utf-8
 """
-Contains endpoints for the backend's default pages, such as the about
-pages. Authentication pages are defined in the auth module.
+Contains endpoints for the backend's default pages, such as the about pages.
+
+For sign-up/log-in pages, see the auth submodule.
+For OAuth-related pages (/oauth/*), see the auth_oauth submodule.
+For user settings (/settings/*), see the web_settings submodule.
 """
 from drywall import app
-from drywall import auth
 from drywall import config
 from drywall import db
-from drywall import objects
-from drywall import utils
-
-from flask import flash, redirect, render_template, request, session, url_for
-from email_validator import validate_email, EmailNotValidError
+from drywall import web_settings # noqa: F401
 
-######################
-# Index, information #
-######################
+from flask import flash, redirect, render_template, url_for
 
-@app.route('/')
-def index_page():
-	"""Index page."""
+def _info_page(template):
+	"""Shorthand for info page initialization."""
 	instance = db.get_object_as_dict_by_id("0")
-	return render_template("index.html",
+	return render_template(template,
 	                       instance_name=instance["name"],
 	                       instance_description=instance["description"],
 	                       instance_domain=instance["address"])
 
+@app.route('/')
+def index_page():
+	"""Index page."""
+	return _info_page("index.html")
+
 @app.route('/about')
 def about_page():
 	"""About page."""
-	instance = db.get_object_as_dict_by_id("0")
-	return render_template("about/about.html",
-	                       instance_name=instance["name"],
-	                       instance_description=instance["description"],
-	                       instance_domain=instance["address"])
+	return _info_page("about/about.html")
 
 @app.route('/about/rules')
 def rules_page():
 	"""Rules page."""
-	instance = db.get_object_as_dict_by_id("0")
-	return render_template("about/rules.html",
-	                       instance_name=instance["name"],
-	                       instance_description=instance["description"],
-	                       instance_domain=instance["address"])
+	return _info_page("about/rules.html")
 
 @app.route('/about/tos')
 def tos_page():
 	"""ToS page."""
-	instance = db.get_object_as_dict_by_id("0")
-	return render_template("about/tos.html",
-	                       instance_name=instance["name"],
-	                       instance_description=instance["description"],
-	                       instance_domain=instance["address"])
+	return _info_page("about/tos.html")
 
 @app.route('/client')
 def client_page():
@@ -59,227 +47,4 @@ def client_page():
 	if config.get('client_page'):
 		return redirect(config.get('client_page'))
 	flash("Client has not been set up! You have been taken to the settings page.")
-	return redirect(url_for('settings_page'))
-
-#################
-# User settings #
-#################
-
-@app.route('/settings')
-def settings_page():
-	"""Settings page."""
-	if "user_id" in session:
-		return redirect(url_for('settings_account'))
-	return redirect(url_for('auth_login'))
-
-@app.route('/settings/account', methods=["GET", "POST"])
-def settings_account():
-	"""Account settings."""
-	if "user_id" not in session:
-		return redirect(url_for('auth_login'))
-	if request.method == "POST":
-		session["user_dict"] = db.get_object_as_dict_by_id(session["user_id"])
-		request_form = dict(request.form)
-		account_dict = db.get_object_as_dict_by_id(session['user_id']).copy()
-		user_dict = db.get_user_by_email(account_dict['email']).copy()
-		username = request_form['username']
-		try:
-			email = validate_email(request_form['email']).email
-		except EmailNotValidError as e:
-			flash(str(e))
-		old_email = account_dict['email']
-		if account_dict['username'] != username:
-			account_dict['username'] = username,
-			# Weird bug: during testing, the username set itself to "('USERNAME',)"
-			# no matter what I did. The following line avoids this, and hopefully
-			# won't cause any trouble in the future.
-			account_dict['username'] = tuple(account_dict['username'])[0]
-			user_dict['username'] = account_dict['username']
-		if account_dict['email'] != email:
-			account_dict['email'] = email
-			user_dict['email'] = email
-		try:
-			db.push_object(session['user_id'], objects.make_object_from_dict(account_dict, extend=session['user_id']))
-			db.update_user(old_email, user_dict)
-		except (KeyError, ValueError, TypeError) as e:
-			flash(str(e))
-		session["user_dict"] = db.get_object_as_dict_by_id(session["user_id"])
-		return redirect(url_for('settings_account'))
-	instance = db.get_object_as_dict_by_id("0")
-	session["user_dict"] = db.get_object_as_dict_by_id(session["user_id"])
-	if not db.get_object_as_dict_by_id(session["user_id"]):
-		return redirect(url_for('auth_logout'))
-	user_dict = session['user_dict']
-	return render_template("settings/account.html",
-	                       user_dict=user_dict,
-	                       user_name=user_dict["username"],
-	                       user_email=user_dict["email"],
-	                       instance_name=instance["name"],
-	                       instance_description=instance["description"],
-	                       instance_domain=instance["address"],
-	                       settings_subpage=False,
-	                       settings_category="account")
-
-scopebox_scopes = {"account-read": "account:read", # noqa: E305
-    "account-write": "account:write",
-    "conference-read": "conference:read",
-    "conference-moderate": "conference:moderate",
-    "channel-read": "channel:read",
-    "channel-write": "channel:write",
-    "channel-moderate": "channel:moderate",
-    "message-write": "message:write",
-    "message-moderate": "message:moderate",
-    "invite-create": "invite:create",
-    "conference-member-write-nick": "conference_member:write_nick",
-    "conference-member-moderate-nick": "conference_member:moderate_nick",
-    "conference-member-kick": "conference_member:kick",
-    "conference-member-ban": "conference_member:ban",
-    "role-moderate": "role-moderate"}
-
-def web_scopebox_to_scopes(form_dict, cleanup_form_dict=False):
-	"""Turns a scopebox's output from a web form to a valid scopes value."""
-	scopes = {}
-	if cleanup_form_dict:
-		ret_form_dict = form_dict.copy()
-	for scope, proper_scope in scopebox_scopes.items():
-		if scope in form_dict and form_dict[scope] == 'on':
-			scopes[proper_scope] = True
-			if cleanup_form_dict:
-				del ret_form_dict[scope]
-	if cleanup_form_dict:
-		return (scopes, ret_form_dict)
-	else:
-		return scopes
-
-@app.route('/settings/clients', methods=["GET", "POST"])
-def settings_clients():
-	"""OAuth client settings."""
-	if "user_id" not in session:
-		return redirect(url_for('auth_login'))
-	instance = db.get_object_as_dict_by_id("0")
-	session["user_dict"] = db.get_object_as_dict_by_id(session["user_id"])
-	if not db.get_object_as_dict_by_id(session["user_id"]):
-		return redirect(url_for('auth_logout'))
-	user_dict = session['user_dict']
-	return render_template("settings/clients.html",
-	                       user_dict=user_dict,
-	                       user_name=user_dict["username"],
-	                       user_email=user_dict["email"],
-	                       user_apps=db.get_clients_for_user(user_dict['id'], 'owner'),
-	                       instance_name=instance["name"],
-	                       instance_description=instance["description"],
-	                       instance_domain=instance["address"],
-	                       settings_subpage=False,
-	                       settings_category="clients")
-
-@app.route('/settings/clients/new', methods=["GET", "POST"])
-def settings_clients_new():
-	"""New app creation."""
-	if "user_id" not in session:
-		return redirect(url_for('auth_login'))
-	instance = db.get_object_as_dict_by_id("0")
-	session["user_dict"] = db.get_object_as_dict_by_id(session["user_id"])
-	if not db.get_object_as_dict_by_id(session["user_id"]):
-		return redirect(url_for('auth_logout'))
-	user_dict = session['user_dict']
-	if len(db.get_clients_for_user(user_dict['id'], 'owner')) >= 25:
-		flash("Maximum amount of apps (25) has been reached. Remove unused apps and try again.")
-		return redirect(url_for('settings_clients'))
-	if request.method == "POST":
-		client_dict_info = web_scopebox_to_scopes(dict(request.form), cleanup_form_dict=True)
-		client_dict = client_dict_info[1]
-		client_dict["scopes"] = client_dict_info[0]
-		client_dict["owner"] = session["user_id"]
-		auth.create_client(client_dict)
-		return redirect(url_for('settings_clients'))
-	return render_template("settings/clients_new.html",
-	                       user_dict=user_dict,
-	                       user_name=user_dict["username"],
-	                       user_email=user_dict["email"],
-	                       instance_name=instance["name"],
-	                       instance_description=instance["description"],
-	                       instance_domain=instance["address"],
-	                       settings_subpage=True,
-	                       settings_category="clients")
-
-@app.route('/settings/clients/<client_id>', methods=["GET", "POST"])
-def settings_clients_edit(client_id):
-	"""App editing."""
-	if "user_id" not in session:
-		return redirect(url_for('auth_login'))
-	if client_id == "":
-		return redirect(url_for('settings_clients'))
-	user_dict = session['user_dict']
-	user_apps = db.get_clients_for_user(user_dict['id'], 'owner')
-	app_dict = None
-	for oauth_app in user_apps:
-		if oauth_app["client_id"] == client_id:
-			app_dict = oauth_app
-			break
-	if not app_dict:
-		return render_template("settings/clients_404.html"), 404
-	app_scopes = app_dict["scopes"].copy()
-	app_scopes = utils.replace_values_in_dict_by_value({"True": "checked"}, app_scopes)
-	app_scopes = utils.fill_dict_with_dummy_values(scopebox_scopes.values(), app_scopes, dummy="")
-	if request.method == "POST":
-		client_dict_info = web_scopebox_to_scopes(dict(request.form), cleanup_form_dict=True)
-		client_dict = client_dict_info[1]
-		client_dict["type"] = app_dict["type"]
-		client_dict["scopes"] = client_dict_info[0]
-		client_dict["owner"] = app_dict["owner"]
-		if client_dict["type"] == "bot":
-			client_dict["account_id"] = app_dict["account_id"]
-		client_dict["client_id"] = app_dict["client_id"]
-		client_dict["client_secret"] = app_dict["client_secret"]
-		auth.edit_client(app_dict["client_id"], client_dict)
-		return redirect('/settings/clients')
-	instance = db.get_object_as_dict_by_id("0")
-	session["user_dict"] = db.get_object_as_dict_by_id(session["user_id"])
-	if not db.get_object_as_dict_by_id(session["user_id"]):
-		return redirect(url_for('auth_logout'))
-	return render_template("settings/clients_edit.html",
-	                       user_dict=user_dict,
-	                       user_name=user_dict["username"],
-	                       user_email=user_dict["email"],
-	                       app_dict=app_dict,
-	                       app_scopes=app_scopes,
-	                       instance_name=instance["name"],
-	                       instance_description=instance["description"],
-	                       instance_domain=instance["address"],
-	                       settings_subpage=True,
-	                       settings_category="clients")
-
-@app.route('/settings/clients/<client_id>/remove', methods=["GET", "POST"])
-def settings_clients_edit_remove(client_id):
-	"""App removal (not to be confused with revoking)."""
-	if "user_id" not in session:
-		return redirect(url_for('auth_login'))
-	if client_id == "":
-		return redirect(url_for('settings_clients'))
-	user_dict = session['user_dict']
-	user_apps = db.get_clients_for_user(user_dict['id'], 'owner')
-	app_dict = None
-	for oauth_app in user_apps:
-		if oauth_app["client_id"] == client_id:
-			app_dict = oauth_app
-			break
-	if not app_dict:
-		return render_template("settings/clients_404.html"), 404
-	if request.method == "POST":
-		db.remove_client(app_dict["client_id"])
-		flash("Removed " + app_dict["name"] + ".")
-		return redirect('/settings/clients')
-	instance = db.get_object_as_dict_by_id("0")
-	session["user_dict"] = db.get_object_as_dict_by_id(session["user_id"])
-	if not db.get_object_as_dict_by_id(session["user_id"]):
-		return redirect(url_for('auth_logout'))
-	return render_template("settings/clients_remove.html",
-	                       user_dict=user_dict,
-	                       user_name=user_dict["username"],
-	                       user_email=user_dict["email"],
-	                       app_dict=app_dict,
-	                       instance_name=instance["name"],
-	                       instance_description=instance["description"],
-	                       instance_domain=instance["address"],
-	                       settings_subpage=True,
-	                       settings_category="clients")
+	return redirect(url_for('settings_redirect'))
diff --git a/drywall/web_settings.py b/drywall/web_settings.py
new file mode 100644
index 0000000..9b671ad
--- /dev/null
+++ b/drywall/web_settings.py
@@ -0,0 +1,194 @@
+# coding: utf-8
+"""
+Contains the endpoints for user account settings.
+
+For sign-up/log-in pages, see the auth submodule.
+For OAuth-related pages (/oauth/*), see the auth_oauth submodule.
+For information pages (/about/*), see the web submodule.
+"""
+from drywall import app
+from drywall import auth
+from drywall import auth_oauth
+from drywall import auth_models
+from drywall import config
+from drywall import db
+from drywall import utils
+
+from flask import flash, redirect, render_template, request, session, url_for
+
+# Helper functions
+
+def _settings_sanity_checks():
+	"""Sanity checks for settings pages."""
+	# If not logged in, send to log-in page
+	if "user_id" not in session:
+		return redirect(url_for('auth_login'))
+
+	# Log out user in case the user's account has been deleted
+	session["account_dict"] = db.get_object_as_dict_by_id(session["account_id"])
+	if not session["account_dict"]:
+		return redirect(url_for('auth_logout'))
+
+	return False
+
+def _settings_render(template, category, is_subpage=False, **kwargs):
+	"""Template for rendering simple settings pages."""
+	instance = db.get_object_as_dict_by_id("0")
+	user_dict = session['account_dict']
+	return render_template(template,
+	                       user_dict=user_dict,
+	                       user_name=user_dict["username"],
+	                       user_email=user_dict["email"],
+	                       instance_name=instance["name"],
+	                       instance_description=instance["description"],
+	                       instance_domain=instance["address"],
+	                       settings_subpage=is_subpage,
+	                       settings_category=category,
+						   **kwargs)
+
+scopebox_scopes = {"account-read": "account:read", # noqa: E305
+    "account-write": "account:write",
+    "conference-read": "conference:read",
+    "conference-moderate": "conference:moderate",
+    "channel-read": "channel:read",
+    "channel-write": "channel:write",
+    "channel-moderate": "channel:moderate",
+    "message-write": "message:write",
+    "message-moderate": "message:moderate",
+    "invite-create": "invite:create",
+    "conference-member-write-nick": "conference_member:write_nick",
+    "conference-member-moderate-nick": "conference_member:moderate_nick",
+    "conference-member-kick": "conference_member:kick",
+    "conference-member-ban": "conference_member:ban",
+    "role-moderate": "role-moderate"}
+
+def web_scopebox_to_scopes(form_dict, cleanup_form_dict=False):
+	"""Turns a scopebox's output from a web form to a valid scopes value."""
+	scopes = {}
+	if cleanup_form_dict:
+		ret_form_dict = form_dict.copy()
+	for scope, proper_scope in scopebox_scopes.items():
+		if scope in form_dict and form_dict[scope] == 'on':
+			scopes[proper_scope] = True
+			if cleanup_form_dict:
+				del ret_form_dict[scope]
+	if cleanup_form_dict:
+		return (scopes, ret_form_dict)
+	else:
+		return scopes
+
+# Account settings
+
+@app.route('/settings')
+def settings_redirect():
+	"""Settings page."""
+	if "user_id" in session:
+		return redirect(url_for('settings_account'))
+	return redirect(url_for('auth_login'))
+
+@app.route('/settings/account', methods=["GET", "POST"])
+def settings_account():
+	"""Account settings."""
+	_sanity_check = _settings_sanity_checks()
+	if _sanity_check:
+		return _sanity_check
+
+	if request.method == "POST":
+		session["account_dict"] = db.get_object_as_dict_by_id(session["account_id"])
+		edit_dict = dict(request.form)
+		edit_dict['account_id'] = session["account_id"]
+		try:
+			auth.edit_user(session["user_id"], edit_dict)
+		except (KeyError, ValueError, TypeError) as e:
+			flash(str(e))
+		session["account_dict"] = db.get_object_as_dict_by_id(session["account_id"])
+		return redirect(url_for('settings_account'))
+
+	return _settings_render("settings/account.html", "account")
+
+# Client settings
+
+@app.route('/settings/clients', methods=["GET", "POST"])
+def settings_clients():
+	"""OAuth client settings."""
+	_sanity_check = _settings_sanity_checks()
+	if _sanity_check:
+		return _sanity_check
+	return _settings_render("settings/clients.html", "clients",
+							apps_owned=auth_oauth.get_clients_owned_by_user(session["user_id"]))
+
+@app.route('/settings/clients/new', methods=["GET", "POST"])
+def settings_clients_new():
+	"""New app creation."""
+	_sanity_check = _settings_sanity_checks()
+	if _sanity_check:
+		return _sanity_check
+
+	if len(auth_oauth.get_clients_owned_by_user(session['user_id'])) >= 25:
+		flash("Maximum amount of apps (25) has been reached. Remove unused apps and try again.")
+		return redirect(url_for('settings_clients'))
+
+	if request.method == "POST":
+		# Prepare a client dict with all the information from the provided form
+		client_dict_info = web_scopebox_to_scopes(dict(request.form), cleanup_form_dict=True)
+		client_dict = client_dict_info[1]
+		client_dict["scopes"] = list(client_dict_info[0].keys())
+		client_dict["owner_id"] = session["user_id"]
+		client_dict["owner_account_id"] = session["account_id"]
+		client_dict["uri"] = 'https://' + config.get('instance_domain') + '/oauth/authorize/success'
+
+		# Attempt to create a client
+		try:
+			auth_oauth.create_client(client_dict)
+		except ValueError as e:
+			flash(str(e))
+			return redirect(url_for('settings_clients_new'))
+
+		# Once done, return to client settings
+		return redirect(url_for('settings_clients'))
+
+	return _settings_render("settings/clients_new.html", "clients", is_subpage=True)
+
+@app.route('/settings/clients/<client_id>', methods=["GET", "POST"])
+def settings_clients_edit(client_id):
+	"""App editing."""
+	_sanity_check = _settings_sanity_checks()
+	if _sanity_check:
+		return _sanity_check
+
+	app_dict = auth_oauth.get_client_if_owned_by_user(session['user_id'], client_id)
+	if not app_dict:
+		return render_template("settings/clients_404.html"), 404
+
+	_app_scopes = auth_models.scope_to_list(app_dict['client_metadata']["scope"])
+	app_scopes = {}
+	for scope in _app_scopes:
+		app_scopes[scope] = "checked"
+
+	if request.method == "POST":
+		client_dict_info = web_scopebox_to_scopes(dict(request.form), cleanup_form_dict=True)
+		client_dict = client_dict_info[1]
+		client_dict["scopes"] = list(client_dict_info[0].keys())
+		auth_oauth.edit_client(app_dict["client_id"], client_dict)
+		return redirect('/settings/clients')
+
+	return _settings_render("settings/clients_edit.html", "clients", is_subpage=True,
+							app_dict=app_dict, app_scopes=app_scopes)
+
+@app.route('/settings/clients/<client_id>/remove', methods=["GET", "POST"])
+def settings_clients_edit_remove(client_id):
+	"""App removal (not to be confused with revoking)."""
+	_sanity_check = _settings_sanity_checks()
+	if _sanity_check:
+		return _sanity_check
+
+	app_dict = auth_oauth.get_client_if_owned_by_user(session['user_id'], client_id)
+	if not app_dict:
+		return render_template("settings/clients_404.html"), 404
+
+	if request.method == "POST":
+		auth_oauth.remove_client(app_dict['client_id'])
+		flash("Removed " + app_dict['client_metadata']["client_name"] + ".")
+		return redirect('/settings/clients')
+
+	return _settings_render("settings/clients_remove.html", "clients", is_subpage=True, app_dict=app_dict)
diff --git a/requirements.txt b/requirements.txt
index 20a6c1a..c9bdcca 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,6 +1,7 @@
-flask
+authlib
 email-validator
+flask
+psycopg2-binary
 simplejson
-SQLAlchemy
+SQLAlchemy>=1.4.0
 SQLAlchemy-serializer
-psycopg2-binary
diff --git a/run.sh b/run.sh
index ec36667..a4458a8 100755
--- a/run.sh
+++ b/run.sh
@@ -2,4 +2,5 @@
 # Minimal startup script for drywall
 export FLASK_ENV=development
 export FLASK_APP=drywall.api
+export AUTHLIB_INSECURE_TRANSPORT=true
 flask run
diff --git a/tests/test_api.py b/tests/test_api.py
index 4eece87..fbf952f 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -1,10 +1,8 @@
 #!/usr/bin/env python3
 # coding: utf-8
 """
-Tests for the API.
-Huge TODO: clean this up, maybe? There's plenty of room for optimization, but
-speed isn't too important here since these are only tests, and they never take
-more than about a second. The code has loads of repetitions, though...
+Tests for the API portions of the code.
+For authentication pages, see tests/test_auth.py.
 """
 import pytest
 
@@ -13,326 +11,602 @@
 import drywall.objects
 from test_objects import generate_objects
 
+#
+# Helper functions and structures
+#
+
 @pytest.fixture
 def client():
     drywall.app.config['TESTING'] = True
     with drywall.app.test_client() as client:
         yield client
 
+class PregeneratedObjects:
+	"""Contains pregenerated objects and their IDs."""
+	pregenerated_objects = generate_objects()
+	dicts = pregenerated_objects[0]
+	ids = pregenerated_objects[1]
+	db_dicts = pregenerated_objects[2]
+
 class PostedObjectDicts:
 	"""
 	Contains posted object dicts for testing DELETE endpoints
 	"""
 	items = {}
 
-def endpoint_test(client, method, endpoint, data=None, object_type=None,
-                  ignore_data=False, ignore_object_type=False, response_code=None,
-                  use_post_values=None):
+def _posted_id(object_type):
 	"""
-	Performs some basic tests on the given endpoint.
+	Returns the object ID for an object with the provided object type from
+	posted objects.
+	"""
+	return PostedObjectDicts.items[object_type]['id']
 
-	Arguments:
-	  - client (required) - provided by the client pytest fixture
-	  - method (required) - HTTP method to use on the endpoint
-	  - endpoint (required) - endpoint
-	  - data - Data to provide, in case of a POST/PATCH method
-	  - object_type - Dictionary with object types for each placeholder
-	  - ignore_data - Ignore data, for POST requests that do not require data
-	  - ignore_object_type - Endpoint is not object-type sensitive
-	  - response_code - Alternative response code
-	  - use_post_values - Whether to use objects created by POST tests or
-	                      pregenerated ones
-
-	FOR DEVELOPERS: if adding a feature that copies data to another var, please
-	use data.copy() instead of just data, because just using data will not copy
-	it and instead manipulate whatever's provided in data manually (which can
-	be something from PregeneratedObjects, in which case you'll break all other
-	tests)
+def _posted_dict(object_type):
+	"""
+	Returns the object dict for an object with the provided object type from
+	posted objects.
+	"""
+	return PostedObjectDicts.items[object_type]
+
+def _pregenerated_id(object_type):
+	"""
+	Returns the object ID for an object with the provided object type from
+	pregenerated objects.
+	"""
+	return PregeneratedObjects.ids[object_type]
+
+def _pregenerated_dict(object_type):
+	"""
+	Returns the object dict for an object with the provided object type from
+	pregenerated objects.
+
+	Note that this will return the item as it appears in the database,
+	so it MUST NOT be used for POST requests - it should be used in GET
+	requests instead. For the original generated dict see
+	_pregenerated_example_dict.
+
+	This distinction is important because generated objects in the database
+	have values of unique keys changed from the ones that were generated
+	initially.
+	"""
+	return PregeneratedObjects.db_dicts[object_type]
+
+def _pregenerated_example_dict(object_type):
+	"""
+	Returns the example object dict for an object with the provided object type
+	from pregenerated objects.
+
+	Note that this will return the item as it was originally generated, and
+	should only be used for POST requests; for the dict of the object as it
+	appears in the database, see _pregenerated_dict.
+
+	This distinction is important because generated objects in the database
+	have values of unique keys changed from the ones that were generated
+	initially.
+	"""
+	return PregeneratedObjects.dicts[object_type]
+
+#
+# Endpoint helper functions
+#
+
+def _fill_placeholder_in_endpoint(endpoint, object_type_dict, use_posted=False):
 	"""
-	# Set value for use_post_values
-	if not use_post_values:
-		if method == "POST":
-			use_post_values = False
+	Fills the placeholder in the endpoint automatically.
+
+	Returns the filled endpoint.
+	"""
+	placeholder = None
+	object_type = None
+	if object_type_dict:
+		placeholder = list(object_type_dict.keys())[0]
+		object_type = list(object_type_dict.values())[0]
+
+	# Get target ID
+	if use_posted:
+		if object_type:
+			target_id = _posted_id(object_type)
 		else:
-			use_post_values = True
-	# Set default response code
-	if not response_code:
-		if method == "POST":
-			response_code = "201 CREATED"
+			target_id = _posted_id('message')
+	else:
+		if object_type:
+			target_id = _pregenerated_id(object_type)
 		else:
-			response_code = "200 OK"
-
-	# Set default action - client.get, client.post, client.patch, client.delete
-	if method == "GET":
-		action = client.get
-	elif method == "PATCH":
-		if not data:
-			raise KeyError("No data provided")
-		action = client.patch
-	elif method == "POST":
-		if not data and not ignore_data:
-			raise KeyError("No data provided")
-		action = client.post
-	elif method == "DELETE":
-		action = client.delete
+			# Some endpoints, like '/api/v1/id/<id>', can take any object type.
+			# In this case, get a random object to fill it in; we leave the
+			# provided object_type variable set to None, as it affects the
+			# behavior of _endpoint_sanity_checks later on.
+			target_id = _pregenerated_id('message')
+
+	# Fill in placeholder
+	if placeholder:
+		if object_type:
+			_endpoint = endpoint.replace(placeholder, target_id)
+		else:
+			_endpoint = endpoint.replace(placeholder, target_id)
 	else:
-		raise TypeError("Incorrect method (note methods MUST be all-caps)")
+		_endpoint = endpoint
+
+	return _endpoint
 
-	print("  * Testing " + method + " " + endpoint)
+def _endpoint_sanity_checks(_endpoint, method, action, object_type_dict=None):
+	"""
+	Performs basic checks applicable to every endpoint.
 
-	if data and object_type and len(list(object_type.keys())) == 2:
-		if 'parent_conference' in data:
-			data['parent_conference'] = PostedObjectDicts.items['conference']['id']
-		elif list(object_type.values())[-1] == "invite":
-			data['conference_id'] = PostedObjectDicts.items['conference']['id']
+	Arguments:
+	  - endpoint (required) - the endpoint to test
+	  - method (required) - GET/POST/PATCH/DELETE; must match action
+	  - action (required) - flask_client.get/post/patch/delete
+	  - object_type_dict - the object type to test, as a dict with a key-value
+	                       pair representing the endpoint placeholder and
+	                       object type, or in the case of POST endpoints just
+	                       the object_type
+	"""
+	placeholder = None
+	object_type = None
+	if object_type_dict:
+		placeholder = list(object_type_dict.keys())[0]
+		object_type = list(object_type_dict.values())[0]
 
-	# Go over object types and fill in the placeholders in the endpoint
-	# The object_type variable is a dict containing pairs of placeholder strings
-	# and object types to be assigned to them. POST requests set the placeholder
-	# to None for the object they're sending.
-	object_types = list()
+	# Try nonexistent ID (should return 404)
+	if placeholder:
+		print("       -> Fake ID test")
+		missing_endpoint = _endpoint.replace(placeholder, 'fakeid')
+		assert action(missing_endpoint).status == "404 NOT FOUND"
+
+	# Try object with wrong object type (should return 400)
 	if object_type:
-		original_endpoint = endpoint
-		if use_post_values:
-			for object in object_type.items():
-				if object[1] in PostedObjectDicts.items:
-					if len(list(object_type.keys())) == 2:
-						if 'parent_conference' in PostedObjectDicts.items[object[1]]:
-							PostedObjectDicts.items[object[1]]['parent_conference'] = PostedObjectDicts.items['conference']['id']
-						elif object[1] == "invite":
-							PostedObjectDicts.items[object[1]]['conference_id'] = PostedObjectDicts.items['conference']['id']
-					object_types.append(PostedObjectDicts.items[object[1]])
-					endpoint = endpoint.replace(object[0], PostedObjectDicts.items[object[1]]['id'])
-				else:
-					print("    ! WARN: using PregeneratedObjects as fallback")
-					object_types.append(PregeneratedObjects.dicts[object[1]])
-					if object[0]:
-						endpoint = endpoint.replace(object[0], PregeneratedObjects.ids[object[1]])
-			print("    -> " + endpoint)
+		print("       -> Wrong object type test")
+		if placeholder:
+			if object_type == 'message':
+				wrong_endpoint = _endpoint.replace(placeholder, _pregenerated_id('channel'))
+			else:
+				wrong_endpoint = _endpoint.replace(placeholder, _pregenerated_id('message'))
+		else:
+			wrong_endpoint = _endpoint
+		if method == 'POST' or method == 'PATCH':
+			if object_type == 'message':
+				wrong_object = _pregenerated_dict('channel')
+			else:
+				wrong_object = _pregenerated_dict('message')
+			assert action(wrong_endpoint, json=wrong_object).\
+					status == "400 BAD REQUEST"
+		else:
+			assert action(wrong_endpoint).status == "400 BAD REQUEST"
+
+#
+# General test shorthands
+#
+
+def endpoint_get(flask_client, endpoint, object_type=None, use_posted=False):
+	"""
+	Performs tests on a GET endpoint.
+
+	Arguments:
+	  - flask_client (required) - provided by the client pytest fixture
+	  - endpoint (required) - the endpoint to test
+	  - object_type - dict containing one key and value: the key is the
+	                  placeholder string, the value is the object type.
+	                  If the endpoint accepts any object type, the object
+	                  type must be set to None.
+	  - use_posted - whether to use a posted object or a pregenerated one.
+	"""
+	print("  * Testing: GET " + endpoint)
+
+	get = flask_client.get
+
+	# Fill in placeholder
+	original_endpoint = endpoint
+	endpoint = _fill_placeholder_in_endpoint(original_endpoint, object_type,
+											use_posted=use_posted)
+
+	# Get the object dict that should be returned
+	_object_type = list(object_type.values())[0]
+	if use_posted:
+		if _object_type:
+			expected_object_dict = _posted_dict(_object_type)
 		else:
-			for object in object_type.items():
-				object_types.append(PregeneratedObjects.dicts[object[1]])
-				if object[0]:
-					endpoint = endpoint.replace(object[0], PregeneratedObjects.ids[object[1]])
-			print("    -> " + endpoint)
-
-	# Perform the API endpoint call
-	if data and not ignore_data:
-		action_result = action(endpoint, json=data)
+			expected_object_dict = _posted_dict('message')
 	else:
-		action_result = action(endpoint)
+		if _object_type:
+			expected_object_dict = _pregenerated_dict(_object_type)
+		else:
+			expected_object_dict = _pregenerated_dict('message')
 
-	# Test the results
-	action_result_json = action_result.get_json()
+	# First, test the endpoint in question:
+	result = get(endpoint)
 	try:
-		assert action_result.status == response_code
+		assert result.status == "200 OK"
+		assert result.json == expected_object_dict
 	except AssertionError as e:
-		print("    !!! " + method + " " + endpoint + " failed!")
-		if data:
-			print("    - Data:\n  " + str(data))
-		print("    - Result:\n  " + str(action_result_json))
+		print("Filled endpoint: " + endpoint)
+		print("Data:\n" + str(result.json))
 		raise e
 
-	if method == "GET" and object_type:
-		if action_result_json['object_type'] in PostedObjectDicts.items.keys():
-			assert action_result_json == PostedObjectDicts.items[action_result_json['object_type']]
-		else:
-			assert action_result_json == object_types[-1]
-	if method == "POST" and data and not ignore_data and "id" in data:
-		date_keys = []
-		object_class = drywall.objects.get_object_class_by_type(data['object_type'])
-		if 'datetime' in object_class.key_types.values():
-			for key, value in object_class.key_types.items():
-				if value == 'datetime':
-					date_keys.append(key)
-		assert action_result_json['id'] != data['id']
-		safe_data = data.copy()
-		safe_data['id'] = action_result_json.get('id')
-		if date_keys:
-			for key in date_keys:
-				if key in safe_data:
-					assert action_result_json[key] != data[key]
-					safe_data[key] = action_result_json[key]
-		assert action_result_json == safe_data
-		PostedObjectDicts.items[action_result_json['object_type']] = action_result_json
-	if method == "PATCH":
-		assert action_result_json != data
-		if object_type:
-			assert action_result_json != object_types[-1]
-			for key in data.keys():
-				assert action_result_json[key] == data[key]
-	if method == "DELETE":
-		assert client.get('/api/v1/id/' + action_result_json['id']).status == "404 NOT FOUND"
-	if data and not ignore_data:
-		action_no_data = action(endpoint)
-		assert action_no_data.status == "400 BAD REQUEST"
-
-	# Try fake ID
-	if method == "GET" or method == "PATCH" or method == "DELETE":
+	# Then, perform the usual checks, such as 404, wrong object type, etc.
+	_endpoint_sanity_checks(original_endpoint, 'GET', get, object_type)
+
+def endpoint_post(flask_client, endpoint, object_type=None, data=None,
+					posts_object=True):
+	"""
+	Performs tests on a POST endpoint.
+
+	Arguments:
+	  - flask_client (required) - provided by the client pytest fixture
+	  - endpoint (required) - the endpoint to test
+	  - object_type - object type to test; None if the endpoint accepts
+	                  any object type
+	  - data - the data to send in the request
+	  - posts_object - whether the resulting object should be added
+	                   to PostedObjectDicts
+	"""
+	print("  * Testing: POST " + endpoint)
+
+	post = flask_client.post
+
+	if not data:
 		if object_type:
-			object_types = list()
-			endpoint = original_endpoint
-			for object in object_type.items():
-				object_types.append(PregeneratedObjects.dicts[object[1]])
-				if object[0]:
-					endpoint = endpoint.replace(object[0], 'fakeid')
-			if not endpoint == original_endpoint:
-				print("       -> Fake ID test: " + endpoint)
-				action_result = action(endpoint, json=data)
-				assert action_result.status == "404 NOT FOUND"
-
-	# Try wrong object type
-	if object_type and not ignore_object_type and list(object_type.keys())[0] == list(object_type.keys())[-1]:
-		correct_object_type = list(object_type.values())[0]
-		if correct_object_type == "message":
-			wrong_type = "channel"
+			data = _pregenerated_example_dict(object_type)
+		else:
+			data = _pregenerated_example_dict('message')
+
+	result = post(endpoint, json=data)
+	try:
+		assert result.status == "201 CREATED"
+		assert result.json['id'] != data['id']
+	except AssertionError as e:
+		print("Filled endpoint: " + endpoint)
+		print("Returned data:\n" + str(result.json))
+		raise e
+
+	if posts_object:
+		PostedObjectDicts.items[result.json['object_type']] = result.json
+
+	# Then, perform the usual checks, such as 404, wrong object type, etc.
+	_endpoint_sanity_checks(endpoint, 'POST', post, {None: object_type})
+
+def endpoint_patch(flask_client, endpoint, object_type=None, data=None):
+	"""
+	Performs tests on a PATCH endpoint.
+
+	Arguments:
+	  - flask_client (required) - provided by the client pytest fixture
+	  - endpoint (required) - the endpoint to test
+	  - object_type - dict containing one key and value: the key is the
+	                  placeholder string, the value is the object type.
+	                  If the endpoint accepts any object type, the object
+	                  type must be set to None.
+	  - data - the data to send in the request
+	"""
+	print("  * Testing: PATCH " + endpoint)
+
+	_object_type = list(object_type.values())[0]
+	if _object_type:
+		original_object_dict = _posted_dict(_object_type)
+	else:
+		original_object_dict = _posted_dict('message')
+
+	# Fill in placeholder
+	original_endpoint = endpoint
+	endpoint = _fill_placeholder_in_endpoint(original_endpoint, object_type,
+											use_posted=True)
+
+	patch = flask_client.patch
+
+	if not data:
+		data = {}
+
+	try:
+		result = patch(endpoint, json=data)
+		assert result.status == "200 OK"
+		assert result.json['id'] == original_object_dict['id']
+		assert result.json != original_object_dict
+		for key in data.keys():
+			assert result.json[key] == data[key]
+	except AssertionError as e:
+		print("Filled endpoint: " + endpoint)
+		print("Returned data:\n" + str(result.json))
+		raise e
+
+	# Then, perform the usual checks, such as 404, wrong object type, etc.
+	_endpoint_sanity_checks(original_endpoint, 'PATCH', patch, object_type)
+
+def endpoint_report(flask_client, endpoint, object_type):
+	"""
+	Performs tests on a report endpoint.
+
+	Arguments:
+	  - flask_client (required) - provided by the client pytest fixture
+	  - endpoint (required) - the endpoint to test
+	  - object_type - dict containing one key and value: the key is the
+	                  placeholder string, the value is the object type.
+	                  If the endpoint accepts any object type, the object
+	                  type must be set to None.
+	"""
+	print("  * Testing: (REPORT) POST " + endpoint)
+
+	report = flask_client.post
+
+	# Fill in placeholder
+	original_endpoint = endpoint
+	endpoint = _fill_placeholder_in_endpoint(original_endpoint, object_type,
+											use_posted=True)
+
+	# Get report dict
+	data = _pregenerated_dict('report')
+
+	# Perform the action
+	result = report(endpoint, json=data)
+	try:
+		assert result.status == "201 CREATED"
+		assert result.json['id'] != data['id']
+		assert result.json['object_type'] == 'report'
+	except AssertionError as e:
+		print("Filled endpoint: " + endpoint)
+		print("Returned data:\n" + str(result.json))
+		raise e
+
+	# Then, perform the usual checks, such as 404, wrong object type, etc.
+	_endpoint_sanity_checks(original_endpoint, 'POST', report, object_type)
+
+def endpoint_delete(flask_client, endpoint, object_type=None):
+	"""
+	Performs tests on a DELETE endpoint.
+
+	Arguments:
+	  - flask_client (required) - provided by the client pytest fixture
+	  - endpoint (required) - the endpoint to test
+	  - object_type - dict containing one key and value: the key is the
+	                  placeholder string, the value is the object type.
+	                  If the endpoint accepts any object type, the object
+	                  type must be set to None.
+	"""
+	print("  * Testing: DELETE " + endpoint)
+
+	delete = flask_client.delete
+
+	# Fill in placeholder
+	original_endpoint = endpoint
+	endpoint = _fill_placeholder_in_endpoint(original_endpoint, object_type,
+											use_posted=True)
+
+	# Get deleted object ID
+	_object_type = list(object_type.values())[0]
+	if _object_type:
+		target_id = _posted_id(_object_type)
+	else:
+		target_id = _posted_id('message')
+
+	# First, test the endpoint in question:
+	result = delete(endpoint)
+	try:
+		assert result.status == "200 OK"
+	except AssertionError as e:
+		print("Filled endpoint: " + endpoint)
+		print("Returned data:\n" + str(result.json))
+		raise e
+
+	assert flask_client.get('/api/v1/id/' + target_id).status == "404 NOT FOUND"
+
+	if _object_type:
+		del PostedObjectDicts.items[_object_type]
+	else:
+		del PostedObjectDicts.items['message']
+
+	# Then, perform the usual checks, such as 404, wrong object type, etc.
+	_endpoint_sanity_checks(original_endpoint, 'DELETE', delete, object_type)
+
+#
+# Conference children test callers
+#
+
+def endpoint_conference_child(flask_client, method, endpoint, object_type, data=None):
+	"""
+	Performs tests on conference child endpoints.
+
+	Arguments:
+	  - flask_client (required) - provided by the client pytest fixture
+	  - method (required) - the method to test
+	  - endpoint (required) - the endpoint to test
+	  - object_type - dict containing one key and value: the key is the
+	                  placeholder string, the value is the object type.
+	                  If the endpoint accepts any object type, the object
+	                  type must be set to None.
+	  - data - data for PATCH request
+	"""
+	if method == 'GET':
+		action = flask_client.get
+	elif method == 'POST' or method == 'REPORT':
+		action = flask_client.post
+	elif method == 'PATCH':
+		action = flask_client.patch
+	elif method == 'DELETE':
+		action = flask_client.delete
+
+	# First, replace the <conference_id> placeholder with the actual conference
+	# The conference is created with a POST call prior to the start of these
+	# tests, so we get the conference ID from posted objects
+	conference_id = _posted_id('conference')
+	original_endpoint = endpoint
+	final_endpoint = original_endpoint.replace('<conference_id>', conference_id)
+	# This will be the endpoint we send off to the final test function.
+
+	if method != 'POST':
+		# Test fake conference ID
+		_placeholder = list(object_type.keys())[0]
+		_object_type = list(object_type.values())[0]
+		if _object_type:
+			target_id = _posted_id(_object_type)
 		else:
-			wrong_type = "message"
-		endpoint = original_endpoint
-		if method == "PATCH" or method == "POST":
-			wrong_type_data = PregeneratedObjects.dicts[wrong_type]
-		if list(object_type.keys())[0] is not None:
-			endpoint = endpoint.replace(list(object_type.keys())[0], PregeneratedObjects.dicts[wrong_type]['id'])
-		print("       -> Wrong object type test: " + endpoint)
-		if method == "PATCH" or method == "POST":
-			action_result = action(endpoint, json=wrong_type_data)
+			target_id = _posted_id('message')
+		fake_conference_endpoint = original_endpoint.replace('<conference_id>', 'fakeid')
+		fake_conference_endpoint = fake_conference_endpoint.replace(_placeholder, target_id)
+		fake_conference_action = action(fake_conference_endpoint)
+		assert fake_conference_action.status == "404 NOT FOUND"
+
+		# Test object belonging to another conference
+		if _object_type:
+			target_id = _pregenerated_id(_object_type)
 		else:
-			action_result = action(endpoint)
-		assert action_result.status == "400 BAD REQUEST"
-	# I had some working code for this, similar to the fake ID handler, but
-	# it'd need to be modified to work with endpoints with two ID values, as
-	# without modifications it will return 404 since the parent ID does not
-	# exist. Also, fake ID will have to be fixed now, but it returns the
-	# correct values nonetheless so... uhhh... it's ok I guess?
+			target_id = _pregenerated_id('message')
+		wrong_parent_endpoint = final_endpoint.replace(_placeholder, target_id)
+		assert action(wrong_parent_endpoint).status == "400 BAD REQUEST"
 
-	# TODO: check/assert the error codes
+	# Call the actual test function
+	if method == 'GET':
+		endpoint_get(flask_client, final_endpoint, object_type, use_posted=True)
+	elif method == 'POST':
+		endpoint_post(flask_client, final_endpoint, object_type)
+	elif method == 'PATCH':
+		endpoint_patch(flask_client, final_endpoint, object_type, data)
+	elif method == 'REPORT':
+		endpoint_report(flask_client, final_endpoint, object_type)
+	elif method == 'DELETE':
+		endpoint_delete(flask_client, final_endpoint, object_type)
 
-class PregeneratedObjects:
-	"""Contains pregenerated objects and their IDs."""
-	pregenerated_objects = generate_objects()
-	dicts = pregenerated_objects[0]
-	ids = pregenerated_objects[1]
+#
+# pytest tests
+#
+
+def test_special_endpoints(client):
+	"""Test /api/v1/instance and /api/v1/stash/request."""
+	# /api/v1/instance
+	print("  * Testing: GET /api/v1/instance")
+	instance_result = client.get('/api/v1/instance')
+	assert instance_result.status == "200 OK"
+	assert instance_result.json == drywall.db.get_object_as_dict_by_id('0')
+
+	# /api/v1/stash/request
+	print("  * Testing: POST /api/v1/stash/request")
+	stash_data = {"id_list": [_pregenerated_id('account'), _pregenerated_id('message')]}
+	stash_result = client.post('/api/v1/stash/request', json=stash_data)
+	assert stash_result.status == "200 OK"
+	assert stash_result.json == {
+		"type": "stash",
+		"id_list": [_pregenerated_id('account'), _pregenerated_id('message')],
+		_pregenerated_id('account'): _pregenerated_dict('account'),
+		_pregenerated_id('message'): _pregenerated_dict('message')
+	}
 
 def test_api_id(client):
 	"""Test API endpoints related to objects and IDs."""
-	endpoint_test(client, 'GET', '/api/v1/instance')
-	endpoint_test(client, 'POST', '/api/v1/id', data=PregeneratedObjects.dicts['message'],
-	              object_type={None: "message"}, ignore_object_type=True)
-	endpoint_test(client, 'GET', '/api/v1/id/<id>', object_type={"<id>": "message"},
-	              ignore_object_type=True)
-	endpoint_test(client, 'PATCH', '/api/v1/id/<id>', data={"content": "new_content"},
-	              object_type={"<id>": "message"}, ignore_object_type=True)
-	endpoint_test(client, 'DELETE', '/api/v1/id/<id>', object_type={"<id>": "message"},
-	              ignore_object_type=True)
-	endpoint_test(client, 'POST', '/api/v1/stash/request',
-	              data={"id_list": [PregeneratedObjects.ids['message'],
-	                                PregeneratedObjects.ids['account']]}, response_code="200 OK")
+	endpoint_post(client, '/api/v1/id', None)
+	endpoint_get(client, '/api/v1/id/<id>', {'<id>': None})
+	endpoint_patch(client, '/api/v1/id/<id>', {'<id>': None}, {"content": "new_content"})
+	endpoint_report(client, '/api/v1/id/<id>/report', {'<id>': None})
+	endpoint_delete(client, '/api/v1/id/<id>', {'<id>': None})
 
 def test_api_accounts(client):
 	"""Test API endpoints related to accounts."""
-	endpoint_test(client, 'POST', '/api/v1/accounts', PregeneratedObjects.dicts['account'],
-	              object_type={None: "account"})
-	endpoint_test(client, 'GET', '/api/v1/accounts/<account_id>', object_type={"<account_id>": "account"})
-	endpoint_test(client, 'PATCH', '/api/v1/accounts/<account_id>', data={"bio": "new_bio"},
-	              object_type={"<account_id>": "account"})
-	endpoint_test(client, 'DELETE', '/api/v1/accounts/<account_id>', object_type={"<account_id>": "account"})
+	endpoint_post(client, '/api/v1/accounts', 'account')
+	endpoint_get(client, '/api/v1/accounts/<account_id>', {"<account_id>": "account"})
+	endpoint_patch(client, '/api/v1/accounts/<account_id>', {"<account_id>": "account"}, {"bio": "new_bio"})
+	endpoint_report(client, '/api/v1/accounts/<account_id>/report', {"<account_id>": "account"})
+	endpoint_delete(client, '/api/v1/accounts/<account_id>', {"<account_id>": "account"})
 
 def test_api_conferences(client):
 	"""Test API endpoints related to conferences."""
-	endpoint_test(client, 'POST', '/api/v1/conferences', PregeneratedObjects.dicts['conference'],
-	              object_type={None: "conference"})
-	endpoint_test(client, 'GET', '/api/v1/conferences/<conference_id>', object_type={"<conference_id>": "conference"})
-	endpoint_test(client, 'PATCH', '/api/v1/conferences/<conference_id>', data={"name": "new_name"},
-	              object_type={"<conference_id>": "conference"})
-	endpoint_test(client, 'DELETE', '/api/v1/conferences/<conference_id>', object_type={"<conference_id>": "conference"})
+	endpoint_post(client, '/api/v1/conferences', 'conference')
+	endpoint_get(client, '/api/v1/conferences/<conference_id>', {"<conference_id>": "conference"})
+	endpoint_patch(client, '/api/v1/conferences/<conference_id>', {"<conference_id>": "conference"}, {"name": "new_name"})
+	endpoint_report(client, '/api/v1/conferences/<conference_id>/report', {"<conference_id>": "conference"})
+	endpoint_delete(client, '/api/v1/conferences/<conference_id>', {"<conference_id>": "conference"})
 
+def test_api_conferences_children(client):
+	"""Test API endpoints related to conference children."""
 	# Recreate conference for conference child tests
-	endpoint_test(client, 'POST', '/api/v1/conferences', PostedObjectDicts.items['conference'],
-	              object_type={None: "conference"})
-
-	endpoint_test(client, 'POST', '/api/v1/conferences/<conference_id>/members', PregeneratedObjects.dicts['conference_member'],
-	              object_type={"<conference_id>": "conference", None: "conference_member"},
-	              use_post_values=True)
-	endpoint_test(client, 'GET', '/api/v1/conferences/<conference_id>/members/<member_id>',
-	              object_type={"<conference_id>": "conference", "<member_id>": "conference_member"}, use_post_values=True)
-	endpoint_test(client, 'PATCH', '/api/v1/conferences/<conference_id>/members/<member_id>',
-	              data={"nickname": "new_nickname"},
-	              object_type={"<conference_id>": "conference", "<member_id>": "conference_member"})
-	endpoint_test(client, 'DELETE', '/api/v1/conferences/<conference_id>/members/<member_id>',
-	              object_type={"<conference_id>": "conference", "<member_id>": "conference_member"})
-
-	endpoint_test(client, 'POST', '/api/v1/conferences/<conference_id>/channels', PregeneratedObjects.dicts['channel'],
-	              object_type={"<conference_id>": "conference", None: "channel"},
-	              use_post_values=True)
-	endpoint_test(client, 'GET', '/api/v1/conferences/<conference_id>/channels/<channel_id>',
-	              object_type={"<conference_id>": "conference", "<channel_id>": "channel"})
-	endpoint_test(client, 'PATCH', '/api/v1/conferences/<conference_id>/channels/<channel_id>',
-	              data={"name": "new_name"},
-	              object_type={"<conference_id>": "conference", "<channel_id>": "channel"})
-	endpoint_test(client, 'DELETE', '/api/v1/conferences/<conference_id>/channels/<channel_id>',
-	              object_type={"<conference_id>": "conference", "<channel_id>": "channel"})
-
-	endpoint_test(client, 'POST', '/api/v1/conferences/<conference_id>/invites', PregeneratedObjects.dicts['invite'],
-	              object_type={"<conference_id>": "conference", None: "invite"})
-	endpoint_test(client, 'GET', '/api/v1/conferences/<conference_id>/invites/<invite_id>',
-	              object_type={"<conference_id>": "conference", "<invite_id>": "invite"})
-	endpoint_test(client, 'PATCH', '/api/v1/conferences/<conference_id>/invites/<invite_id>',
-	              data={"code": "new_code"},
-	              object_type={"<conference_id>": "conference", "<invite_id>": "invite"})
-	endpoint_test(client, 'DELETE', '/api/v1/conferences/<conference_id>/invites/<invite_id>',
-	              object_type={"<conference_id>": "conference", "<invite_id>": "invite"})
-
-	endpoint_test(client, 'POST', '/api/v1/conferences/<conference_id>/roles', PregeneratedObjects.dicts['role'],
-	              object_type={"<conference_id>": "conference", None: "role"})
-	endpoint_test(client, 'GET', '/api/v1/conferences/<conference_id>/roles/<role_id>',
-	              object_type={"<conference_id>": "conference", "<role_id>": "role"})
-	endpoint_test(client, 'PATCH', '/api/v1/conferences/<conference_id>/roles/<role_id>',
-	              data={"name": "new_name"},
-	              object_type={"<conference_id>": "conference", "<role_id>": "role"})
-	endpoint_test(client, 'DELETE', '/api/v1/conferences/<conference_id>/roles/<role_id>',
-	              object_type={"<conference_id>": "conference", "<role_id>": "role"})
+	endpoint_post(client, '/api/v1/conferences', 'conference')
+
+	# Conference members
+	endpoint_conference_child(client, 'POST', '/api/v1/conferences/<conference_id>/members',
+							object_type="conference_member")
+	endpoint_conference_child(client, 'GET', '/api/v1/conferences/<conference_id>/members/<member_id>',
+							object_type={"<member_id>": "conference_member"})
+	endpoint_conference_child(client, 'PATCH', '/api/v1/conferences/<conference_id>/members/<member_id>',
+							object_type={"<member_id>": "conference_member"},
+							data={"nickname": "new_nickname"})
+	endpoint_conference_child(client, 'REPORT', '/api/v1/conferences/<conference_id>/members/<member_id>/report',
+							object_type={"<member_id>": "conference_member"})
+	endpoint_conference_child(client, 'DELETE', '/api/v1/conferences/<conference_id>/members/<member_id>',
+							object_type={"<member_id>": "conference_member"})
+
+	# Conference channels
+	endpoint_conference_child(client, 'POST', '/api/v1/conferences/<conference_id>/channels',
+							object_type="channel")
+	endpoint_conference_child(client, 'GET', '/api/v1/conferences/<conference_id>/channels/<channel_id>',
+							object_type={"<channel_id>": "channel"})
+	endpoint_conference_child(client, 'PATCH', '/api/v1/conferences/<conference_id>/channels/<channel_id>',
+							object_type={"<channel_id>": "channel"},
+							data={"name": "new_name"})
+	endpoint_conference_child(client, 'REPORT', '/api/v1/conferences/<conference_id>/channels/<channel_id>/report',
+							object_type={"<channel_id>": "channel"})
+	endpoint_conference_child(client, 'DELETE', '/api/v1/conferences/<conference_id>/channels/<channel_id>',
+							object_type={"<channel_id>": "channel"})
+
+	# Conference invites
+	endpoint_conference_child(client, 'POST', '/api/v1/conferences/<conference_id>/invites',
+							object_type="invite")
+	endpoint_conference_child(client, 'GET', '/api/v1/conferences/<conference_id>/invites/<invite_id>',
+							object_type={"<invite_id>": "invite"})
+	endpoint_conference_child(client, 'PATCH', '/api/v1/conferences/<conference_id>/invites/<invite_id>',
+							object_type={"<invite_id>": "invite"},
+							data={"code": "new_code"})
+	endpoint_conference_child(client, 'REPORT', '/api/v1/conferences/<conference_id>/invites/<invite_id>/report',
+							object_type={"<invite_id>": "invite"})
+	endpoint_conference_child(client, 'DELETE', '/api/v1/conferences/<conference_id>/invites/<invite_id>',
+							object_type={"<invite_id>": "invite"})
+
+	# Conference roles
+	endpoint_conference_child(client, 'POST', '/api/v1/conferences/<conference_id>/roles',
+							object_type="role")
+	endpoint_conference_child(client, 'GET', '/api/v1/conferences/<conference_id>/roles/<role_id>',
+							object_type={"<role_id>": "role"})
+	endpoint_conference_child(client, 'PATCH', '/api/v1/conferences/<conference_id>/roles/<role_id>',
+							object_type={"<role_id>": "role"},
+							data={"name": "new_name"})
+	endpoint_conference_child(client, 'REPORT', '/api/v1/conferences/<conference_id>/roles/<role_id>/report',
+							object_type={"<role_id>": "role"})
+	endpoint_conference_child(client, 'DELETE', '/api/v1/conferences/<conference_id>/roles/<role_id>',
+							object_type={"<role_id>": "role"})
+
+	# Delete the conference
+	endpoint_delete(client, '/api/v1/conferences/<conference_id>', {"<conference_id>": "conference"})
 
 def test_api_channels(client):
 	"""Test API endpoints related to channels."""
-	endpoint_test(client, 'POST', '/api/v1/channels', PregeneratedObjects.dicts['channel'],
-	              object_type={None: "channel"})
-	endpoint_test(client, 'GET', '/api/v1/channels/<channel_id>', object_type={"<channel_id>": "channel"})
-	endpoint_test(client, 'PATCH', '/api/v1/channels/<channel_id>', data={"name": "new_name"},
-	              object_type={"<channel_id>": "channel"})
-	endpoint_test(client, 'DELETE', '/api/v1/channels/<channel_id>', object_type={"<channel_id>": "channel"})
+	endpoint_post(client, '/api/v1/channels', 'channel')
+	endpoint_get(client, '/api/v1/channels/<channel_id>', {"<channel_id>": "channel"})
+	endpoint_patch(client, '/api/v1/channels/<channel_id>', {"<channel_id>": "channel"}, {"name": "new_name"})
+	endpoint_report(client, '/api/v1/channels/<channel_id>/report', {"<channel_id>": "channel"})
+	endpoint_delete(client, '/api/v1/channels/<channel_id>', {"<channel_id>": "channel"})
 
 def test_api_messages(client):
 	"""Test API endpoints related to messages."""
-	endpoint_test(client, 'POST', '/api/v1/messages', PregeneratedObjects.dicts['message'],
-	              object_type={None: "message"})
-	endpoint_test(client, 'GET', '/api/v1/messages/<message_id>', object_type={"<message_id>": "message"})
-	endpoint_test(client, 'PATCH', '/api/v1/messages/<message_id>', data={"content": "new_content"},
-	              object_type={"<message_id>": "message"})
-	endpoint_test(client, 'DELETE', '/api/v1/messages/<message_id>', object_type={"<message_id>": "message"})
+	endpoint_post(client, '/api/v1/messages', 'message')
+	endpoint_get(client, '/api/v1/messages/<message_id>', {"<message_id>": "message"})
+	endpoint_patch(client, '/api/v1/messages/<message_id>', {"<message_id>": "message"}, {"content": "new_content"})
+	endpoint_report(client, '/api/v1/messages/<message_id>/report', {"<message_id>": "message"})
+	endpoint_delete(client, '/api/v1/messages/<message_id>', {"<message_id>": "message"})
 
 def test_api_invites(client):
 	"""Test API endpoints related to invites."""
-	endpoint_test(client, 'POST', '/api/v1/invites', PregeneratedObjects.dicts['invite'],
-	              object_type={None: "invite"})
-	endpoint_test(client, 'GET', '/api/v1/invites/<invite_id>', object_type={"<invite_id>": "invite"})
-	endpoint_test(client, 'PATCH', '/api/v1/invites/<invite_id>', data={"code": "new_code"},
-	              object_type={"<invite_id>": "invite"})
-	endpoint_test(client, 'DELETE', '/api/v1/invites/<invite_id>', object_type={"<invite_id>": "invite"})
+	endpoint_post(client, '/api/v1/invites', 'invite')
+	endpoint_get(client, '/api/v1/invites/<invite_id>', {"<invite_id>": "invite"})
+	endpoint_patch(client, '/api/v1/invites/<invite_id>', {"<invite_id>": "invite"}, {"code": "new_code"})
+	endpoint_report(client, '/api/v1/invites/<invite_id>/report', {"<invite_id>": "invite"})
+	endpoint_delete(client, '/api/v1/invites/<invite_id>', {"<invite_id>": "invite"})
 
 def test_api_roles(client):
 	"""Test API endpoints related to roles."""
-	endpoint_test(client, 'POST', '/api/v1/roles', PregeneratedObjects.dicts['role'],
-	              object_type={None: "role"})
-	endpoint_test(client, 'GET', '/api/v1/roles/<role_id>', object_type={"<role_id>": "role"})
-	endpoint_test(client, 'PATCH', '/api/v1/roles/<role_id>', data={"name": "new_name"},
-	              object_type={"<role_id>": "role"})
-	endpoint_test(client, 'DELETE', '/api/v1/roles/<role_id>', object_type={"<role_id>": "role"})
+	endpoint_post(client, '/api/v1/roles', 'role')
+	endpoint_get(client, '/api/v1/roles/<role_id>', {"<role_id>": "role"})
+	endpoint_patch(client, '/api/v1/roles/<role_id>', {"<role_id>": "role"}, {"name": "new_name"})
+	endpoint_report(client, '/api/v1/roles/<role_id>/report', {"<role_id>": "role"})
+	endpoint_delete(client, '/api/v1/roles/<role_id>', {"<role_id>": "role"})
 
 def test_api_reports(client):
 	"""Test API endpoints related to reports."""
-	endpoint_test(client, 'POST', '/api/v1/reports', PregeneratedObjects.dicts['report'],
-	              object_type={None: "report"})
-	endpoint_test(client, 'GET', '/api/v1/reports/<report_id>', object_type={"<report_id>": "report"})
-	endpoint_test(client, 'PATCH', '/api/v1/reports/<report_id>', data={"note": "new_note"},
-	              object_type={"<report_id>": "report"})
-	endpoint_test(client, 'DELETE', '/api/v1/reports/<report_id>', object_type={"<report_id>": "report"})
+	endpoint_post(client, '/api/v1/reports', 'report')
+	endpoint_get(client, '/api/v1/reports/<report_id>', {"<report_id>": "report"})
+	endpoint_patch(client, '/api/v1/reports/<report_id>', {"<report_id>": "report"}, {"note": "new_note"})
+	endpoint_delete(client, '/api/v1/reports/<report_id>', {"<report_id>": "report"})
diff --git a/tests/test_auth.py b/tests/test_auth.py
new file mode 100644
index 0000000..093a5a3
--- /dev/null
+++ b/tests/test_auth.py
@@ -0,0 +1,190 @@
+# coding: utf-8
+"""
+Contains tests and helper functions for basic authentication functions:
+creating/editing/deleting accounts and OAuth clients.
+"""
+from drywall import auth
+from drywall import auth_oauth
+from drywall import db
+
+import time
+
+def generate_user():
+	"""
+	Creates a user and returns a list with its ID, password and
+	a dict containing the values of the resulting User object.
+	"""
+	# Generate a random username, e-mail, password
+	username = str(time.time()).replace('.', '')
+	email = str(time.time()) + "@example.com"
+	password = "testUser"
+
+	# Create the user
+	user_dict = auth.register_user(username, email, password)
+	return [user_dict['id'], password, user_dict]
+
+def generate_clients():
+	"""
+	Creates two clients for testing purposes: an user app and a bot.
+
+	Returns a dict with two items:
+		- app: dict containing values for a client with userapp type
+		- bot: dict containing values for a client with userapp type
+		- owner: User object that owns the clients
+	"""
+	clients = {}
+
+	# Generate the owner
+	clients['owner'] = generate_user()[2]
+
+	# Create the user app
+	app_dict = {
+		"name": "TestUserApp",
+		"description": "This is my test application!",
+		"type": "userapp",
+		"uri": "https://punctum.im/callback",
+		"scopes": ["account:read", "account:write"],
+		"owner_id": clients['owner']['id'],
+		"owner_account_id": clients['owner']['account_id']
+	}
+	app = auth_oauth.create_client(app_dict)
+	clients['app'] = app
+
+	# Create the bot
+	bot_dict = {
+		"name": "TestBot",
+		"description": "This is my test bot!",
+		"type": "bot",
+		"uri": "https://punctum.im/callback",
+		"scopes": ["channel:read", "channel:write"],
+		"owner_id": clients['owner']['id'],
+		"owner_account_id": clients['owner']['account_id']
+	}
+	bot = auth_oauth.create_client(bot_dict)
+	clients['bot'] = bot
+
+	return clients
+
+def test_auth_users():
+	"""
+	Test user functions: creating new users, editing user information, etc.
+	"""
+	# Call the usual generate_user function
+	_user = generate_user()
+	_user_id = _user[0]
+	_user_dict = _user[2]
+	_user_account_id = _user_dict['account_id']
+
+	# Check if the generated user actually exists
+	assert auth.get_user_by_id(_user_id) is not None
+	assert db.get_object_as_dict_by_id(_user_account_id) is not None
+
+	# Check if the user can be found using builtin functions
+	assert auth.get_user_by_email(_user_dict['email']) == _user_dict
+	assert auth.get_user_by_account_id(_user_account_id) == _user_dict
+
+	# Make sure the newly-created user isn't an admin
+	assert auth.is_account_admin(_user_account_id) is False
+
+	# Try to edit user
+	new_user_dict = _user[2].copy()
+	new_user_dict['username'] = 'NewTestUsername'
+	new_user_dict['email'] = 'newtestemail@example.com'
+	edited_user_dict = auth.edit_user(_user_id, new_user_dict)
+
+	assert edited_user_dict is not None
+	assert edited_user_dict != _user_dict
+	edited_user = auth.get_user_by_id(_user_id)
+	assert edited_user is not None
+	assert edited_user['username'] == 'NewTestUsername'
+	assert edited_user['email'] == 'newtestemail@example.com'
+
+	# User editing failcases
+	new_user_dict['email'] = 'broken email'
+	try:
+		auth.edit_user(_user_id, new_user_dict)
+	except ValueError:
+		pass
+	else:
+		raise Exception("edit_user didn't raise an error with broken e-mail!")
+
+	# Try to delete user
+	# auth.remove_user(_user_id)
+	# assert auth.get_user_by_id(_user_id) is None
+
+def test_auth_accounts_web():
+	"""
+	Test web authentication pages: signing up, logging in and
+	logging out.
+	"""
+	pass
+
+def test_oauth_clients():
+	"""Test client creation, editing, deletion, etc."""
+	# Call the usual generate_clients function
+	_clients = generate_clients()
+
+	_app_dict = _clients["app"]
+	_app_id = _app_dict['client_id']
+
+	_bot_dict = _clients["bot"]
+	_bot_id = _bot_dict['client_id']
+	_bot_account_id = _bot_dict['bot_account_id']
+
+	_owner_user_id = _clients['owner']['id']
+
+	# Make sure the created clients are available in get_clients_owned_by_user
+	owned_clients = auth_oauth.get_clients_owned_by_user(_owner_user_id)
+	assert _app_dict in owned_clients
+	assert _bot_dict in owned_clients
+
+	# Try to update client
+	update_dict = {"name": "NewTestClient", "scopes": ["account:read", "channel:write"]}
+	edit_result = auth_oauth.edit_client(_bot_id, update_dict)
+	assert edit_result != _bot_dict
+	assert auth_oauth.get_client_by_id(_bot_id)['client_metadata']['client_name'] == 'NewTestClient'
+	assert auth_oauth.get_client_by_id(_bot_id)['client_metadata']['scope'] == "account:read channel:write"
+	assert db.get_object_as_dict_by_id(_bot_account_id)['username'] == 'NewTestClient'
+
+	# Try to create/edit bot with invalid name
+	try:
+		bot_dict = {
+			"name": "$.invalid.bot.name$",
+			"type": "bot",
+			"uri": "https://punctum.im/callback",
+			"scopes": ["channel:read", "channel:write"],
+			"owner_id": _clients['owner']['id'],
+			"owner_account_id": _clients['owner']['account_id']
+		}
+		auth_oauth.create_client(bot_dict)
+		auth_oauth.edit_client(_bot_id, {"name": "$.invalid.bot.name$"})
+	except ValueError:
+		pass
+	else:
+		raise Exception("Invalid bot name test failed!")
+
+	# Test some fail cases
+	assert auth_oauth.get_client_by_id('fakeid') is None
+	assert auth_oauth.edit_client('fakeid', {"name": "FakeTestClient"}) is None
+	assert auth_oauth.remove_client('fakeid') is None
+
+	# Generate custom user for further tests
+	_new_user_id = generate_user()[0]
+
+	# Make sure user has no pre-owned clients or assigned tokens
+	assert not auth_oauth.get_clients_owned_by_user(_new_user_id)
+	assert not auth_oauth.get_auth_tokens_for_user(_new_user_id)
+
+	# Test access permissions
+	assert auth_oauth.get_client_if_owned_by_user(_new_user_id, 'fakeid') is None
+	assert auth_oauth.get_client_if_owned_by_user(_new_user_id, _bot_id) is False
+	assert auth_oauth.get_client_if_owned_by_user(_owner_user_id, _bot_id) is not False
+
+	# Clean up
+	# auth.remove_user(_new_user_id)
+
+	# Try to remove clients
+	auth_oauth.remove_client(_app_id)
+	assert auth_oauth.get_client_by_id(_app_id) is None
+	auth_oauth.remove_client(_bot_id)
+	assert auth_oauth.get_client_by_id(_bot_id) is None
diff --git a/tests/test_db.py b/tests/test_db.py
index 29efd72..651d6c0 100644
--- a/tests/test_db.py
+++ b/tests/test_db.py
@@ -43,25 +43,3 @@ def test_db():
 
 	db.delete_object(test_object_id)
 	assert not db.id_taken(test_object_id)
-
-	test_user = {"username": "test", "email": "mail@example.com", "password": "password", "account_id": PregeneratedObjects.dicts['account']['id']}
-	db.add_user(test_user)
-	assert db.get_user_by_email("mail@example.com")
-
-	"""
-	try:
-		db.add_user(test_user)
-		raise Exception
-	except ValueError:
-		pass
-
-	test_user["username"] = "test2"
-	try:
-		db.add_user(test_user)
-		raise Exception
-	except ValueError:
-		pass
-	"""
-
-	# db.remove_user("mail@example.com")
-	# assert db.get_user_by_email("mail@example.com") == None
diff --git a/tests/test_objects.py b/tests/test_objects.py
index 40a35cf..8b52890 100755
--- a/tests/test_objects.py
+++ b/tests/test_objects.py
@@ -208,6 +208,23 @@ def test_object_init_failcases():
 
 def test_object_specific_failcases():
 	"""Test some object-specific constraints"""
+	# Account: try to create account with invalid username
+	valid_account_dict = GeneratedObjects.objects['account'].copy()
+	valid_account_dict['username'] = '_Valid-Username_'
+	try:
+		objects.Account(valid_account_dict)
+	except KeyError:
+		raise Exception("Failed to create account with valid username!")
+
+	invalid_account_dict = GeneratedObjects.objects['account'].copy()
+	invalid_account_dict['username'] = '$.invalid.username.$'
+	try:
+		objects.Account(invalid_account_dict)
+	except KeyError:
+		pass
+	else:
+		raise Exception("Account with invalid username test failed!")
+
 	# Channel: try to create a channel without a parent conference
 	channel_dict = GeneratedObjects.objects['channel'].copy()
 	channel_dict.pop('parent_conference')
diff --git a/tests/test_runner.sh b/tests/test_runner.sh
index d0a84db..45344b6 100755
--- a/tests/test_runner.sh
+++ b/tests/test_runner.sh
@@ -72,13 +72,13 @@ if [ $do_test ]; then
 	# We use the names "drywall_testdb" and "drywall_test" to avoid conflicts
 	# with existing databases
 
-	if [ ! $no_db_setup ]; then
+	if [ -z $no_db_setup ]; then
 		sudo -Hu postgres psql <<- EOF
 		DROP DATABASE IF EXISTS drywall_testdb;
 		DROP USER IF EXISTS drywall_test;
 		CREATE DATABASE drywall_testdb;
 		CREATE USER drywall_test WITH PASSWORD 'drywall_test';
-		GRANT ALL PRIVLEGES ON DATABASE drywall_testdb TO drywall_test;
+		GRANT ALL PRIVILEGES ON DATABASE drywall_testdb TO drywall_test;
 		EOF
 	fi
 
@@ -114,7 +114,7 @@ if [ $do_test ]; then
 		coverage report
 	fi
 
-	if [ ! $no_db_setup ]; then
+	if [ -z $no_db_setup ]; then
 		if [ $keep_db ]; then
 			echo -e '\033[33m!!! Keeping test database.\033[0m'
 			echo -e '\033[33m!!! Note that it will be wiped on next test run!\033[0m'
diff --git a/utils/alchemify.py b/utils/alchemify.py
index 3ae3ae1..5460aeb 100755
--- a/utils/alchemify.py
+++ b/utils/alchemify.py
@@ -67,7 +67,10 @@ def is_id(object_properties, key):
 	if object_properties['key_types'][key] == "id":
 		id_key_type = object_properties['id_key_types'][key]
 		if id_key_type == 'any':
-			return "ForeignKey('objects.id')"
+			if object_properties['object_type'] == 'report' and key == 'target':
+				return "ForeignKey('objects.id', ondelete='CASCADE')"
+			else:
+				return "ForeignKey('objects.id')"
 		else:
 			return "ForeignKey('" + id_key_type + ".id')"
 	return ""