Compare revisions

328caf00 · 98fe5690 · 98fe5690 · 98fe5690 · 98fe5690 · 98fe5690
--- a/tests/test_services.py
+++ b/tests/test_services.py
-import datetime
-import unittest
-from flask import url_for
-# These imports are required, because otherwise we get circular imports?!
-from uffd import user
-from utils import dump, UffdTestCase
-class TestServices(UffdTestCase):
-	def setUpApp(self):
-		self.app.config['SERVICES'] = [
-			{
-				'title': 'Service Title',
-				'subtitle': 'Service Subtitle',
-				'description': 'Short description of the service as plain text',
-				'url': 'https://example.com/',
-				'logo_url': '/static/fairy-dust-color.png',
-				'required_group': 'users',
-				'permission_levels': [
-					{'name': 'Moderator', 'required_group': 'moderators'},
-					{'name': 'Admin', 'required_group': 'uffd_admin'},
-				],
-				'confidential': True,
-				'groups': [
-					{'name': 'Group "crew_crew"', 'required_group': 'users'},
-					{'name': 'Group "crew_logistik"', 'required_group': 'uffd_admin'},
-				],
-				'infos': [
-					{'title': 'Documentation', 'html': '<p>Some information about the service as html</p>', 'required_group': 'users'},
-				],
-				'links': [
-					{'title': 'Link to an external site', 'url': '#', 'required_group': 'users'},
-				],
-			},
-			{
-				'title': 'Minimal Service Title',
-			}
-		]
-		self.app.config['SERVICES_PUBLIC'] = True
-	def test_index(self):
-		r = self.client.get(path=url_for('services.index'))
-		dump('services_index_public', r)
-		self.assertEqual(r.status_code, 200)
-		self.assertNotIn(b'https://example.com/', r.data)
-		self.login_as('user')
-		r = self.client.get(path=url_for('services.index'))
-		dump('services_index', r)
-		self.assertEqual(r.status_code, 200)
-		self.assertIn(b'https://example.com/', r.data)
--- a/tests/test_tasks.py
+++ b/tests/test_tasks.py
+import unittest
+from flask import Flask
+from flask_sqlalchemy import SQLAlchemy
+from uffd.tasks import CleanupTask
+class TestCleanupTask(unittest.TestCase):
+	def test(self):
+		app = Flask(__name__)
+		app.testing = True
+		app.debug = True
+		app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///:memory:'
+		db = SQLAlchemy(app)
+		cleanup_task = CleanupTask()
+		@cleanup_task.delete_by_attribute('delete_me')
+		class TestModel(db.Model):
+			id = db.Column(db.Integer(), primary_key=True, autoincrement=True)
+			delete_me = db.Column(db.Boolean(), default=False, nullable=False)
+		with app.test_request_context():
+			db.create_all()
+			db.session.add(TestModel(delete_me=True))
+			db.session.add(TestModel(delete_me=True))
+			db.session.add(TestModel(delete_me=True))
+			db.session.add(TestModel(delete_me=False))
+			db.session.add(TestModel(delete_me=False))
+			db.session.commit()
+			db.session.expire_all()
+			self.assertEqual(TestModel.query.count(), 5)
+		with app.test_request_context():
+			cleanup_task.run()
+			db.session.commit()
+			db.session.expire_all()
+		with app.test_request_context():
+			self.assertEqual(TestModel.query.count(), 2)
--- a/tests/test_utils.py
+++ b/tests/test_utils.py
+from uffd.utils import nopad_b32decode, nopad_b32encode, nopad_urlsafe_b64decode, nopad_urlsafe_b64encode
+from tests.utils import UffdTestCase
+class TestUtils(UffdTestCase):
+	def test_nopad_b32(self):
+		for n in range(0, 32):
+			self.assertEqual(b'X'*n, nopad_b32decode(nopad_b32encode(b'X'*n)))
+	def test_nopad_b64(self):
+		for n in range(0, 32):
+			self.assertEqual(b'X'*n, nopad_urlsafe_b64decode(nopad_urlsafe_b64encode(b'X'*n)))
--- a/tests/utils.py
+++ b/tests/utils.py
 import os
-import tempfile
-import shutil
 import unittest
-from flask import request, url_for
+from flask import url_for
+import flask_migrate
 from uffd import create_app, db
-from uffd.user.models import User, Group
+from uffd.models import User, Group, Mail
-from uffd.mail.models import Mail
 def dump(basename, resp):
 	basename = basename.replace('.', '_').replace('/', '_')
@@ -22,42 +20,12 @@ def dump(basename, resp):
 def db_flush():
 	db.session.rollback()
-	db.session = db.create_scoped_session()
+	db.session.expire_all()
-class UffdTestCase(unittest.TestCase):
+class AppTestCase(unittest.TestCase):
-	def get_user(self):
+	DISABLE_SQLITE_MEMORY_DB = False
-		return User.query.filter_by(loginname='testuser').one_or_none()
-	def get_admin(self):
-		return User.query.filter_by(loginname='testadmin').one_or_none()
-	def get_admin_group(self):
-		return Group.query.filter_by(name='uffd_admin').one_or_none()
-	def get_access_group(self):
-		return Group.query.filter_by(name='uffd_access').one_or_none()
-	def get_users_group(self):
-		return Group.query.filter_by(name='users').one_or_none()
-	def get_mail(self):
-		return Mail.query.filter_by(uid='test').one_or_none()
-	def login_as(self, user, ref=None):
-		loginname = None
-		password = None
-		if user == 'user':
-			loginname = 'testuser'
-			password = 'userpassword'
-		elif user == 'admin':
-			loginname = 'testadmin'
-			password = 'adminpassword'
-		return self.client.post(path=url_for('session.login', ref=ref),
-								data={'loginname': loginname, 'password': password}, follow_redirects=True)
 	def setUp(self):
-		# It would be far better to create a minimal app here, but since the
-		# session module depends on almost everything else, that is not really feasable
 		config = {
 			'TESTING': True,
 			'DEBUG': True,
@@ -65,12 +33,78 @@ class UffdTestCase(unittest.TestCase):
 			'SECRET_KEY': 'DEBUGKEY',
 			'MAIL_SKIP_SEND': True,
 			'SELF_SIGNUP': True,
-			'ENABLE_INVITE': True,
-			'ENABLE_PASSWORDRESET': True
 		}
+		if self.DISABLE_SQLITE_MEMORY_DB:
+			try:
+				os.remove('/tmp/uffd-migration-test-db.sqlite3')
+			except FileNotFoundError:
+				pass
+			config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:////tmp/uffd-migration-test-db.sqlite3'
+		if os.environ.get('TEST_WITH_MYSQL'):
+			import MySQLdb
+			conn = MySQLdb.connect(user='root', unix_socket='/var/run/mysqld/mysqld.sock')
+			cur = conn.cursor()
+			try:
+				cur.execute('DROP DATABASE uffd_tests')
+			except:
+				pass
+			cur.execute('CREATE DATABASE uffd_tests CHARACTER SET utf8mb4 COLLATE utf8mb4_nopad_bin')
+			conn.close()
+			config['SQLALCHEMY_DATABASE_URI'] = 'mysql+mysqldb:///uffd_tests?unix_socket=/var/run/mysqld/mysqld.sock&charset=utf8mb4'
 		self.app = create_app(config)
 		self.setUpApp()
+	def setUpApp(self):
+		pass
+	def tearDown(self):
+		if self.DISABLE_SQLITE_MEMORY_DB:
+			try:
+				os.remove('/tmp/uffd-migration-test-db.sqlite3')
+			except FileNotFoundError:
+				pass
+class MigrationTestCase(AppTestCase):
+	DISABLE_SQLITE_MEMORY_DB = True
+	REVISION = None
+	def setUp(self):
+		super().setUp()
+		self.request_context = self.app.test_request_context()
+		self.request_context.__enter__()
+		if self.REVISION:
+			flask_migrate.upgrade(revision=self.REVISION + '-1')
+	def upgrade(self, revision='+1'):
+		db.session.commit()
+		flask_migrate.upgrade(revision=revision)
+	def downgrade(self, revision='-1'):
+		db.session.commit()
+		flask_migrate.downgrade(revision=revision)
+	def tearDown(self):
+		db.session.rollback()
+		self.request_context.__exit__(None, None, None)
+		super().tearDown()
+class ModelTestCase(AppTestCase):
+	def setUp(self):
+		super().setUp()
+		self.request_context = self.app.test_request_context()
+		self.request_context.__enter__()
+		db.create_all()
+		db.session.commit()
+	def tearDown(self):
+		db.session.rollback()
+		self.request_context.__exit__(None, None, None)
+		super().tearDown()
+class UffdTestCase(AppTestCase):
+	def setUp(self):
+		super().setUp()
 		self.client = self.app.test_client()
 		self.client.__enter__()
 		# Just do some request so that we can use url_for
@@ -83,16 +117,51 @@ class UffdTestCase(unittest.TestCase):
 		db.session.add(access_group)
 		admin_group = Group(name='uffd_admin', unix_gid=20003, description='Admin access to uffd')
 		db.session.add(admin_group)
-		testuser = User(loginname='testuser', unix_uid=10000, password='userpassword', mail='test@example.com', displayname='Test User', groups=[users_group, access_group])
+		testuser = User(loginname='testuser', unix_uid=10000, password='userpassword', primary_email_address='test@example.com', displayname='Test User', groups=[users_group, access_group])
 		db.session.add(testuser)
-		testadmin = User(loginname='testadmin', unix_uid=10001, password='adminpassword', mail='admin@example.com', displayname='Test Admin', groups=[users_group, access_group, admin_group])
+		testadmin = User(loginname='testadmin', unix_uid=10001, password='adminpassword', primary_email_address='admin@example.com', displayname='Test Admin', groups=[users_group, access_group, admin_group])
 		db.session.add(testadmin)
 		testmail = Mail(uid='test', receivers=['test1@example.com', 'test2@example.com'], destinations=['testuser@mail.example.com'])
 		db.session.add(testmail)
+		self.setUpDB()
 		db.session.commit()
-	def setUpApp(self):
+	def setUpDB(self):
 		pass
 	def tearDown(self):
 		self.client.__exit__(None, None, None)
+		super().tearDown()
+	def get_user(self):
+		return User.query.filter_by(loginname='testuser').one_or_none()
+	def get_admin(self):
+		return User.query.filter_by(loginname='testadmin').one_or_none()
+	def get_admin_group(self):
+		return Group.query.filter_by(name='uffd_admin').one_or_none()
+	def get_access_group(self):
+		return Group.query.filter_by(name='uffd_access').one_or_none()
+	def get_users_group(self):
+		return Group.query.filter_by(name='users').one_or_none()
+	def get_mail(self):
+		return Mail.query.filter_by(uid='test').one_or_none()
+	def login_as(self, user, ref=None):
+		# It is currently not possible to login while already logged in as another
+		# user, so make sure that we are not logged in first
+		self.client.get(path=url_for('session.logout'), follow_redirects=True)
+		loginname = None
+		password = None
+		if user == 'user':
+			loginname = 'testuser'
+			password = 'userpassword'
+		elif user == 'admin':
+			loginname = 'testadmin'
+			password = 'adminpassword'
+		return self.client.post(path=url_for('session.login', ref=ref),
+								data={'loginname': loginname, 'password': password}, follow_redirects=True)
--- a/tests/views/__init__.py
+++ b/tests/views/__init__.py
--- a/tests/views/test_api.py
+++ b/tests/views/test_api.py
+import base64
+from flask import url_for
+from uffd.password_hash import PlaintextPasswordHash
+from uffd.remailer import remailer
+from uffd.database import db
+from uffd.models import APIClient, Service, User, RemailerMode
+from uffd.views.api import apikey_required
+from tests.utils import UffdTestCase, db_flush
+def basic_auth(username, password):
+	return ('Authorization', 'Basic ' + base64.b64encode(f'{username}:{password}'.encode()).decode())
+class TestAPIAuth(UffdTestCase):
+	def setUpApp(self):
+		@self.app.route('/test/endpoint1')
+		@apikey_required()
+		def testendpoint1():
+			return 'OK', 200
+		@self.app.route('/test/endpoint2')
+		@apikey_required('users')
+		def testendpoint2():
+			return 'OK', 200
+	def setUpDB(self):
+		db.session.add(APIClient(service=Service(name='test1'), auth_username='test1', auth_password='testsecret1', perm_users=True))
+		db.session.add(APIClient(service=Service(name='test2'), auth_username='test2', auth_password='testsecret2'))
+	def test_basic(self):
+		r = self.client.get(path=url_for('testendpoint1'), headers=[basic_auth('test1', 'testsecret1')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		r = self.client.get(path=url_for('testendpoint2'), headers=[basic_auth('test1', 'testsecret1')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		r = self.client.get(path=url_for('testendpoint1'), headers=[basic_auth('test2', 'testsecret2')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+	def test_basic_invalid_credentials(self):
+		r = self.client.get(path=url_for('testendpoint1'), headers=[basic_auth('test-none', 'testsecret-none')], follow_redirects=True)
+		self.assertEqual(r.status_code, 401)
+		r = self.client.get(path=url_for('testendpoint1'), headers=[basic_auth('test1', 'testsecret2')], follow_redirects=True)
+		self.assertEqual(r.status_code, 401)
+	def test_basic_missing_scope(self):
+		r = self.client.get(path=url_for('testendpoint2'), headers=[basic_auth('test2', 'testsecret2')], follow_redirects=True)
+		self.assertEqual(r.status_code, 403)
+	def test_no_auth(self):
+		r = self.client.get(path=url_for('testendpoint1'), follow_redirects=True)
+		self.assertEqual(r.status_code, 401)
+	def test_auth_password_rehash(self):
+		db.session.add(APIClient(service=Service(name='test3'), auth_username='test3', auth_password=PlaintextPasswordHash.from_password('testsecret3')))
+		db.session.commit()
+		self.assertIsInstance(APIClient.query.filter_by(auth_username='test3').one().auth_password, PlaintextPasswordHash)
+		r = self.client.get(path=url_for('testendpoint1'), headers=[basic_auth('test3', 'testsecret3')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		api_client = APIClient.query.filter_by(auth_username='test3').one()
+		self.assertIsInstance(api_client.auth_password, APIClient.auth_password.method_cls)
+		self.assertTrue(api_client.auth_password.verify('testsecret3'))
+		r = self.client.get(path=url_for('testendpoint1'), headers=[basic_auth('test3', 'testsecret3')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+class TestAPIGetmails(UffdTestCase):
+	def setUpDB(self):
+		db.session.add(APIClient(service=Service(name='test'), auth_username='test', auth_password='test', perm_mail_aliases=True))
+	def test_lookup(self):
+		r = self.client.get(path=url_for('api.getmails', receive_address='test1@example.com'), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(r.json, [{'name': 'test', 'receive_addresses': ['test1@example.com', 'test2@example.com'], 'destination_addresses': ['testuser@mail.example.com']}])
+		r = self.client.get(path=url_for('api.getmails', receive_address='test2@example.com'), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(r.json, [{'name': 'test', 'receive_addresses': ['test1@example.com', 'test2@example.com'], 'destination_addresses': ['testuser@mail.example.com']}])
+	def test_lookup_notfound(self):
+		r = self.client.get(path=url_for('api.getmails', receive_address='test3@example.com'), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(r.json, [])
+	def test_lookup_case_folding(self):
+		r = self.client.get(path=url_for('api.getmails', receive_address='Test1@example.com'), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(r.json, [{'name': 'test', 'receive_addresses': ['test1@example.com', 'test2@example.com'], 'destination_addresses': ['testuser@mail.example.com']}])
+class TestAPICheckPassword(UffdTestCase):
+	def setUpDB(self):
+		db.session.add(APIClient(service=Service(name='test'), auth_username='test', auth_password='test', perm_checkpassword=True))
+	def test(self):
+		r = self.client.post(path=url_for('api.checkpassword'), data={'loginname': 'testuser', 'password': 'userpassword'}, headers=[basic_auth('test', 'test')])
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(r.json['loginname'], 'testuser')
+	def test_password_rehash(self):
+		self.get_user().password = PlaintextPasswordHash.from_password('userpassword')
+		db.session.commit()
+		self.assertIsInstance(self.get_user().password, PlaintextPasswordHash)
+		db_flush()
+		r = self.client.post(path=url_for('api.checkpassword'), data={'loginname': 'testuser', 'password': 'userpassword'}, headers=[basic_auth('test', 'test')])
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(r.json['loginname'], 'testuser')
+		self.assertIsInstance(self.get_user().password, User.password.method_cls)
+		self.assertTrue(self.get_user().password.verify('userpassword'))
+	def test_wrong_password(self):
+		r = self.client.post(path=url_for('api.checkpassword'), data={'loginname': 'testuser', 'password': 'wrongpassword'}, headers=[basic_auth('test', 'test')])
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(r.json, None)
+	def test_deactivated(self):
+		self.get_user().is_deactivated = True
+		db.session.commit()
+		r = self.client.post(path=url_for('api.checkpassword'), data={'loginname': 'testuser', 'password': 'userpassword'}, headers=[basic_auth('test', 'test')])
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(r.json, None)
+class TestAPIGetusers(UffdTestCase):
+	def setUpDB(self):
+		db.session.add(APIClient(service=Service(name='test'), auth_username='test', auth_password='test', perm_users=True))
+	def fix_result(self, result):
+		result.sort(key=lambda user: user['id'])
+		for user in result:
+			user['groups'].sort()
+		return result
+	def test_all(self):
+		r = self.client.get(path=url_for('api.getusers'), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(self.fix_result(r.json), [
+			{'displayname': 'Test User', 'email': 'test@example.com', 'id': 10000, 'loginname': 'testuser', 'groups': ['uffd_access', 'users']},
+			{'displayname': 'Test Admin', 'email': 'admin@example.com', 'id': 10001, 'loginname': 'testadmin', 'groups': ['uffd_access', 'uffd_admin', 'users']}
+		])
+	def test_id(self):
+		r = self.client.get(path=url_for('api.getusers', id=10000), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(self.fix_result(r.json), [
+			{'displayname': 'Test User', 'email': 'test@example.com', 'id': 10000, 'loginname': 'testuser', 'groups': ['uffd_access', 'users']},
+		])
+	def test_id_empty(self):
+		r = self.client.get(path=url_for('api.getusers', id=0), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(r.json, [])
+	def test_with_remailer(self):
+		service = Service.query.filter_by(name='test').one()
+		service.remailer_mode = RemailerMode.ENABLED_V1
+		db.session.commit()
+		user = self.get_user()
+		self.app.config['REMAILER_DOMAIN'] = 'remailer.example.com'
+		r = self.client.get(path=url_for('api.getusers', id=10000), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		service = Service.query.filter_by(name='test').one()
+		self.assertEqual(self.fix_result(r.json), [
+			{'displayname': 'Test User', 'email': remailer.build_v1_address(service.id, user.id), 'id': 10000, 'loginname': 'testuser', 'groups': ['uffd_access', 'users']},
+		])
+	def test_loginname(self):
+		r = self.client.get(path=url_for('api.getusers', loginname='testuser'), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(self.fix_result(r.json), [
+			{'displayname': 'Test User', 'email': 'test@example.com', 'id': 10000, 'loginname': 'testuser', 'groups': ['uffd_access', 'users']},
+		])
+	def test_loginname_empty(self):
+		r = self.client.get(path=url_for('api.getusers', loginname='notauser'), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(r.json, [])
+	def test_email(self):
+		r = self.client.get(path=url_for('api.getusers', email='admin@example.com'), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(self.fix_result(r.json), [
+			{'displayname': 'Test Admin', 'email': 'admin@example.com', 'id': 10001, 'loginname': 'testadmin', 'groups': ['uffd_access', 'uffd_admin', 'users']}
+		])
+	def test_email_with_remailer(self):
+		service = Service.query.filter_by(name='test').one()
+		service.remailer_mode = RemailerMode.ENABLED_V1
+		db.session.commit()
+		user = self.get_admin()
+		self.app.config['REMAILER_DOMAIN'] = 'remailer.example.com'
+		r = self.client.get(path=url_for('api.getusers', email=remailer.build_v1_address(service.id, user.id)), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		service = Service.query.filter_by(name='test').one()
+		self.assertEqual(self.fix_result(r.json), [
+			{'displayname': 'Test Admin', 'email': remailer.build_v1_address(service.id, user.id), 'id': 10001, 'loginname': 'testadmin', 'groups': ['uffd_access', 'uffd_admin', 'users']}
+		])
+	def test_email_empty(self):
+		r = self.client.get(path=url_for('api.getusers', email='foo@bar'), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(r.json, [])
+	def test_group(self):
+		r = self.client.get(path=url_for('api.getusers', group='uffd_admin'), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(self.fix_result(r.json), [
+			{'displayname': 'Test Admin', 'email': 'admin@example.com', 'id': 10001, 'loginname': 'testadmin', 'groups': ['uffd_access', 'uffd_admin', 'users']}
+		])
+	def test_group_empty(self):
+		r = self.client.get(path=url_for('api.getusers', group='notagroup'), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(r.json, [])
+	def test_deactivated(self):
+		self.get_user().is_deactivated = True
+		db.session.commit()
+		r = self.client.get(path=url_for('api.getusers'), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(self.fix_result(r.json), [
+			{'displayname': 'Test User', 'email': 'test@example.com', 'id': 10000, 'loginname': 'testuser', 'groups': ['uffd_access', 'users']},
+			{'displayname': 'Test Admin', 'email': 'admin@example.com', 'id': 10001, 'loginname': 'testadmin', 'groups': ['uffd_access', 'uffd_admin', 'users']}
+		])
+		Service.query.filter_by(name='test').first().hide_deactivated_users = True
+		db.session.commit()
+		r = self.client.get(path=url_for('api.getusers'), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(self.fix_result(r.json), [
+			{'displayname': 'Test Admin', 'email': 'admin@example.com', 'id': 10001, 'loginname': 'testadmin', 'groups': ['uffd_access', 'uffd_admin', 'users']}
+		])
+class TestAPIGetgroups(UffdTestCase):
+	def setUpDB(self):
+		db.session.add(APIClient(service=Service(name='test'), auth_username='test', auth_password='test', perm_users=True))
+	def fix_result(self, result):
+		result.sort(key=lambda group: group['id'])
+		for group in result:
+			group['members'].sort()
+		return result
+	def test_all(self):
+		r = self.client.get(path=url_for('api.getgroups'), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(self.fix_result(r.json), [
+			{'id': 20001, 'members': ['testadmin', 'testuser'], 'name': 'users'},
+			{'id': 20002, 'members': ['testadmin', 'testuser'], 'name': 'uffd_access'},
+			{'id': 20003, 'members': ['testadmin'], 'name': 'uffd_admin'}
+		])
+	def test_all_deactivated_members(self):
+		self.get_user().is_deactivated = True
+		db.session.commit()
+		r = self.client.get(path=url_for('api.getgroups'), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(self.fix_result(r.json), [
+			{'id': 20001, 'members': ['testadmin', 'testuser'], 'name': 'users'},
+			{'id': 20002, 'members': ['testadmin', 'testuser'], 'name': 'uffd_access'},
+			{'id': 20003, 'members': ['testadmin'], 'name': 'uffd_admin'}
+		])
+		Service.query.filter_by(name='test').first().hide_deactivated_users = True
+		db.session.commit()
+		r = self.client.get(path=url_for('api.getgroups'), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(self.fix_result(r.json), [
+			{'id': 20001, 'members': ['testadmin'], 'name': 'users'},
+			{'id': 20002, 'members': ['testadmin'], 'name': 'uffd_access'},
+			{'id': 20003, 'members': ['testadmin'], 'name': 'uffd_admin'}
+		])
+	def test_id(self):
+		r = self.client.get(path=url_for('api.getgroups', id=20002), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(self.fix_result(r.json), [
+			{'id': 20002, 'members': ['testadmin', 'testuser'], 'name': 'uffd_access'},
+		])
+	def test_id_empty(self):
+		r = self.client.get(path=url_for('api.getgroups', id=0), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(r.json, [])
+	def test_name(self):
+		r = self.client.get(path=url_for('api.getgroups', name='uffd_admin'), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(self.fix_result(r.json), [
+			{'id': 20003, 'members': ['testadmin'], 'name': 'uffd_admin'}
+		])
+	def test_name_empty(self):
+		r = self.client.get(path=url_for('api.getgroups', name='notagroup'), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(r.json, [])
+	def test_member(self):
+		r = self.client.get(path=url_for('api.getgroups', member='testuser'), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(self.fix_result(r.json), [
+			{'id': 20001, 'members': ['testadmin', 'testuser'], 'name': 'users'},
+			{'id': 20002, 'members': ['testadmin', 'testuser'], 'name': 'uffd_access'},
+		])
+	def test_member_empty(self):
+		r = self.client.get(path=url_for('api.getgroups', member='notauser'), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(r.json, [])
+	def test_member_deactivated(self):
+		self.get_user().is_deactivated = True
+		db.session.commit()
+		r = self.client.get(path=url_for('api.getgroups', member='testuser'), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(self.fix_result(r.json), [
+			{'id': 20001, 'members': ['testadmin', 'testuser'], 'name': 'users'},
+			{'id': 20002, 'members': ['testadmin', 'testuser'], 'name': 'uffd_access'},
+		])
+		Service.query.filter_by(name='test').first().hide_deactivated_users = True
+		db.session.commit()
+		r = self.client.get(path=url_for('api.getgroups', member='testuser'), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(self.fix_result(r.json), [])
+class TestAPIRemailerResolve(UffdTestCase):
+	def setUpDB(self):
+		db.session.add(APIClient(service=Service(name='test'), auth_username='test', auth_password='test', perm_remailer=True))
+		db.session.add(Service(name='service1'))
+		db.session.add(Service(name='service2', remailer_mode=RemailerMode.ENABLED_V1))
+	def test(self):
+		self.app.config['REMAILER_DOMAIN'] = 'remailer.example.com'
+		service = Service.query.filter_by(name='service2').one()
+		r = self.client.get(path=url_for('api.resolve_remailer', orig_address=remailer.build_v1_address(service.id, self.get_user().id)), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(r.json, {'address': self.get_user().primary_email.address})
+		r = self.client.get(path=url_for('api.resolve_remailer', orig_address='foo@bar'), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(r.json, {'address': None})
+	def test_invalid(self):
+		r = self.client.get(path=url_for('api.resolve_remailer', orig_address=['foo', 'bar']), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 400)
+		r = self.client.get(path=url_for('api.resolve_remailer'), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 400)
+		r = self.client.get(path=url_for('api.resolve_remailer', foo='bar'), headers=[basic_auth('test', 'test')], follow_redirects=True)
+		self.assertEqual(r.status_code, 400)
+class TestAPIMetricsPrometheus(UffdTestCase):
+	def setUpDB(self):
+		db.session.add(APIClient(service=Service(name='test'), auth_username='test', auth_password='test', perm_metrics=True))
+	def test(self):
+		r = self.client.get(path=url_for('api.prometheus_metrics'), headers=[basic_auth('test', 'test')])
+		self.assertEqual(r.status_code, 200)
+		self.assertTrue("uffd_version_info" in r.data.decode())
--- a/tests/test_invite.py
+++ b/tests/test_invite.py
-import unittest
 import datetime
-import time
-from flask import url_for, session, current_app
+from flask import url_for, current_app
-# These imports are required, because otherwise we get circular imports?!
+from uffd.database import db
-from uffd import user
+from uffd.models import Invite, InviteGrant, InviteSignup, Role, RoleGroup
-from uffd import create_app, db
+from tests.utils import dump, UffdTestCase, db_flush
-from uffd.invite.models import Invite, InviteGrant, InviteSignup
-from uffd.user.models import User, Group
-from uffd.role.models import Role, RoleGroup
-from uffd.session.views import login_get_user
-from utils import dump, UffdTestCase, db_flush
-class TestInviteModel(UffdTestCase):
-	def test_expire(self):
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), creator=self.get_admin())
-		self.assertFalse(invite.expired)
-		self.assertTrue(invite.active)
-		invite.valid_until = datetime.datetime.now() - datetime.timedelta(seconds=60)
-		self.assertTrue(invite.expired)
-		self.assertFalse(invite.active)
-	def test_void(self):
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), single_use=False, creator=self.get_admin())
-		self.assertFalse(invite.voided)
-		self.assertTrue(invite.active)
-		invite.used = True
-		self.assertFalse(invite.voided)
-		self.assertTrue(invite.active)
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), single_use=True, creator=self.get_admin())
-		self.assertFalse(invite.voided)
-		self.assertTrue(invite.active)
-		invite.used = True
-		self.assertTrue(invite.voided)
-		self.assertFalse(invite.active)
-	def test_permitted(self):
-		role = Role(name='testrole')
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), allow_signup=True, roles=[role])
-		self.assertFalse(invite.permitted)
-		self.assertFalse(invite.active)
-		invite.creator = self.get_admin()
-		self.assertTrue(invite.permitted)
-		self.assertTrue(invite.active)
-		invite.creator = self.get_user()
-		self.assertFalse(invite.permitted)
-		self.assertFalse(invite.active)
-		role.moderator_group = self.get_access_group()
-		current_app.config['ACL_SIGNUP_GROUP'] = 'uffd_access'
-		self.assertTrue(invite.permitted)
-		self.assertTrue(invite.active)
-		role.moderator_group = None
-		self.assertFalse(invite.permitted)
-		self.assertFalse(invite.active)
-		role.moderator_group = self.get_access_group()
-		current_app.config['ACL_SIGNUP_GROUP'] = 'uffd_admin'
-		self.assertFalse(invite.permitted)
-		self.assertFalse(invite.active)
-	def test_disable(self):
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), creator=self.get_admin())
-		self.assertTrue(invite.active)
-		invite.disable()
-		self.assertFalse(invite.active)
-	def test_reset_disabled(self):
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), creator=self.get_admin())
-		invite.disable()
-		self.assertFalse(invite.active)
-		invite.reset()
-		self.assertTrue(invite.active)
-	def test_reset_expired(self):
-		invite = Invite(valid_until=datetime.datetime.now() - datetime.timedelta(seconds=60), creator=self.get_admin())
-		self.assertFalse(invite.active)
-		invite.reset()
-		self.assertFalse(invite.active)
-	def test_reset_single_use(self):
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), single_use=False, creator=self.get_admin())
-		invite.used = True
-		invite.disable()
-		self.assertFalse(invite.active)
-		invite.reset()
-		self.assertTrue(invite.active)
-	def test_short_token(self):
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), creator=self.get_admin())
-		db.session.add(invite)
-		db.session.commit()
-		self.assertTrue(len(invite.short_token) <= len(invite.token)/3)
-class TestInviteGrantModel(UffdTestCase):
-	def test_success(self):
-		user = self.get_user()
-		group0 = self.get_access_group()
-		role0 = Role(name='baserole', groups={group0: RoleGroup(group=group0)})
-		db.session.add(role0)
-		user.roles.append(role0)
-		user.update_groups()
-		group1 = self.get_admin_group()
-		role1 = Role(name='testrole1', groups={group1: RoleGroup(group=group1)})
-		db.session.add(role1)
-		role2 = Role(name='testrole2')
-		db.session.add(role2)
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), roles=[role1, role2], creator=self.get_admin())
-		self.assertIn(role0, user.roles)
-		self.assertNotIn(role1, user.roles)
-		self.assertNotIn(role2, user.roles)
-		self.assertIn(group0, user.groups)
-		self.assertNotIn(group1, user.groups)
-		self.assertFalse(invite.used)
-		grant = InviteGrant(invite=invite, user=user)
-		success, msg = grant.apply()
-		self.assertTrue(success)
-		self.assertIn(role0, user.roles)
-		self.assertIn(role1, user.roles)
-		self.assertIn(role2, user.roles)
-		self.assertIn(group0, user.groups)
-		self.assertIn(group1, user.groups)
-		self.assertTrue(invite.used)
-		db.session.commit()
-		db_flush()
-		user = self.get_user()
-		self.assertIn('baserole', [role.name for role in user.roles_effective])
-		self.assertIn('testrole1', [role.name for role in user.roles])
-		self.assertIn('testrole2', [role.name for role in user.roles])
-		self.assertIn(self.get_access_group(), user.groups)
-		self.assertIn(self.get_admin_group(), user.groups)
-	def test_inactive(self):
-		user = self.get_user()
-		group = self.get_admin_group()
-		role = Role(name='testrole1', groups={group: RoleGroup(group=group)})
-		db.session.add(role)
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), roles=[role], single_use=True, used=True, creator=self.get_admin())
-		self.assertFalse(invite.active)
-		grant = InviteGrant(invite=invite, user=user)
-		success, msg = grant.apply()
-		self.assertFalse(success)
-		self.assertIsInstance(msg, str)
-		self.assertNotIn(role, user.roles)
-		self.assertNotIn(group, user.groups)
-	def test_no_roles(self):
-		user = self.get_user()
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), creator=self.get_admin())
-		self.assertTrue(invite.active)
-		grant = InviteGrant(invite=invite, user=user)
-		success, msg = grant.apply()
-		self.assertFalse(success)
-		self.assertIsInstance(msg, str)
-	def test_no_new_roles(self):
-		user = self.get_user()
-		role = Role(name='testrole1')
-		db.session.add(role)
-		user.roles.append(role)
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), roles=[role], creator=self.get_admin())
-		self.assertTrue(invite.active)
-		grant = InviteGrant(invite=invite, user=user)
-		success, msg = grant.apply()
-		self.assertFalse(success)
-		self.assertIsInstance(msg, str)
-class TestInviteSignupModel(UffdTestCase):
-	def create_base_roles(self):
-		baserole = Role(name='base', is_default=True)
-		baserole.groups[self.get_access_group()] = RoleGroup()
-		baserole.groups[self.get_users_group()] = RoleGroup()
-		db.session.add(baserole)
-		db.session.commit()
-	def test_success(self):
-		self.create_base_roles()
-		base_role = Role.query.filter_by(name='base').one()
-		base_group1 = self.get_access_group()
-		base_group2 = self.get_users_group()
-		group = self.get_admin_group()
-		role1 = Role(name='testrole1', groups={group: RoleGroup(group=group)})
-		db.session.add(role1)
-		role2 = Role(name='testrole2')
-		db.session.add(role2)
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), roles=[role1, role2], allow_signup=True, creator=self.get_admin())
-		signup = InviteSignup(invite=invite, loginname='newuser', displayname='New User', mail='test@example.com', password='notsecret')
-		self.assertFalse(invite.used)
-		valid, msg = signup.validate()
-		self.assertTrue(valid)
-		self.assertFalse(invite.used)
-		user, msg = signup.finish('notsecret')
-		self.assertIsInstance(user, User)
-		self.assertTrue(invite.used)
-		self.assertEqual(user.loginname, 'newuser')
-		self.assertEqual(user.displayname, 'New User')
-		self.assertEqual(user.mail, 'test@example.com')
-		self.assertEqual(signup.user, user)
-		self.assertIn(base_role, user.roles_effective)
-		self.assertIn(role1, user.roles)
-		self.assertIn(role2, user.roles)
-		self.assertIn(base_group1, user.groups)
-		self.assertIn(base_group2, user.groups)
-		self.assertIn(group, user.groups)
-		db.session.commit()
-		db_flush()
-		self.assertEqual(len(User.query.filter_by(loginname='newuser').all()), 1)
-	def test_success_no_roles(self):
-		self.create_base_roles()
-		base_role = Role.query.filter_by(name='base').one()
-		base_group1 = self.get_access_group()
-		base_group2 = self.get_users_group()
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
-		signup = InviteSignup(invite=invite, loginname='newuser', displayname='New User', mail='test@example.com', password='notsecret')
-		self.assertFalse(invite.used)
-		valid, msg = signup.validate()
-		self.assertTrue(valid)
-		self.assertFalse(invite.used)
-		user, msg = signup.finish('notsecret')
-		self.assertIsInstance(user, User)
-		self.assertTrue(invite.used)
-		self.assertEqual(user.loginname, 'newuser')
-		self.assertEqual(user.displayname, 'New User')
-		self.assertEqual(user.mail, 'test@example.com')
-		self.assertEqual(signup.user, user)
-		self.assertIn(base_role, user.roles_effective)
-		self.assertEqual(len(user.roles_effective), 1)
-		self.assertIn(base_group1, user.groups)
-		self.assertIn(base_group2, user.groups)
-		self.assertEqual(len(user.groups), 2)
-		db.session.commit()
-		db_flush()
-		self.assertEqual(len(User.query.filter_by(loginname='newuser').all()), 1)
-	def test_inactive(self):
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), allow_signup=True, single_use=True, used=True, creator=self.get_admin())
-		self.assertFalse(invite.active)
-		signup = InviteSignup(invite=invite, loginname='newuser', displayname='New User', mail='test@example.com', password='notsecret')
-		valid, msg = signup.validate()
-		self.assertFalse(valid)
-		self.assertIsInstance(msg, str)
-		user, msg = signup.finish('notsecret')
-		self.assertIsNone(user)
-		self.assertIsInstance(msg, str)
-	def test_invalid(self):
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
-		self.assertTrue(invite.active)
-		signup = InviteSignup(invite=invite, loginname='', displayname='New User', mail='test@example.com', password='notsecret')
-		valid, msg = signup.validate()
-		self.assertFalse(valid)
-		self.assertIsInstance(msg, str)
-	def test_invalid2(self):
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
-		self.assertTrue(invite.active)
-		signup = InviteSignup(invite=invite, loginname='newuser', displayname='New User', mail='test@example.com', password='notsecret')
-		user, msg = signup.finish('wrongpassword')
-		self.assertIsNone(user)
-		self.assertIsInstance(msg, str)
-	def test_no_signup(self):
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), allow_signup=False, creator=self.get_admin())
-		self.assertTrue(invite.active)
-		signup = InviteSignup(invite=invite, loginname='newuser', displayname='New User', mail='test@example.com', password='notsecret')
-		valid, msg = signup.validate()
-		self.assertFalse(valid)
-		self.assertIsInstance(msg, str)
-		user, msg = signup.finish('notsecret')
-		self.assertIsNone(user)
-		self.assertIsInstance(msg, str)
 class TestInviteAdminViews(UffdTestCase):
 	def setUpApp(self):
@@ -279,8 +13,8 @@ class TestInviteAdminViews(UffdTestCase):
 		self.app.last_mail = None
 	def test_index(self):
-		valid_until = datetime.datetime.now() + datetime.timedelta(seconds=60)
+		valid_until = datetime.datetime.utcnow() + datetime.timedelta(seconds=60)
-		valid_until_expired = datetime.datetime.now() - datetime.timedelta(seconds=60)
+		valid_until_expired = datetime.datetime.utcnow() - datetime.timedelta(seconds=60)
 		user1 = self.get_user()
 		user2 = self.get_admin()
 		role1 = Role(name='testrole1')
@@ -325,7 +59,7 @@ class TestInviteAdminViews(UffdTestCase):
 	def test_index_signupperm(self):
 		current_app.config['ACL_SIGNUP_GROUP'] = 'uffd_access'
-		valid_until = datetime.datetime.now() + datetime.timedelta(seconds=60)
+		valid_until = datetime.datetime.utcnow() + datetime.timedelta(seconds=60)
 		invite1 = Invite(valid_until=valid_until, allow_signup=True, creator=self.get_admin())
 		db.session.add(invite1)
 		invite2 = Invite(valid_until=valid_until, allow_signup=True, creator=self.get_user())
@@ -348,7 +82,7 @@ class TestInviteAdminViews(UffdTestCase):
 		db.session.add(role1)
 		role2 = Role(name='testrole2', moderator_group=self.get_access_group())
 		db.session.add(role2)
-		valid_until = datetime.datetime.now() + datetime.timedelta(seconds=60)
+		valid_until = datetime.datetime.utcnow() + datetime.timedelta(seconds=60)
 		db.session.add(Invite(valid_until=valid_until, roles=[role1]))
 		db.session.add(Invite(valid_until=valid_until, roles=[role2]))
 		db.session.commit()
@@ -367,10 +101,10 @@ class TestInviteAdminViews(UffdTestCase):
 		r = self.client.get(path=url_for('invite.new'), follow_redirects=True)
 		dump('invite_new', r)
 		self.assertEqual(r.status_code, 200)
-		valid_until = (datetime.datetime.now() + datetime.timedelta(seconds=60)).isoformat()
+		valid_until_input = (datetime.datetime.now() + datetime.timedelta(seconds=60)).isoformat(timespec='minutes')
 		self.assertListEqual(Invite.query.all(), [])
 		r = self.client.post(path=url_for('invite.new_submit'),
-			data={'single-use': '1', 'valid-until': valid_until,
+			data={'single-use': '1', 'valid-until': valid_until_input,
 			      'allow-signup': '1', 'role-%d'%role_id: '1'}, follow_redirects=True)
 		dump('invite_new_submit', r)
 		invite = Invite.query.one()
@@ -387,9 +121,9 @@ class TestInviteAdminViews(UffdTestCase):
 		db.session.add(role)
 		db.session.commit()
 		role_id = role.id
-		valid_until = (datetime.datetime.now() + datetime.timedelta(seconds=60)).isoformat()
+		valid_until_input = (datetime.datetime.now() + datetime.timedelta(seconds=60)).isoformat(timespec='minutes')
 		r = self.client.post(path=url_for('invite.new_submit'),
-			data={'single-use': '1', 'valid-until': valid_until,
+			data={'single-use': '1', 'valid-until': valid_until_input,
 			      'allow-signup': '1', 'role-%d'%role_id: '1'}, follow_redirects=True)
 		dump('invite_new_noperm', r)
 		self.assertIsNone(Invite.query.first())
@@ -397,16 +131,16 @@ class TestInviteAdminViews(UffdTestCase):
 	def test_new_empty(self):
 		current_app.config['ACL_SIGNUP_GROUP'] = 'uffd_access'
 		self.login_as('user')
-		valid_until = (datetime.datetime.now() + datetime.timedelta(seconds=60)).isoformat()
+		valid_until_input = (datetime.datetime.now() + datetime.timedelta(seconds=60)).isoformat(timespec='minutes')
 		r = self.client.post(path=url_for('invite.new_submit'),
-			data={'single-use': '1', 'valid-until': valid_until,
+			data={'single-use': '1', 'valid-until': valid_until_input,
 			      'allow-signup': '0'}, follow_redirects=True)
 		dump('invite_new_empty', r)
 		self.assertIsNone(Invite.query.first())
 	def test_disable(self):
 		self.login_as('admin')
-		valid_until = datetime.datetime.now() + datetime.timedelta(seconds=60)
+		valid_until = datetime.datetime.utcnow() + datetime.timedelta(seconds=60)
 		invite = Invite(valid_until=valid_until, creator=self.get_admin())
 		db.session.add(invite)
 		db.session.commit()
@@ -419,7 +153,7 @@ class TestInviteAdminViews(UffdTestCase):
 	def test_disable_own(self):
 		current_app.config['ACL_SIGNUP_GROUP'] = 'uffd_access'
 		self.login_as('user')
-		valid_until = datetime.datetime.now() + datetime.timedelta(seconds=60)
+		valid_until = datetime.datetime.utcnow() + datetime.timedelta(seconds=60)
 		invite = Invite(valid_until=valid_until, creator=self.get_user())
 		db.session.add(invite)
 		db.session.commit()
@@ -431,7 +165,7 @@ class TestInviteAdminViews(UffdTestCase):
 	def test_disable_rolemod(self):
 		self.login_as('user')
-		valid_until = datetime.datetime.now() + datetime.timedelta(seconds=60)
+		valid_until = datetime.datetime.utcnow() + datetime.timedelta(seconds=60)
 		role = Role(name='testrole', moderator_group=self.get_access_group())
 		db.session.add(role)
 		invite = Invite(valid_until=valid_until, creator=self.get_admin(), roles=[role])
@@ -444,7 +178,7 @@ class TestInviteAdminViews(UffdTestCase):
 	def test_disable_noperm(self):
 		self.login_as('user')
-		valid_until = datetime.datetime.now() + datetime.timedelta(seconds=60)
+		valid_until = datetime.datetime.utcnow() + datetime.timedelta(seconds=60)
 		db.session.add(Role(name='testrole1', moderator_group=self.get_access_group()))
 		role = Role(name='testrole2', moderator_group=self.get_admin_group())
 		db.session.add(role)
@@ -458,7 +192,7 @@ class TestInviteAdminViews(UffdTestCase):
 	def test_reset_disabled(self):
 		self.login_as('admin')
-		valid_until = datetime.datetime.now() + datetime.timedelta(seconds=60)
+		valid_until = datetime.datetime.utcnow() + datetime.timedelta(seconds=60)
 		invite = Invite(valid_until=valid_until, disabled=True, creator=self.get_admin())
 		db.session.add(invite)
 		db.session.commit()
@@ -470,7 +204,7 @@ class TestInviteAdminViews(UffdTestCase):
 	def test_reset_voided(self):
 		self.login_as('admin')
-		valid_until = datetime.datetime.now() + datetime.timedelta(seconds=60)
+		valid_until = datetime.datetime.utcnow() + datetime.timedelta(seconds=60)
 		invite = Invite(valid_until=valid_until, single_use=True, used=True, creator=self.get_admin())
 		db.session.add(invite)
 		db.session.commit()
@@ -483,7 +217,7 @@ class TestInviteAdminViews(UffdTestCase):
 	def test_reset_own(self):
 		current_app.config['ACL_SIGNUP_GROUP'] = 'uffd_access'
 		self.login_as('user')
-		valid_until = datetime.datetime.now() + datetime.timedelta(seconds=60)
+		valid_until = datetime.datetime.utcnow() + datetime.timedelta(seconds=60)
 		invite = Invite(valid_until=valid_until, disabled=True, creator=self.get_user())
 		db.session.add(invite)
 		db.session.commit()
@@ -495,7 +229,7 @@ class TestInviteAdminViews(UffdTestCase):
 	def test_reset_foreign(self):
 		self.login_as('user')
-		valid_until = datetime.datetime.now() + datetime.timedelta(seconds=60)
+		valid_until = datetime.datetime.utcnow() + datetime.timedelta(seconds=60)
 		role = Role(name='testrole', moderator_group=self.get_access_group())
 		db.session.add(role)
 		invite = Invite(valid_until=valid_until, disabled=True, creator=self.get_admin(), roles=[role])
@@ -512,7 +246,7 @@ class TestInviteUseViews(UffdTestCase):
 		self.app.last_mail = None
 	def test_use(self):
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), allow_signup=True, roles=[Role(name='testrole1'), Role(name='testrole2')])
+		invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=True, roles=[Role(name='testrole1'), Role(name='testrole2')])
 		db.session.add(invite)
 		db.session.commit()
 		token = invite.token
@@ -522,7 +256,7 @@ class TestInviteUseViews(UffdTestCase):
 	def test_use_loggedin(self):
 		self.login_as('user')
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), allow_signup=True, roles=[Role(name='testrole1'), Role(name='testrole2')])
+		invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=True, roles=[Role(name='testrole1'), Role(name='testrole2')])
 		db.session.add(invite)
 		db.session.commit()
 		token = invite.token
@@ -531,7 +265,7 @@ class TestInviteUseViews(UffdTestCase):
 		self.assertEqual(r.status_code, 200)
 	def test_use_inactive(self):
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), disabled=True)
+		invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), disabled=True)
 		db.session.add(invite)
 		db.session.commit()
 		token = invite.token
@@ -553,7 +287,7 @@ class TestInviteUseViews(UffdTestCase):
 		db.session.add(role1)
 		role2 = Role(name='testrole2')
 		db.session.add(role2)
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), roles=[role1, role2], creator=self.get_admin())
+		invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), roles=[role1, role2], creator=self.get_admin())
 		db.session.add(invite)
 		db.session.commit()
 		invite_id = invite.id
@@ -579,7 +313,7 @@ class TestInviteUseViews(UffdTestCase):
 		self.assertIn(self.get_admin_group(), user.groups)
 	def test_grant_invalid_invite(self):
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), disabled=True)
+		invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), disabled=True)
 		db.session.add(invite)
 		db.session.commit()
 		invite_id = invite.id
@@ -591,7 +325,7 @@ class TestInviteUseViews(UffdTestCase):
 		self.assertFalse(Invite.query.filter_by(token=token).first().used)
 	def test_grant_no_roles(self):
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60))
+		invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60))
 		db.session.add(invite)
 		db.session.commit()
 		invite_id = invite.id
@@ -607,7 +341,7 @@ class TestInviteUseViews(UffdTestCase):
 		role = Role(name='testrole')
 		db.session.add(role)
 		user.roles.append(role)
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), roles=[role])
+		invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), roles=[role])
 		db.session.add(invite)
 		db.session.commit()
 		invite_id = invite.id
@@ -628,7 +362,7 @@ class TestInviteUseViews(UffdTestCase):
 		db.session.add(role1)
 		role2 = Role(name='testrole2')
 		db.session.add(role2)
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), roles=[role1, role2], allow_signup=True, creator=self.get_admin())
+		invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), roles=[role1, role2], allow_signup=True, creator=self.get_admin())
 		db.session.add(invite)
 		db.session.commit()
 		invite_id = invite.id
@@ -646,11 +380,11 @@ class TestInviteUseViews(UffdTestCase):
 		self.assertEqual(signup.displayname, 'New User')
 		self.assertEqual(signup.mail, 'test@example.com')
 		self.assertIn(signup.token, str(self.app.last_mail.get_content()))
-		self.assertTrue(signup.check_password('notsecret'))
+		self.assertTrue(signup.password.verify('notsecret'))
 		self.assertTrue(signup.validate()[0])
 	def test_signup_invalid_invite(self):
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), allow_signup=True, disabled=True, creator=self.get_admin())
+		invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=True, disabled=True, creator=self.get_admin())
 		db.session.add(invite)
 		db.session.commit()
 		r = self.client.get(path=url_for('invite.signup_start', invite_id=invite.id, token=invite.token), follow_redirects=True)
@@ -658,7 +392,7 @@ class TestInviteUseViews(UffdTestCase):
 		self.assertEqual(r.status_code, 200)
 	def test_signup_nosignup(self):
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), allow_signup=False, creator=self.get_admin())
+		invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=False, creator=self.get_admin())
 		db.session.add(invite)
 		db.session.commit()
 		r = self.client.get(path=url_for('invite.signup_start', invite_id=invite.id, token=invite.token), follow_redirects=True)
@@ -666,7 +400,7 @@ class TestInviteUseViews(UffdTestCase):
 		self.assertEqual(r.status_code, 200)
 	def test_signup_wrongpassword(self):
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
+		invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
 		db.session.add(invite)
 		db.session.commit()
 		r = self.client.post(path=url_for('invite.signup_submit', invite_id=invite.id, token=invite.token),
@@ -676,7 +410,7 @@ class TestInviteUseViews(UffdTestCase):
 		self.assertEqual(r.status_code, 200)
 	def test_signup_invalid(self):
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
+		invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
 		db.session.add(invite)
 		db.session.commit()
 		r = self.client.post(path=url_for('invite.signup_submit', invite_id=invite.id, token=invite.token),
@@ -687,7 +421,7 @@ class TestInviteUseViews(UffdTestCase):
 	def test_signup_mailerror(self):
 		self.app.config['MAIL_SKIP_SEND'] = 'fail'
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
+		invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
 		db.session.add(invite)
 		db.session.commit()
 		r = self.client.post(path=url_for('invite.signup_submit', invite_id=invite.id, token=invite.token),
@@ -697,7 +431,7 @@ class TestInviteUseViews(UffdTestCase):
 		self.assertEqual(r.status_code, 200)
 	def test_signup_hostlimit(self):
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
+		invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
 		db.session.add(invite)
 		db.session.commit()
 		invite_id = invite.id
@@ -717,7 +451,7 @@ class TestInviteUseViews(UffdTestCase):
 		self.assertIsNone(self.app.last_mail)
 	def test_signup_mailimit(self):
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
+		invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
 		db.session.add(invite)
 		db.session.commit()
 		invite_id = invite.id
@@ -737,7 +471,7 @@ class TestInviteUseViews(UffdTestCase):
 		self.assertIsNone(self.app.last_mail)
 	def test_signup_check(self):
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
+		invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
 		db.session.add(invite)
 		db.session.commit()
 		invite_id = invite.id
@@ -749,7 +483,7 @@ class TestInviteUseViews(UffdTestCase):
 		self.assertEqual(r.json['status'], 'ok')
 	def test_signup_check_invalid(self):
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
+		invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
 		db.session.add(invite)
 		db.session.commit()
 		invite_id = invite.id
@@ -762,7 +496,7 @@ class TestInviteUseViews(UffdTestCase):
 		self.assertEqual(r.json['status'], 'invalid')
 	def test_signup_check_exists(self):
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
+		invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
 		db.session.add(invite)
 		db.session.commit()
 		invite_id = invite.id
@@ -774,7 +508,7 @@ class TestInviteUseViews(UffdTestCase):
 		self.assertEqual(r.json['status'], 'exists')
 	def test_signup_check_nosignup(self):
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), allow_signup=False, creator=self.get_admin())
+		invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=False, creator=self.get_admin())
 		db.session.add(invite)
 		db.session.commit()
 		invite_id = invite.id
@@ -786,7 +520,7 @@ class TestInviteUseViews(UffdTestCase):
 		self.assertEqual(r.json['status'], 'error')
 	def test_signup_check_error(self):
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), allow_signup=True, disabled=True, creator=self.get_admin())
+		invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=True, disabled=True, creator=self.get_admin())
 		db.session.add(invite)
 		db.session.commit()
 		invite_id = invite.id
@@ -798,7 +532,7 @@ class TestInviteUseViews(UffdTestCase):
 		self.assertEqual(r.json['status'], 'error')
 	def test_signup_check_ratelimited(self):
-		invite = Invite(valid_until=datetime.datetime.now() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
+		invite = Invite(valid_until=datetime.datetime.utcnow() + datetime.timedelta(seconds=60), allow_signup=True, creator=self.get_admin())
 		db.session.add(invite)
 		db.session.commit()
 		invite_id = invite.id

--- a/tests/test_mail.py
+++ b/tests/test_mail.py
-import datetime
-import time
 import unittest
-from flask import url_for, session
+from flask import url_for
-# These imports are required, because otherwise we get circular imports?!
+from uffd.database import db
-from uffd import user
+from uffd.models import Mail
-from uffd.mail.models import Mail
+from tests.utils import dump, UffdTestCase
-from uffd import create_app, db
-from utils import dump, UffdTestCase, db_flush
 class TestMailViews(UffdTestCase):
 	def setUp(self):
@@ -31,7 +26,7 @@ class TestMailViews(UffdTestCase):
 		self.assertEqual(r.status_code, 200)
 	def test_show(self):
-		r = self.client.get(path=url_for('mail.show', uid=self.get_mail().uid), follow_redirects=True)
+		r = self.client.get(path=url_for('mail.show', mai_id=self.get_mail().id), follow_redirects=True)
 		dump('mail_show', r)
 		self.assertEqual(r.status_code, 200)
@@ -46,7 +41,7 @@ class TestMailViews(UffdTestCase):
 		self.assertEqual(m.uid, 'test')
 		self.assertEqual(sorted(m.receivers), ['test1@example.com', 'test2@example.com'])
 		self.assertEqual(sorted(m.destinations), ['testuser@mail.example.com'])
-		r = self.client.post(path=url_for('mail.update', uid=m.uid),
+		r = self.client.post(path=url_for('mail.update', mail_id=m.id),
 			data={'mail-uid': 'test1', 'mail-receivers': 'foo@bar.com\ntest@bar.com',
 			'mail-destinations': 'testuser@mail.example.com\ntestadmin@mail.example.com'}, follow_redirects=True)
 		dump('mail_update', r)
@@ -68,7 +63,7 @@ class TestMailViews(UffdTestCase):
 		self.assertEqual(sorted(m.receivers), ['foo@bar.com', 'test@bar.com'])
 		self.assertEqual(sorted(m.destinations), ['testadmin@mail.example.com', 'testuser@mail.example.com'])
-	@unittest.skip('We do not catch LDAP errors at the moment!') # TODO: Not sure if necessary
+	@unittest.skip('We do not catch DB errors at the moment!') # TODO
 	def test_create_error(self):
 		r = self.client.post(path=url_for('mail.update'),
 			data={'mail-uid': 'test', 'mail-receivers': 'foo@bar.com\ntest@bar.com',
@@ -83,7 +78,7 @@ class TestMailViews(UffdTestCase):
 	def test_delete(self):
 		self.assertIsNotNone(self.get_mail())
-		r = self.client.get(path=url_for('mail.delete', uid=self.get_mail().uid), follow_redirects=True)
+		r = self.client.get(path=url_for('mail.delete', mail_id=self.get_mail().id), follow_redirects=True)
 		dump('mail_delete', r)
 		self.assertEqual(r.status_code, 200)
 		self.assertIsNone(self.get_mail())
--- a/tests/views/test_oauth2.py
+++ b/tests/views/test_oauth2.py
+import unittest
+from urllib.parse import urlparse, parse_qs
+import jwt
+from flask import url_for, session
+from uffd.database import db
+from uffd.password_hash import PlaintextPasswordHash
+from uffd.remailer import remailer
+from uffd.models import DeviceLoginConfirmation, Service, OAuth2Client, OAuth2DeviceLoginInitiation, RemailerMode, OAuth2Key, Session
+from tests.utils import dump, UffdTestCase
+from tests.models.test_oauth2 import TEST_JWK
+class TestViews(UffdTestCase):
+	def setUpDB(self):
+		db.session.add(OAuth2Client(service=Service(name='test', limit_access=False), client_id='test', client_secret='testsecret', redirect_uris=['http://localhost:5009/callback', 'http://localhost:5009/callback2']))
+		db.session.add(OAuth2Client(service=Service(name='test1', access_group=self.get_admin_group()), client_id='test1', client_secret='testsecret1', redirect_uris=['http://localhost:5008/callback']))
+	def assert_authorization(self, r, mail=None):
+		while True:
+			if r.status_code != 302 or r.location.startswith('http://localhost:5009/callback'):
+				break
+			r = self.client.get(r.location, follow_redirects=False)
+		self.assertEqual(r.status_code, 302)
+		self.assertTrue(r.location.startswith('http://localhost:5009/callback'))
+		args = parse_qs(urlparse(r.location).query)
+		self.assertEqual(args['state'], ['teststate'])
+		code = args['code'][0]
+		r = self.client.post(path=url_for('oauth2.token'),
+			data={'grant_type': 'authorization_code', 'code': code, 'redirect_uri': 'http://localhost:5009/callback', 'client_id': 'test', 'client_secret': 'testsecret'}, follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(r.content_type, 'application/json')
+		self.assertEqual(r.json['token_type'], 'Bearer')
+		self.assertEqual(r.json['scope'], 'profile')
+		token = r.json['access_token']
+		r = self.client.get(path=url_for('oauth2.userinfo'), headers=[('Authorization', 'Bearer %s'%token)], follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(r.content_type, 'application/json')
+		user = self.get_user()
+		self.assertEqual(r.json['id'], user.unix_uid)
+		self.assertEqual(r.json['name'], user.displayname)
+		self.assertEqual(r.json['nickname'], user.loginname)
+		self.assertEqual(r.json['email'], mail or user.primary_email.address)
+		self.assertTrue(r.json.get('groups'))
+	def test_authorization(self):
+		self.login_as('user')
+		r = self.client.get(path=url_for('oauth2.authorize', response_type='code', client_id='test', state='teststate', redirect_uri='http://localhost:5009/callback', scope='profile'), follow_redirects=False)
+		self.assert_authorization(r)
+	def test_authorization_with_remailer(self):
+		self.app.config['REMAILER_DOMAIN'] = 'remailer.example.com'
+		service = Service.query.filter_by(name='test').one()
+		service.remailer_mode = RemailerMode.ENABLED_V1
+		db.session.commit()
+		self.login_as('user')
+		r = self.client.get(path=url_for('oauth2.authorize', response_type='code', client_id='test', state='teststate', redirect_uri='http://localhost:5009/callback', scope='profile'), follow_redirects=False)
+		service = Service.query.filter_by(name='test').one()
+		self.assert_authorization(r, mail=remailer.build_v1_address(service.id, self.get_user().id))
+	def test_authorization_client_secret_rehash(self):
+		OAuth2Client.query.delete()
+		db.session.add(OAuth2Client(service=Service(name='rehash_test', limit_access=False), client_id='test', client_secret=PlaintextPasswordHash.from_password('testsecret'), redirect_uris=['http://localhost:5009/callback', 'http://localhost:5009/callback2']))
+		db.session.commit()
+		self.assertIsInstance(OAuth2Client.query.filter_by(client_id='test').one().client_secret, PlaintextPasswordHash)
+		self.login_as('user')
+		r = self.client.get(path=url_for('oauth2.authorize', response_type='code', client_id='test', state='teststate', redirect_uri='http://localhost:5009/callback', scope='profile'), follow_redirects=False)
+		self.assert_authorization(r)
+		oauth2_client = OAuth2Client.query.filter_by(client_id='test').one()
+		self.assertIsInstance(oauth2_client.client_secret, OAuth2Client.client_secret.method_cls)
+		self.assertTrue(oauth2_client.client_secret.verify('testsecret'))
+	def test_authorization_without_redirect_uri(self):
+		client = OAuth2Client.query.filter_by(client_id='test').one()
+		client.redirect_uris.remove('http://localhost:5009/callback2')
+		db.session.commit()
+		self.login_as('user')
+		r = self.client.get(path=url_for('oauth2.authorize', response_type='code', client_id='test', state='teststate', scope='profile'), follow_redirects=False)
+		self.assert_authorization(r)
+	def test_authorization_without_scope(self):
+		self.login_as('user')
+		r = self.client.get(path=url_for('oauth2.authorize', response_type='code', client_id='test', state='teststate', redirect_uri='http://localhost:5009/callback'), follow_redirects=False)
+		self.assert_authorization(r)
+	# Regression test for #115 (OAuth2 authorize endpoint rejects empty scope parameter)
+	def test_authorization_empty_scope(self):
+		self.login_as('user')
+		r = self.client.get(path=url_for('oauth2.authorize', response_type='code', client_id='test', state='teststate', scope='', redirect_uri='http://localhost:5009/callback'), follow_redirects=False)
+		self.assert_authorization(r)
+	def test_authorization_access_denied(self):
+		client = OAuth2Client.query.filter_by(client_id='test').one()
+		client.service.limit_access = True
+		db.session.commit()
+		self.login_as('user')
+		r = self.client.get(path=url_for('oauth2.authorize', response_type='code', client_id='test', state='teststate', redirect_uri='http://localhost:5009/callback', scope='profile'), follow_redirects=False)
+		self.assertEqual(r.status_code, 403)
+		dump('oauth2_authorization_access_denied', r)
+	def test_authorization_invalid_scope(self):
+		self.login_as('user')
+		r = self.client.get(path=url_for('oauth2.authorize', response_type='code', client_id='test', state='teststate', redirect_uri='http://localhost:5009/callback', scope='invalid'), follow_redirects=False)
+		self.assertEqual(r.status_code, 400)
+		dump('oauth2_authorization_invalid_scope', r)
+	def test_authorization_missing_client_id(self):
+		self.login_as('user')
+		r = self.client.get(path=url_for('oauth2.authorize', response_type='code', state='teststate', redirect_uri='http://localhost:5009/callback', scope='profile'), follow_redirects=False)
+		self.assertEqual(r.status_code, 400)
+		dump('oauth2_authorization_missing_client_id', r)
+	def test_authorization_invalid_client_id(self):
+		self.login_as('user')
+		r = self.client.get(path=url_for('oauth2.authorize', response_type='code', client_id='invalid_client_id', state='teststate', redirect_uri='http://localhost:5009/callback', scope='profile'), follow_redirects=False)
+		self.assertEqual(r.status_code, 400)
+		dump('oauth2_authorization_invalid_client_id', r)
+	def test_authorization_missing_response_type(self):
+		self.login_as('user')
+		r = self.client.get(path=url_for('oauth2.authorize', client_id='test', state='teststate', redirect_uri='http://localhost:5009/callback', scope='profile'), follow_redirects=False)
+		self.assertEqual(r.status_code, 400)
+		dump('oauth2_authorization_missing_response_type', r)
+	def test_authorization_invalid_response_type(self):
+		self.login_as('user')
+		r = self.client.get(path=url_for('oauth2.authorize', response_type='token', client_id='test', state='teststate', redirect_uri='http://localhost:5009/callback', scope='profile'), follow_redirects=False)
+		self.assertEqual(r.status_code, 400)
+		dump('oauth2_authorization_invalid_response_type', r)
+	def test_authorization_devicelogin_start(self):
+		ref = url_for('oauth2.authorize', response_type='code', client_id='test', state='teststate', redirect_uri='http://localhost:5009/callback')
+		r = self.client.get(path=url_for('session.devicelogin_start', ref=ref), follow_redirects=True)
+		# check response
+		initiation = OAuth2DeviceLoginInitiation.query.filter_by(id=session['devicelogin_id'], secret=session['devicelogin_secret']).one()
+		self.assertEqual(r.status_code, 200)
+		self.assertFalse(initiation.expired)
+		self.assertEqual(initiation.client.client_id, 'test')
+		self.assertIsNotNone(initiation.description)
+	def test_authorization_devicelogin_auth(self):
+		with self.client.session_transaction() as _session:
+			initiation = OAuth2DeviceLoginInitiation(client=OAuth2Client.query.filter_by(client_id='test').one())
+			db.session.add(initiation)
+			confirmation = DeviceLoginConfirmation(initiation=initiation, session=Session(user=self.get_user()))
+			db.session.add(confirmation)
+			db.session.commit()
+			_session['devicelogin_id'] = initiation.id
+			_session['devicelogin_secret'] = initiation.secret
+			code = confirmation.code
+		self.client.get(path='/')
+		ref = url_for('oauth2.authorize', response_type='code', client_id='test', state='teststate', redirect_uri='http://localhost:5009/callback')
+		r = self.client.post(path=url_for('session.devicelogin_submit', ref=ref), data={'confirmation-code': code}, follow_redirects=False)
+		self.assert_authorization(r)
+	def test_authorization_devicelogin_auth_deactivated(self):
+		with self.client.session_transaction() as _session:
+			initiation = OAuth2DeviceLoginInitiation(client=OAuth2Client.query.filter_by(client_id='test').one())
+			db.session.add(initiation)
+			confirmation = DeviceLoginConfirmation(initiation=initiation, session=Session(user=self.get_user()))
+			db.session.add(confirmation)
+			db.session.commit()
+			_session['devicelogin_id'] = initiation.id
+			_session['devicelogin_secret'] = initiation.secret
+			code = confirmation.code
+		self.client.get(path='/')
+		self.get_user().is_deactivated = True
+		db.session.commit()
+		ref = url_for('oauth2.authorize', response_type='code', client_id='test', state='teststate', redirect_uri='http://localhost:5009/callback')
+		r = self.client.post(path=url_for('session.devicelogin_submit', ref=ref), data={'confirmation-code': code}, follow_redirects=True)
+		self.assertIn(b'Device login failed', r.data)
+	def get_auth_code(self):
+		self.login_as('user')
+		r = self.client.get(path=url_for('oauth2.authorize', response_type='code', client_id='test', state='teststate', redirect_uri='http://localhost:5009/callback', scope='profile'), follow_redirects=False)
+		while True:
+			if r.status_code != 302 or r.location.startswith('http://localhost:5009/callback'):
+				break
+			r = self.client.get(r.location, follow_redirects=False)
+		self.assertEqual(r.status_code, 302)
+		self.assertTrue(r.location.startswith('http://localhost:5009/callback'))
+		args = parse_qs(urlparse(r.location).query)
+		self.assertEqual(args['state'], ['teststate'])
+		return args['code'][0]
+	def test_token_urlsecret(self):
+		r = self.client.post(path=url_for('oauth2.token'),
+			data={'grant_type': 'authorization_code', 'code': self.get_auth_code(), 'redirect_uri': 'http://localhost:5009/callback', 'client_id': 'test', 'client_secret': 'testsecret'}, follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(r.content_type, 'application/json')
+		self.assertEqual(r.json['token_type'], 'Bearer')
+		self.assertEqual(r.json['scope'], 'profile')
+	# Regression test for #114 (OAuth2 token endpoint does not support Basic-Auth)
+	def test_token_basicauth(self):
+		r = self.client.post(path=url_for('oauth2.token'),
+			data={'grant_type': 'authorization_code', 'code': self.get_auth_code(), 'redirect_uri': 'http://localhost:5009/callback'},
+			headers={'Authorization': f'Basic dGVzdDp0ZXN0c2VjcmV0'}, follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(r.content_type, 'application/json')
+		self.assertEqual(r.json['token_type'], 'Bearer')
+		self.assertEqual(r.json['scope'], 'profile')
+	def test_token_invalid_code(self):
+		r = self.client.post(path=url_for('oauth2.token'),
+			data={'grant_type': 'authorization_code', 'code': 'abcdef', 'redirect_uri': 'http://localhost:5009/callback', 'client_id': 'test', 'client_secret': 'testsecret'}, follow_redirects=True)
+		self.assertEqual(r.status_code, 400)
+		self.assertEqual(r.content_type, 'application/json')
+		self.assertEqual(r.json['error'], 'invalid_grant')
+	def test_token_code_invalidation(self):
+		code = self.get_auth_code()
+		r = self.client.post(path=url_for('oauth2.token'),
+			data={'grant_type': 'authorization_code', 'code': code, 'redirect_uri': 'http://localhost:5009/callback'},
+			headers={'Authorization': f'Basic dGVzdDp0ZXN0c2VjcmV0'}, follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		r = self.client.post(path=url_for('oauth2.token'),
+			data={'grant_type': 'authorization_code', 'code': code, 'redirect_uri': 'http://localhost:5009/callback'},
+			headers={'Authorization': f'Basic dGVzdDp0ZXN0c2VjcmV0'}, follow_redirects=True)
+		self.assertEqual(r.status_code, 400)
+		self.assertEqual(r.json['error'], 'invalid_grant')
+	def test_token_invalid_client(self):
+		r = self.client.post(path=url_for('oauth2.token'),
+			data={'grant_type': 'authorization_code', 'code': self.get_auth_code(), 'redirect_uri': 'http://localhost:5009/callback', 'client_id': 'invalid_client', 'client_secret': 'invalid_client_secret'}, follow_redirects=True)
+		self.assertEqual(r.status_code, 401)
+		self.assertEqual(r.content_type, 'application/json')
+		self.assertEqual(r.json['error'], 'invalid_client')
+	def test_token_unauthorized_client(self):
+		r = self.client.post(path=url_for('oauth2.token'),
+			data={'grant_type': 'authorization_code', 'code': self.get_auth_code(), 'redirect_uri': 'http://localhost:5009/callback', 'client_id': 'test'}, follow_redirects=True)
+		self.assertEqual(r.status_code, 401)
+		self.assertEqual(r.content_type, 'application/json')
+		self.assertEqual(r.json['error'], 'invalid_client')
+	def test_token_unsupported_grant_type(self):
+		r = self.client.post(path=url_for('oauth2.token'),
+			data={'grant_type': 'password', 'code': self.get_auth_code(), 'redirect_uri': 'http://localhost:5009/callback', 'client_id': 'test', 'client_secret': 'testsecret'}, follow_redirects=True)
+		self.assertEqual(r.status_code, 400)
+		self.assertEqual(r.content_type, 'application/json')
+		self.assertEqual(r.json['error'], 'unsupported_grant_type')
+	def test_token_deactivated_user(self):
+		code = self.get_auth_code()
+		self.get_user().is_deactivated = True
+		db.session.commit()
+		r = self.client.post(path=url_for('oauth2.token'),
+			data={'grant_type': 'authorization_code', 'code': code, 'redirect_uri': 'http://localhost:5009/callback', 'client_id': 'test', 'client_secret': 'testsecret'}, follow_redirects=True)
+		self.assertEqual(r.status_code, 400)
+		self.assertEqual(r.content_type, 'application/json')
+		self.assertEqual(r.json['error'], 'invalid_grant')
+	def test_userinfo_invalid_access_token(self):
+		token = 'invalidtoken'
+		r = self.client.get(path=url_for('oauth2.userinfo'), headers=[('Authorization', 'Bearer %s'%token)], follow_redirects=True)
+		self.assertEqual(r.status_code, 401)
+	def test_userinfo_deactivated_user(self):
+		r = self.client.post(path=url_for('oauth2.token'),
+			data={'grant_type': 'authorization_code', 'code': self.get_auth_code(), 'redirect_uri': 'http://localhost:5009/callback', 'client_id': 'test', 'client_secret': 'testsecret'}, follow_redirects=True)
+		token = r.json['access_token']
+		self.get_user().is_deactivated = True
+		db.session.commit()
+		r = self.client.get(path=url_for('oauth2.userinfo'), headers=[('Authorization', 'Bearer %s'%token)], follow_redirects=True)
+		self.assertEqual(r.status_code, 401)
+class TestOIDCConfigurationProfile(UffdTestCase):
+	def setUpDB(self):
+		db.session.add(OAuth2Key(**TEST_JWK))
+	def test_discover_spec(self):
+		ISSUER = 'https://sso.example.com'
+		r = self.client.get(base_url=ISSUER, path='/.well-known/openid-configuration')
+		# OIDC Discovery 1.0 section 4.2:
+		# > A successful response MUST use the 200 OK HTTP status code and return a
+		# > JSON object using the application/json content type that contains a set
+		# > of Claims as its members that are a subset of the Metadata values defined
+		# > in Section 3.
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(r.content_type, 'application/json')
+		self.assertIsInstance(r.json, dict) # also validates JSON syntax
+		# OIDC Discovery 1.0 section 4.2:
+		# > Claims that return multiple values are represented as JSON arrays.
+		# > Claims with zero elements MUST be omitted from the response. 
+		for key, value in r.json.items():
+			if isinstance(value, list):
+				self.assertNotEqual(len(value), 0)
+		# OIDC Discovery 1.0 section 3 (REQUIRED metadata values)
+		required_fields = {'issuer', 'authorization_endpoint', 'jwks_uri', 'response_types_supported', 'subject_types_supported', 'id_token_signing_alg_values_supported'}
+		if 'code' in r.json.get('response_types_supported', []):
+			required_fields.add('token_endpoint')
+		if 'authorization_code' in r.json.get('grant_types_supported', ['authorization_code', 'implicit']):
+			required_fields.add('token_endpoint')
+		for field in required_fields:
+			self.assertIn(field, r.json)
+		# OIDC Discovery 1.0 section 3 (metadata value types)
+		bool_fields = ('claims_parameter_supported', 'request_parameter_supported', 'request_uri_parameter_supported', 'require_request_uri_registration')
+		list_fields = ('scopes_supported', 'response_types_supported', 'response_modes_supported', 'grant_types_supported', 'acr_values_supported', 'subject_types_supported', 'id_token_signing_alg_values_supported', 'id_token_encryption_alg_values_supported', 'id_token_encryption_enc_values_supported', 'userinfo_signing_alg_values_supported', 'userinfo_encryption_alg_values_supported', 'userinfo_encryption_enc_values_supported', 'request_object_signing_alg_values_supported', 'request_object_encryption_alg_values_supported', 'request_object_encryption_enc_values_supported', 'token_endpoint_auth_methods_supported', 'token_endpoint_auth_signing_alg_values_supported', 'display_values_supported', 'claim_types_supported', 'claims_supported', 'claims_locales_supported', 'ui_locales_supported')
+		https_url_fields = ('issuer', 'authorization_endpoint', 'token_endpoint', 'userinfo_endpoint', 'jwks_uri', 'registration_endpoint')
+		url_fields = ('service_documentation', 'op_policy_uri', 'op_tos_uri')
+		for field in bool_fields:
+			if field in r.json:
+				self.assertIsInstance(r.json[field], bool)
+		for field in list_fields:
+			if field in r.json:
+				self.assertIsInstance(r.json[field], list)
+		for field in https_url_fields:
+			if field in r.json:
+				self.assertIsInstance(r.json[field], str)
+				self.assertTrue(r.json[field].lower().startswith('https://'))
+		for field in url_fields:
+			if field in r.json:
+				self.assertIsInstance(r.json[field], str)
+				self.assertTrue(r.json[field].lower().startswith('http'))
+		# OIDC Discovery 1.0 section 3 (MUSTs on metadata values except https scheme and jwks_uri)
+		self.assertEqual(r.json['issuer'], ISSUER)
+		if 'scopes_supported' in r.json:
+			self.assertIsInstance(r.json['scopes_supported'], list)
+			for item in r.json['scopes_supported']:
+				self.assertIsInstance(item, str)
+				self.assertRegex(item, r'^[!#-\[\]-~]+$') # 1*( %x21 / %x23-5B / %x5D-7E )
+			self.assertIn('openid', r.json['scopes_supported'])
+		self.assertIn('RS256', r.json['id_token_signing_alg_values_supported'])
+		if 'token_endpoint_auth_signing_alg_values_supported' in r.json:
+			self.assertNotIn('none', r.json['token_endpoint_auth_signing_alg_values_supported'])
+		# OIDC Discovery 1.0 section 3 (jwks_uri) and RFC7517
+		self.assertTrue(r.json['jwks_uri'].startswith(ISSUER)) # Not a requirement by spec, but technically neccessary for this test
+		r_jwks = self.client.get(base_url=ISSUER, path=r.json['jwks_uri'][len(ISSUER):])
+		self.assertEqual(r_jwks.status_code, 200)
+		# The jwks_uri SHOULD include a Cache-Control header in the response that contains a max-age directive ...
+		self.assertIn('Cache-Control', r_jwks.headers)
+		self.assertIsInstance(r_jwks.json, dict) # also validates JSON syntax
+		self.assertIn('keys', r_jwks.json)
+		self.assertIsInstance(r_jwks.json['keys'], list)
+		has_sign_keys = False
+		has_encrypt_keys = False
+		kids = set()
+		for key in r_jwks.json['keys']:
+			self.assertIn('kty', key)
+			self.assertIsInstance(key['kty'], str)
+			if 'use' in key:
+				self.assertIsInstance(key['use'], str)
+				if key['use'] == 'sig':
+					has_sign_keys = True
+				if key['use'] == 'enc':
+					has_enc_keys = True
+			if 'key_ops' in key:
+				self.assertIsInstance(key['key_ops'], list)
+				self.assertNotIn('use', key) # SHOULD
+				for value in key['key_ops']:
+					self.assertIsInstance(value, str)
+					self.assertEqual(key['key_ops'].count(value), 1)
+				# OIDC: "The JWK Set MUST NOT contain private or symmetric key values."
+				self.assertNotIn('decrypt', key['key_ops'])
+				self.assertNotIn('sign', key['key_ops'])
+				if 'verify' in key['key_ops']:
+					has_sign_keys = True
+				if 'encrypt' in key['key_ops']:
+					has_enc_keys = True
+			if 'alg' in key:
+				self.assertIsInstance(key['alg'], str)
+			if 'kid' in key:
+				self.assertIsInstance(key['kid'], str)
+				self.assertNotIn(key['kid'], kids) # SHOULD
+				kids.add(key['kid'])
+			# ignoring everything X.509 related
+			# TODO: Validate algorithm-specific part of JWK
+		if has_sign_keys and has_encrypt_keys:
+			for key in r_jwks.json['keys']:
+				self.assertIn('use', key)
+class TestOIDCBasicProfile(UffdTestCase):
+	def setUpDB(self):
+		db.session.add(OAuth2Key(**TEST_JWK))
+		db.session.add(OAuth2Client(service=Service(name='test', limit_access=False), client_id='test', client_secret='testsecret', redirect_uris=['https://service/callback']))
+	# Helper
+	def validate_claim_syntax(self, name, value):
+		# Strip language tag
+		if '#' in name:
+			name = name.split('#')[0]
+		str_claims = ('sub', 'name', 'given_name', 'family_name', 'middle_name', 'nickname', 'preferred_username', 'profile', 'picture', 'website', 'email', 'gender', 'birthdate', 'zoneinfo', 'locale', 'phone_number', 'acr')
+		if name in str_claims:
+			self.assertIsInstance(value, str)
+		if name in ('profile', 'picture', 'website'):
+			self.assertTrue(value.lower().startswith('http'))
+		if name in ('email_verified', 'phone_number_verified'):
+			self.assertIsInstance(value, bool)
+		if name in ('updated_at', 'auth_time'):
+			self.assertTrue(isinstance(value, int) or isinstance(value, float))
+		if name == 'address':
+			self.assertIsInstance(value, dict)
+		if name == 'amr':
+			self.assertIsInstance(value, list)
+			for item in value:
+				self.assertIsInstance(item, str)
+	def validate_id_token(self, id_token, nonce='testnonce', client_id='test'):
+		headers = jwt.get_unverified_header(id_token)
+		self.assertIn('kid', headers)
+		self.assertIsInstance(headers['kid'], str)
+		# This checks signature and exp
+		data = OAuth2Key.decode_jwt(id_token, options={'verify_aud': False})
+		self.assertIn('iss', data)
+		self.assertIsInstance(data['iss'], str)
+		self.assertIn('sub', data)
+		self.assertIn('aud', data)
+		self.assertIsInstance(data['aud'], str)
+		if client_id is not None:
+			self.assertEqual(data['aud'], client_id)
+		self.assertIn('iat', data)
+		self.assertTrue(isinstance(data['iat'], int) or isinstance(data['iat'], float))
+		if 'nonce' in data:
+			self.assertIsInstance(data['nonce'], str)
+		self.assertEqual(data.get('nonce'), nonce)
+		if 'azp' in data:
+			self.assertIsInstance(data['azp'], str)
+		for name, value in data.items():
+			self.validate_claim_syntax(name, value)
+		return data
+	def is_login_page(self, location):
+		url = urlparse(location)
+		return url.netloc in ('localhost', '') and url.path == url_for('session.login')
+	def is_callback(self, location):
+		return location.startswith('https://service/callback')
+	def do_auth_request(self, client_id='test', state='teststate', nonce='testnonce', redirect_uri='https://service/callback', scope='openid', follow_redirects=True, **kwargs):
+		r = self.client.get(path=url_for('oauth2.authorize', client_id=client_id, state=state, nonce=nonce, redirect_uri=redirect_uri, scope=scope, **kwargs), follow_redirects=False)
+		while follow_redirects and r.status_code == 302 and not self.is_login_page(r.location) and not self.is_callback(r.location):
+			r = self.client.get(path=r.location, follow_redirects=False)
+		return r
+	def do_login(self, r, loginname='testuser', password='userpassword'):
+		self.assertEqual(r.status_code, 302)
+		self.assertTrue(self.is_login_page(r.location))
+		self.client.get(path=url_for('session.logout'), follow_redirects=True)
+		args = parse_qs(urlparse(r.location).query)
+		r = self.client.post(path=url_for('session.login', ref=args['ref'][0]), data={'loginname': loginname, 'password': password}, follow_redirects=False)
+		while r.status_code == 302 and not self.is_login_page(r.location) and not self.is_callback(r.location):
+			r = self.client.get(path=r.location, follow_redirects=False)
+		return r
+	def validate_auth_response(self, r, state='teststate'):
+		self.assertEqual(r.status_code, 302)
+		self.assertTrue(self.is_callback(r.location))
+		args = parse_qs(urlparse(r.location).query)
+		for key in args:
+			self.assertNotIn(key, ('error', 'error_description', 'error_uri'))
+			self.assertEqual(len(args[key]), 1) # Not generally specified, but still a good check
+		if state is not None:
+			self.assertIn('state', args)
+			self.assertEqual(args['state'], [state])
+		else:
+			self.assertNotIn('state', args)
+		return {key: values[0] for key, values in args.items()}
+	def assert_auth_error(self, r, *errors, state='teststate'):
+		self.assertEqual(r.status_code, 302)
+		self.assertTrue(self.is_callback(r.location))
+		args = parse_qs(urlparse(r.location).query)
+		for key in args:
+			self.assertIn(key, ('error', 'error_description', 'error_uri', 'state'))
+			self.assertEqual(len(args[key]), 1)
+		self.assertIn('error', args)
+		if state is not None:
+			self.assertIn('state', args)
+			self.assertEqual(args['state'][0], state)
+		else:
+			self.assertNotIn('state', args)
+		if errors:
+			self.assertIn(args['error'][0], errors)
+		self.assertRegex(args['error'][0], r'^[ -!#-\[\]-~]+$') # 1*( %x20-x21 / %x23-5B / %x5D-7E )
+		if 'error_description' in args:
+			self.assertRegex(args['error_description'][0], r'^[ -!#-\[\]-~]+$') # 1*( %x20-x21 / %x23-5B / %x5D-7E )
+		if 'error_uri' in args:
+			self.assertRegex(args['error_uri'][0], r'^[!#-\[\]-~]+$') # 1*( %x21 / %x23-5B / %x5D-7E )
+	def do_token_request(self, client_id='test', client_secret='testsecret', redirect_uri='https://service/callback', **kwargs):
+		data = {'redirect_uri': redirect_uri, 'client_id': client_id, 'client_secret': client_secret}
+		data.update(kwargs)
+		return self.client.post(path=url_for('oauth2.token'), data=data, follow_redirects=True)
+	def validate_token_response(self, r, nonce='testnonce', client_id='test'):
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(r.content_type, 'application/json')
+		self.assertIn('Cache-Control', r.headers)
+		self.assertEqual(r.headers['Cache-Control'].lower(), 'no-store')
+		for key in r.json:
+			self.assertNotIn(key, ('error', 'error_description', 'error_uri'))
+		self.assertIn('access_token', r.json)
+		self.assertIsInstance(r.json['access_token'], str)
+		self.assertIn('token_type', r.json)
+		self.assertIsInstance(r.json['token_type'], str)
+		# OIDC Core 1.0 section 3.1.3.3:
+		# > The OAuth 2.0 token_type response parameter value MUST be Bearer,
+		# > [...] unless another Token Type has been negotiated with the Client.
+		self.assertEqual(r.json['token_type'].lower(), 'bearer')
+		if 'expires_in' in r.json:
+			self.assertTrue(isinstance(r.json['expires_in'], int) or isinstance(data['expires_in'], float))
+		if 'refresh_token' in r.json:
+			self.assertIsInstance(r.json['refresh_token'], str)
+		if 'scope' in r.json:
+			self.assertIsInstance(r.json['scope'], str)
+			# scope       = scope-token *( SP scope-token )
+			# scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
+			self.assertRegex(r.json['scope'], r'^[!#-\[\]-~]+( [!#-\[\]-~]+)*$')
+		# OIDC Core 1.0 section 3.1.3.3:
+		# > All Token Responses that contain tokens, secrets, or other sensitive
+		# > information MUST include the following HTTP response header fields and values:
+		# >   Cache-Control: no-store
+		self.assertIn('id_token', r.json)
+		return self.validate_id_token(r.json['id_token'], nonce=nonce, client_id=client_id)
+	def assert_token_error(self, r, *errors):
+		self.assertEqual(r.content_type, 'application/json')
+		if r.json.get('error', '') == 'invalid_client':
+			self.assertEqual(r.status_code, 401)
+		else:
+			self.assertEqual(r.status_code, 400)
+		for key in r.json:
+			self.assertIn(key, ('error', 'error_description', 'error_uri'))
+		self.assertIn('error', r.json)
+		if errors:
+			self.assertIn(r.json['error'], errors)
+		self.assertRegex(r.json['error'], r'^[ -!#-\[\]-~]+$') # 1*( %x20-x21 / %x23-5B / %x5D-7E )
+		if 'error_description' in r.json:
+			self.assertRegex(r.json['error_description'], r'^[ -!#-\[\]-~]+$') # 1*( %x20-x21 / %x23-5B / %x5D-7E )
+		if 'error_uri' in r.json:
+			self.assertRegex(r.json['error_uri'], r'^[!#-\[\]-~]+$') # 1*( %x21 / %x23-5B / %x5D-7E )
+	def do_userinfo_request(self, access_token):
+		return self.client.get(path=url_for('oauth2.userinfo'), headers=[('Authorization', 'Bearer %s'%access_token)], follow_redirects=True)
+	def validate_userinfo_response(self, r):
+		self.assertEqual(r.status_code, 200)
+		# We ignore everything related to encrypted/signed JWT userinfo here
+		self.assertEqual(r.content_type, 'application/json')
+		self.assertIn('sub', r.json)
+		for name, value in r.json.items():
+			self.validate_claim_syntax(name, value)
+	def assert_userinfo_error(self, r):
+		self.assertEqual(r.status_code, 401)
+		self.assertEqual(len(r.headers.getlist('WWW-Authenticate')), 1)
+		method, args = (r.headers['WWW-Authenticate'].split(' ', 1) + [''])[:2]
+		args = {item.split('=', 1)[0]: item.split('=', 1)[1].strip(' \n"') for item in args.split(',') if item.strip()}
+		if 'scope' in args:
+			self.assertRegex(args['scope'], r'^[ -!#-\[\]-~]+$') # 1*( %x20-x21 / %x23-5B / %x5D-7E )
+		if 'error' in args:
+			self.assertRegex(args['error'], r'^[ -!#-\[\]-~]+$') # 1*( %x20-x21 / %x23-5B / %x5D-7E )
+		if 'error_description' in args:
+			self.assertRegex(args['error_description'], r'^[ -!#-\[\]-~]+$') # 1*( %x20-x21 / %x23-5B / %x5D-7E )
+	def test(self):
+		self.login_as('user')
+		r = self.do_auth_request(response_type='code')
+		args = self.validate_auth_response(r)
+		r = self.do_token_request(grant_type='authorization_code', code=args['code'])
+		id_token = self.validate_token_response(r)
+		self.assertEqual(id_token['sub'], '10000')
+		r = self.do_userinfo_request(r.json['access_token'])
+		self.validate_userinfo_response(r)
+		self.assertEqual(r.json['sub'], '10000')
+	def test_notloggedin(self):
+		r = self.do_auth_request(response_type='code')
+		r = self.do_login(r)
+		args = self.validate_auth_response(r)
+		r = self.do_token_request(grant_type='authorization_code', code=args['code'])
+		id_token = self.validate_token_response(r)
+		self.assertEqual(id_token['sub'], '10000')
+	def test_no_state(self):
+		self.login_as('user')
+		r = self.do_auth_request(response_type='code', state=None)
+		args = self.validate_auth_response(r, state=None)
+		r = self.do_token_request(grant_type='authorization_code', code=args['code'])
+		id_token = self.validate_token_response(r)
+		self.assertEqual(id_token['sub'], '10000')
+	def test_no_nonce(self):
+		self.login_as('user')
+		r = self.do_auth_request(response_type='code', nonce=None)
+		args = self.validate_auth_response(r)
+		r = self.do_token_request(grant_type='authorization_code', code=args['code'])
+		id_token = self.validate_token_response(r, nonce=None)
+		self.assertEqual(id_token['sub'], '10000')
+	def test_redirect_uri(self):
+		self.login_as('user')
+		# No redirect_uri in auth request is fine if there is only one uri registered
+		r = self.do_auth_request(response_type='code', redirect_uri=None)
+		args = self.validate_auth_response(r)
+		r = self.do_token_request(grant_type='authorization_code', code=args['code'], redirect_uri=None)
+		id_token = self.validate_token_response(r)
+		self.assertEqual(id_token['sub'], '10000')
+		# If auth request has redirect_uri, it is required in token request
+		r = self.do_auth_request(response_type='code')
+		args = self.validate_auth_response(r)
+		r = self.do_token_request(grant_type='authorization_code', code=args['code'], redirect_uri=None)
+		self.assert_token_error(r)
+		# If auth request has redirect_uri, it the redirect_uri in the token request must be the same
+		r = self.do_auth_request(response_type='code')
+		args = self.validate_auth_response(r)
+		r = self.do_token_request(grant_type='authorization_code', code=args['code'], redirect_uri='https://foobar/callback')
+		self.assert_token_error(r)
+		# Invalid redirect_uri
+		r = self.do_auth_request(response_type='code', redirect_uri='http://foobar/callback')
+		self.assertEqual(r.status_code, 400) # No redirect!
+		# redirect_uri is required in auth request if there is more than a single uri registered
+		client = OAuth2Client.query.one()
+		client.redirect_uris.append('https://service/callback2')
+		db.session.commit()
+		r = self.do_auth_request(response_type='code', redirect_uri=None)
+		self.assertEqual(r.status_code, 400) # No redirect!
+	def test_auth_errors(self):
+		# Missing response_type
+		r = self.do_auth_request()
+		self.assert_auth_error(r, 'invalid_request')
+		# Invalid response_type
+		r = self.do_auth_request(response_type='foobar')
+		self.assert_auth_error(r, 'unsupported_response_type')
+		# Missing client_id
+		r = self.do_auth_request(response_type='code', client_id=None)
+		self.assertEqual(r.status_code, 400) # No redirect!
+		# Invalid client_id
+		r = self.do_auth_request(response_type='code', client_id='foobar')
+		self.assertEqual(r.status_code, 400) # No redirect!
+		# Duplicate parameter
+		r = self.do_auth_request(response_type='code', client_id=['test', 'foobar'])
+		self.assertEqual(r.status_code, 400) # No redirect!
+	def test_access_denied(self):
+		Service.query.one().limit_access = True
+		db.session.commit()
+		self.login_as('user')
+		r = self.do_auth_request(response_type='code')
+		self.assert_auth_error(r, 'access_denied')
+	def test_auth_request_uri(self):
+		self.login_as('user')
+		r = self.do_auth_request(response_type='code', request_uri='https://localhost/myrequest_uri')
+		self.assert_auth_error(r, 'request_uri_not_supported')
+	def test_auth_request_unsigned(self):
+		self.login_as('user')
+		request_params = {
+			'response_type': 'code',
+			'client_id': 'test',
+			'redirect_uri': 'http://service/callback',
+			'scope': 'openid',
+			'state': 'teststate',
+			'nonce': 'testnonce',
+			'claims': {
+				'userinfo': {
+					'name': None,
+					'email': {'essential': True},
+					'email_verified': {'essential': True},
+				},
+				'id_token': {
+					'email': None,
+				}
+			}
+		}
+		r = self.do_auth_request(response_type='code', request=jwt.encode(request_params, algorithm='none', key=None))
+		self.assert_auth_error(r, 'request_not_supported')
+	def test_token_client_auth(self):
+		self.login_as('user')
+		# Auth via body -> ACCEPT
+		r = self.do_auth_request(response_type='code')
+		args = self.validate_auth_response(r)
+		r = self.do_token_request(grant_type='authorization_code', code=args['code'])
+		self.validate_token_response(r)
+		# Auth via header -> ACCEPT
+		r = self.do_auth_request(response_type='code')
+		args = self.validate_auth_response(r)
+		r = self.client.post(
+			path=url_for('oauth2.token'),
+			data={'redirect_uri': 'https://service/callback', 'grant_type': 'authorization_code', 'code': args['code']},
+			headers={'Authorization': f'Basic dGVzdDp0ZXN0c2VjcmV0'},
+			follow_redirects=True,
+		)
+		self.validate_token_response(r)
+		# Auth via header, but same client id also in body -> ACCEPT
+		r = self.do_auth_request(response_type='code')
+		args = self.validate_auth_response(r)
+		r = self.client.post(
+			path=url_for('oauth2.token'),
+			data={'redirect_uri': 'https://service/callback', 'grant_type': 'authorization_code', 'client_id': 'test', 'code': args['code']},
+			headers={'Authorization': f'Basic dGVzdDp0ZXN0c2VjcmV0'},
+			follow_redirects=True,
+		)
+		self.validate_token_response(r)
+		# Different client id in body and header -> REJECT
+		r = self.do_auth_request(response_type='code')
+		args = self.validate_auth_response(r)
+		r = self.client.post(
+			path=url_for('oauth2.token'),
+			data={'redirect_uri': 'https://service/callback', 'grant_type': 'authorization_code', 'client_id': 'XXXX', 'code': args['code']},
+			headers={'Authorization': f'Basic dGVzdDp0ZXN0c2VjcmV0'},
+			follow_redirects=True,
+		)
+		self.assert_token_error(r, 'invalid_request')
+		# Duplicate client id in body -> REJECT
+		r = self.do_auth_request(response_type='code')
+		args = self.validate_auth_response(r)
+		r = self.do_token_request(grant_type='authorization_code', code=args['code'], client_id=['test', 'XXXX'])
+		self.assert_token_error(r, 'invalid_request')
+		# Duplicate client secret in body -> REJECT
+		r = self.do_auth_request(response_type='code')
+		args = self.validate_auth_response(r)
+		r = self.do_token_request(grant_type='authorization_code', code=args['code'], client_secret=['testsecret', 'XXXXX'])
+		self.assert_token_error(r, 'invalid_request')
+		# Client secret in body and header -> REJECT
+		r = self.do_auth_request(response_type='code')
+		args = self.validate_auth_response(r)
+		r = self.client.post(
+			path=url_for('oauth2.token'),
+			data={'redirect_uri': 'https://service/callback', 'grant_type': 'authorization_code', 'client_id': 'test', 'client_secret': 'testsecret', 'code': args['code']},
+			headers={'Authorization': f'Basic dGVzdDp0ZXN0c2VjcmV0'},
+			follow_redirects=True,
+		)
+		self.assert_token_error(r, 'invalid_request')
+		# No secret -> REJECT
+		r = self.do_auth_request(response_type='code')
+		args = self.validate_auth_response(r)
+		r = self.do_token_request(grant_type='authorization_code', code=args['code'], client_secret=None)
+		self.assert_token_error(r, 'invalid_client')
+		# No client id but secret -> REJECT
+		r = self.do_auth_request(response_type='code')
+		args = self.validate_auth_response(r)
+		r = self.do_token_request(grant_type='authorization_code', code=args['code'], client_id=None)
+		self.assert_token_error(r, 'invalid_client')
+		# No client id and no secret -> REJECT
+		r = self.do_auth_request(response_type='code')
+		args = self.validate_auth_response(r)
+		r = self.do_token_request(grant_type='authorization_code', code=args['code'], client_id=None, client_secret=None)
+		self.assert_token_error(r, 'invalid_client')
+		# Unknown client id -> REJECT
+		r = self.do_auth_request(response_type='code')
+		args = self.validate_auth_response(r)
+		r = self.do_token_request(grant_type='authorization_code', code=args['code'], client_id='XXXX')
+		self.assert_token_error(r, 'invalid_client')
+	def test_token_errors(self):
+		self.login_as('user')
+		# Missing grant_type parameter
+		r = self.do_auth_request(response_type='code')
+		args = self.validate_auth_response(r)
+		r = self.do_token_request(code=args['code'])
+		self.assert_token_error(r, 'invalid_request')
+		# Missing code parameter
+		r = self.do_auth_request(response_type='code')
+		args = self.validate_auth_response(r)
+		r = self.do_token_request(grant_type='authorization_code')
+		self.assert_token_error(r, 'invalid_request')
+		# redirect_uri behaviour is already tested in test_redirect_uri
+		# Invalid grant type
+		r = self.do_auth_request(response_type='code')
+		args = self.validate_auth_response(r)
+		r = self.do_token_request(grant_type='foobar', code=args['code'])
+		self.assert_token_error(r, 'unsupported_grant_type')
+		# Duplicate code parameter
+		r = self.do_auth_request(response_type='code')
+		args = self.validate_auth_response(r)
+		r = self.do_token_request(grant_type='authorization_code', code=[args['code'], 'XXXXX'])
+		self.assert_token_error(r, 'invalid_request')
+		# Invalid code parameter
+		r = self.do_auth_request(response_type='code')
+		args = self.validate_auth_response(r)
+		r = self.do_token_request(grant_type='authorization_code', code='XXXXX')
+		self.assert_token_error(r, 'invalid_grant')
+		# Invalid code parameter
+		r = self.do_auth_request(response_type='code')
+		args = self.validate_auth_response(r)
+		r = self.do_token_request(grant_type='authorization_code', code=args['code'].split('-')[0]+'-XXXXX')
+		self.assert_token_error(r, 'invalid_grant')
+		# Code was issued to different client
+		db.session.add(OAuth2Client(service=Service(name='test2', limit_access=False), client_id='test2', client_secret='testsecret2', redirect_uris=['https://service2/callback']))
+		db.session.commit()
+		r = self.do_auth_request(response_type='code')
+		args = self.validate_auth_response(r)
+		r = self.do_token_request(grant_type='authorization_code', code=args['code'], client_id='test2', client_secret='testsecret2')
+		self.assert_token_error(r, 'invalid_grant')
+	def test_userinfo_auth(self):
+		self.login_as('user')
+		r = self.do_auth_request(response_type='code')
+		args = self.validate_auth_response(r)
+		r = self.do_token_request(grant_type='authorization_code', code=args['code'])
+		self.validate_token_response(r)
+		access_token = r.json['access_token']
+		# GET + Bearer
+		r = self.client.get(path=url_for('oauth2.userinfo'), headers=[('Authorization', 'Bearer %s'%access_token)], follow_redirects=True)
+		self.validate_userinfo_response(r)
+		self.assertEqual(r.json['sub'], '10000')
+		# POST + Bearer
+		r = self.client.post(path=url_for('oauth2.userinfo'), headers=[('Authorization', 'Bearer %s'%access_token)], follow_redirects=True)
+		self.validate_userinfo_response(r)
+		self.assertEqual(r.json['sub'], '10000')
+		# "Bearer" is case-insensitive
+		r = self.client.post(path=url_for('oauth2.userinfo'), headers=[('authorization', 'bearer %s'%access_token)], follow_redirects=True)
+		self.validate_userinfo_response(r)
+		self.assertEqual(r.json['sub'], '10000')
+		# Invalid auth scheme
+		r = self.client.post(path=url_for('oauth2.userinfo'), headers=[('Authorization', 'Basic dGVzdDp0ZXN0c2VjcmV0')], follow_redirects=True)
+		self.assert_userinfo_error(r)
+		# Invalid bearer token
+		r = self.client.post(path=url_for('oauth2.userinfo'), headers=[('Authorization', 'Bearer %s-XXXXX'%access_token.split('-')[0])], follow_redirects=True)
+		self.assert_userinfo_error(r)
+		r = self.client.post(path=url_for('oauth2.userinfo'), headers=[('Authorization', 'Bearer XXXXX')], follow_redirects=True)
+		self.assert_userinfo_error(r)
+		# POST + body
+		r = self.client.post(path=url_for('oauth2.userinfo'), data={'access_token': access_token}, follow_redirects=True)
+		self.validate_userinfo_response(r)
+		self.assertEqual(r.json['sub'], '10000')
+		# GET + query
+		r = self.client.get(path=url_for('oauth2.userinfo', access_token=access_token), follow_redirects=True)
+		self.validate_userinfo_response(r)
+		self.assertEqual(r.json['sub'], '10000')
+		# POST + Bearer + body -> REJECT
+		r = self.client.post(path=url_for('oauth2.userinfo'), data={'access_token': access_token}, headers=[('Authorization', 'Bearer %s'%access_token)], follow_redirects=True)
+		self.assert_userinfo_error(r)
+		# No auth -> REJECT
+		r = self.client.post(path=url_for('oauth2.userinfo'), follow_redirects=True)
+		self.assert_userinfo_error(r)
+	def test_scope(self):
+		self.login_as('user')
+		# Scope values used that are not understood by an implementation SHOULD be ignored.
+		r = self.do_auth_request(response_type='code', scope='openid profile email address phone groups foobar')
+		args = self.validate_auth_response(r)
+		r = self.do_token_request(grant_type='authorization_code', code=args['code'])
+		id_token = self.validate_token_response(r)
+		self.assertEqual(id_token['sub'], '10000')
+		r = self.do_userinfo_request(r.json['access_token'])
+		self.validate_userinfo_response(r)
+		self.assertEqual(r.json['sub'], '10000')
+		self.assertEqual(r.json['name'], 'Test User')
+		self.assertEqual(r.json['preferred_username'], 'testuser')
+		self.assertEqual(r.json['email'], 'test@example.com')
+		self.assertEqual(sorted(r.json['groups']), sorted(['users', 'uffd_access']))
+	def test_claims(self):
+		self.login_as('user')
+		# Scope values used that are not understood by an implementation SHOULD be ignored.
+		r = self.do_auth_request(response_type='code', claims='{"userinfo": {"name": {"essential": true}}, "id_token": {"preferred_username": {"essential": true}, "email": null}}')
+		args = self.validate_auth_response(r)
+		r = self.do_token_request(grant_type='authorization_code', code=args['code'])
+		id_token = self.validate_token_response(r)
+		self.assertEqual(id_token['sub'], '10000')
+		self.assertEqual(id_token['preferred_username'], 'testuser')
+		self.assertEqual(id_token['email'], 'test@example.com')
+		self.assertNotIn('name', r.json)
+		r = self.do_userinfo_request(r.json['access_token'])
+		self.validate_userinfo_response(r)
+		self.assertEqual(r.json['sub'], '10000')
+		self.assertEqual(r.json['name'], 'Test User')
+		self.assertNotIn('email', r.json)
+	def test_prompt_none(self):
+		r = self.do_auth_request(response_type='code', prompt='none')
+		self.assert_auth_error(r, 'login_required')
+		self.login_as('user')
+		r = self.do_auth_request(response_type='code', prompt='none')
+		args = self.validate_auth_response(r)
+		self.assertIn('code', args)
+		# OIDC Core 1.0 section 3.1.2.1.:
+		# > If this parameter contains none with any other value, an error is returned.
+		r = self.do_auth_request(response_type='code', prompt='none login')
+		self.assert_auth_error(r)
+	@unittest.skip('prompt=login is not implemented') # MUST
+	def test_prompt_login(self):
+		self.login_as('user')
+		r = self.do_auth_request(response_type='code')
+		args = self.validate_auth_response(r)
+		self.assertIn('code', args)
+		r = self.do_auth_request(response_type='code', prompt='login')
+		self.assertEqual(r.status_code, 302)
+		self.assertTrue(self.is_login_page(r.location))
+	# TODO: max_age
+	def test_sub_value(self):
+		# Via id_token_hint or claims.id_token.sub.value
+		self.login_as('user')
+		r = self.do_auth_request(response_type='code', prompt='none')
+		args = self.validate_auth_response(r)
+		r = self.do_token_request(grant_type='authorization_code', code=args['code'])
+		self.validate_token_response(r)
+		id_token = r.json['id_token']
+		r = self.do_auth_request(response_type='code', prompt='none', id_token_hint=id_token)
+		args = self.validate_auth_response(r)
+		self.assertIn('code', args)
+		r = self.do_auth_request(response_type='code', prompt='none', id_token_hint='XXXXX')
+		self.assert_auth_error(r, 'invalid_request')
+		r = self.do_auth_request(response_type='code', prompt='none', claims='{"id_token": {"sub": {"value": "10000"}}}')
+		args = self.validate_auth_response(r)
+		r = self.do_auth_request(response_type='code', prompt='none', claims='{"id_token": {"sub": {"value": "10001"}}}')
+		self.assert_auth_error(r, 'login_required')
+		# sub value in id_token_hint and claims is the same -> Not ambiguous
+		r = self.do_auth_request(response_type='code', prompt='none', id_token_hint=id_token, claims='{"id_token": {"sub": {"value": "10000"}}}')
+		args = self.validate_auth_response(r)
+		self.assertIn('code', args)
+		# sub value in id_token_hint and claims differs -> Ambiguous
+		r = self.do_auth_request(response_type='code', prompt='none', id_token_hint=id_token, claims='{"id_token": {"sub": {"value": "10001"}}}')
+		self.assert_auth_error(r, 'invalid_request')
+		self.login_as('admin')
+		r = self.do_auth_request(response_type='code', prompt='none', id_token_hint=id_token)
+		self.assert_auth_error(r, 'login_required')
+	def test_code_reuse(self):
+		self.login_as('user')
+		r = self.do_auth_request(response_type='code')
+		args = self.validate_auth_response(r)
+		r1 = self.do_token_request(grant_type='authorization_code', code=args['code'])
+		self.validate_token_response(r1)
+		r2 = self.do_token_request(grant_type='authorization_code', code=args['code'])
+		self.assert_token_error(r2, 'invalid_grant')
+	@unittest.skip('Token revoking on reuse is not implemented') # SHOULD
+	def test_code_reuse_revoke(self):
+		self.login_as('user')
+		r = self.do_auth_request(response_type='code')
+		args = self.validate_auth_response(r)
+		r1 = self.do_token_request(grant_type='authorization_code', code=args['code'])
+		self.validate_token_response(r1)
+		r2 = self.do_token_request(grant_type='authorization_code', code=args['code'])
+		self.assert_token_error(r2, 'invalid_grant')
+		r = self.do_userinfo_request(r1.json['access_token'])
+		self.assert_userinfo_error(r)
--- a/tests/views/test_role.py
+++ b/tests/views/test_role.py
+from flask import url_for
+from uffd.database import db
+from uffd.models import User, Role, RoleGroup
+from tests.utils import dump, UffdTestCase
+class TestRoleViews(UffdTestCase):
+	def setUp(self):
+		super().setUp()
+		self.login_as('admin')
+	def test_index(self):
+		db.session.add(Role(name='base', description='Base role description'))
+		db.session.add(Role(name='test1', description='Test1 role description'))
+		db.session.commit()
+		r = self.client.get(path=url_for('role.index'), follow_redirects=True)
+		dump('role_index', r)
+		self.assertEqual(r.status_code, 200)
+	def test_index_empty(self):
+		r = self.client.get(path=url_for('role.index'), follow_redirects=True)
+		dump('role_index_empty', r)
+		self.assertEqual(r.status_code, 200)
+	def test_show(self):
+		role = Role(name='base', description='Base role description')
+		db.session.add(role)
+		db.session.commit()
+		r = self.client.get(path=url_for('role.show', roleid=role.id), follow_redirects=True)
+		dump('role_show', r)
+		self.assertEqual(r.status_code, 200)
+	def test_new(self):
+		r = self.client.get(path=url_for('role.new'), follow_redirects=True)
+		dump('role_new', r)
+		self.assertEqual(r.status_code, 200)
+	def test_update(self):
+		role = Role(name='base', description='Base role description')
+		db.session.add(role)
+		db.session.commit()
+		role.groups[self.get_admin_group()] = RoleGroup()
+		db.session.commit()
+		self.assertEqual(role.name, 'base')
+		self.assertEqual(role.description, 'Base role description')
+		self.assertSetEqual(set(role.groups), {self.get_admin_group()})
+		r = self.client.post(path=url_for('role.update', roleid=role.id),
+			data={'name': 'base1', 'description': 'Base role description1', 'moderator-group': '', 'group-%d'%self.get_users_group().id: '1', 'group-%d'%self.get_access_group().id: '1'},
+			follow_redirects=True)
+		dump('role_update', r)
+		self.assertEqual(r.status_code, 200)
+		role = Role.query.get(role.id)
+		self.assertEqual(role.name, 'base1')
+		self.assertEqual(role.description, 'Base role description1')
+		self.assertSetEqual(set(role.groups), {self.get_access_group(), self.get_users_group()})
+		# TODO: verify that group memberships are updated
+	def test_create(self):
+		self.assertIsNone(Role.query.filter_by(name='base').first())
+		r = self.client.post(path=url_for('role.update'),
+			data={'name': 'base', 'description': 'Base role description', 'moderator-group': '', 'group-%d'%self.get_users_group().id: '1', 'group-%d'%self.get_access_group().id: '1'},
+			follow_redirects=True)
+		dump('role_create', r)
+		self.assertEqual(r.status_code, 200)
+		role = Role.query.filter_by(name='base').first()
+		self.assertIsNotNone(role)
+		self.assertEqual(role.name, 'base')
+		self.assertEqual(role.description, 'Base role description')
+		self.assertSetEqual(set(role.groups), {self.get_access_group(), self.get_users_group()})
+		# TODO: verify that group memberships are updated (currently not possible with ldap mock!)
+	def test_create_with_moderator_group(self):
+		self.assertIsNone(Role.query.filter_by(name='base').first())
+		r = self.client.post(path=url_for('role.update'),
+			data={'name': 'base', 'description': 'Base role description', 'moderator-group': self.get_admin_group().id, 'group-%d'%self.get_users_group().id: '1', 'group-%d'%self.get_access_group().id: '1'},
+			follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		role = Role.query.filter_by(name='base').first()
+		self.assertIsNotNone(role)
+		self.assertEqual(role.name, 'base')
+		self.assertEqual(role.description, 'Base role description')
+		self.assertEqual(role.moderator_group.name, 'uffd_admin')
+		self.assertSetEqual(set(role.groups), {self.get_access_group(), self.get_users_group()})
+		# TODO: verify that group memberships are updated (currently not possible with ldap mock!)
+	def test_delete(self):
+		role = Role(name='base', description='Base role description')
+		db.session.add(role)
+		db.session.commit()
+		role_id = role.id
+		self.assertIsNotNone(Role.query.get(role_id))
+		r = self.client.get(path=url_for('role.delete', roleid=role.id), follow_redirects=True)
+		dump('role_delete', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertIsNone(Role.query.get(role_id))
+		# TODO: verify that group memberships are updated (currently not possible with ldap mock!)
+	def test_set_default(self):
+		db.session.add(User(loginname='service', is_service_user=True, primary_email_address='service@example.com', displayname='Service'))
+		db.session.commit()
+		role = Role(name='test')
+		db.session.add(role)
+		role.groups[self.get_admin_group()] = RoleGroup()
+		user1 = self.get_user()
+		user2 = self.get_admin()
+		service_user = User.query.filter_by(loginname='service').one_or_none()
+		self.assertSetEqual(set(self.get_user().roles_effective), set())
+		self.assertSetEqual(set(self.get_admin().roles_effective), set())
+		self.assertSetEqual(set(service_user.roles_effective), set())
+		role.members.append(self.get_user())
+		role.members.append(service_user)
+		self.assertSetEqual(set(self.get_user().roles_effective), {role})
+		self.assertSetEqual(set(self.get_admin().roles_effective), set())
+		self.assertSetEqual(set(service_user.roles_effective), {role})
+		db.session.commit()
+		role_id = role.id
+		self.assertSetEqual(set(role.members), {self.get_user(), service_user})
+		r = self.client.get(path=url_for('role.set_default', roleid=role.id), follow_redirects=True)
+		dump('role_set_default', r)
+		self.assertEqual(r.status_code, 200)
+		role = Role.query.get(role_id)
+		service_user = User.query.filter_by(loginname='service').one_or_none()
+		self.assertSetEqual(set(role.members), {service_user})
+		self.assertSetEqual(set(self.get_user().roles_effective), {role})
+		self.assertSetEqual(set(self.get_admin().roles_effective), {role})
+	def test_unset_default(self):
+		admin_role = Role(name='admin', is_default=True)
+		db.session.add(admin_role)
+		admin_role.groups[self.get_admin_group()] = RoleGroup()
+		db.session.add(User(loginname='service', is_service_user=True, primary_email_address='service@example.com', displayname='Service'))
+		db.session.commit()
+		role = Role(name='test', is_default=True)
+		db.session.add(role)
+		service_user = User.query.filter_by(loginname='service').one_or_none()
+		role.members.append(service_user)
+		self.assertSetEqual(set(self.get_user().roles_effective), {role, admin_role})
+		self.assertSetEqual(set(self.get_admin().roles_effective), {role, admin_role})
+		self.assertSetEqual(set(service_user.roles_effective), {role})
+		db.session.commit()
+		role_id = role.id
+		admin_role_id = admin_role.id
+		self.assertSetEqual(set(role.members), {service_user})
+		r = self.client.get(path=url_for('role.unset_default', roleid=role.id), follow_redirects=True)
+		dump('role_unset_default', r)
+		self.assertEqual(r.status_code, 200)
+		role = Role.query.get(role_id)
+		admin_role = Role.query.get(admin_role_id)
+		service_user = User.query.filter_by(loginname='service').one_or_none()
+		self.assertSetEqual(set(role.members), {service_user})
+		self.assertSetEqual(set(self.get_user().roles_effective), {admin_role})
+		self.assertSetEqual(set(self.get_admin().roles_effective), {admin_role})
--- a/tests/test_rolemod.py
+++ b/tests/test_rolemod.py
 from flask import url_for
-from uffd.user.models import User, Group
-from uffd.role.models import Role, RoleGroup
 from uffd.database import db
+from uffd.models import Role, RoleGroup
-from utils import dump, UffdTestCase
+from tests.utils import dump, UffdTestCase
 class TestRolemodViewsLoggedOut(UffdTestCase):
 	def test_acl_nologin(self):

--- a/tests/views/test_selfservice.py
+++ b/tests/views/test_selfservice.py
+import datetime
+import re
+import time
+from flask import url_for, request, session
+from uffd.database import db
+from uffd.models import PasswordToken, UserEmail, Role, RoleGroup, Service, ServiceUser, FeatureFlag, MFAMethod, RecoveryCodeMethod, TOTPMethod, WebauthnMethod
+from uffd.models.mfa import _hotp
+from tests.utils import dump, UffdTestCase, db_flush
+class TestSelfservice(UffdTestCase):
+	def test_index(self):
+		self.login_as('user')
+		r = self.client.get(path=url_for('selfservice.index'))
+		dump('selfservice_index', r)
+		self.assertEqual(r.status_code, 200)
+		user = request.user
+		self.assertIn(user.displayname.encode(), r.data)
+		self.assertIn(user.loginname.encode(), r.data)
+		self.assertIn(user.primary_email.address.encode(), r.data)
+	def test_update_displayname(self):
+		self.login_as('user')
+		r = self.client.post(path=url_for('selfservice.update_profile'),
+			data={'displayname': 'New Display Name'},
+			follow_redirects=True)
+		dump('update_displayname', r)
+		self.assertEqual(r.status_code, 200)
+		user = self.get_user()
+		self.assertEqual(user.displayname, 'New Display Name')
+	def test_update_displayname_invalid(self):
+		self.login_as('user')
+		r = self.client.post(path=url_for('selfservice.update_profile'),
+			data={'displayname': ''},
+			follow_redirects=True)
+		dump('update_displayname_invalid', r)
+		self.assertEqual(r.status_code, 200)
+		user = self.get_user()
+		self.assertNotEqual(user.displayname, '')
+	def test_add_email(self):
+		self.login_as('user')
+		r = self.client.post(path=url_for('selfservice.add_email'),
+			data={'address': 'new@example.com'},
+			follow_redirects=True)
+		dump('selfservice_add_email', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertIn('new@example.com', self.app.last_mail['To'])
+		m = re.search(r'/email/([0-9]+)/verify/(.*)', str(self.app.last_mail.get_content()))
+		email_id, secret = m.groups()
+		email = UserEmail.query.get(email_id)
+		self.assertEqual(email.user.id, request.user.id)
+		self.assertEqual(email.address, 'new@example.com')
+		self.assertFalse(email.verified)
+		self.assertFalse(email.verification_expired)
+		self.assertTrue(email.verification_secret.verify(secret))
+	def test_add_email_duplicate(self):
+		self.login_as('user')
+		r = self.client.post(path=url_for('selfservice.add_email'),
+			data={'address': 'test@example.com'},
+			follow_redirects=True)
+		dump('selfservice_add_email_duplicate', r)
+		self.assertFalse(hasattr(self.app, 'last_mail'))
+		self.assertEqual(len(self.get_user().all_emails), 1)
+		self.assertEqual(UserEmail.query.filter_by(user=None).all(), [])
+	def test_verify_email(self):
+		self.login_as('user')
+		email = UserEmail(user=self.get_user(), address='new@example.com')
+		secret = email.start_verification()
+		db.session.add(email)
+		db.session.commit()
+		email_id = email.id
+		r = self.client.get(path=url_for('selfservice.verify_email', email_id=email_id, secret=secret), follow_redirects=True)
+		dump('selfservice_verify_email', r)
+		self.assertEqual(r.status_code, 200)
+		email = UserEmail.query.get(email_id)
+		self.assertTrue(email.verified)
+		self.assertEqual(self.get_user().primary_email.address, 'test@example.com')
+	def test_verify_email_notfound(self):
+		self.login_as('user')
+		r = self.client.get(path=url_for('selfservice.verify_email', email_id=2342, secret='invalidsecret'), follow_redirects=True)
+		dump('selfservice_verify_email_notfound', r)
+	def test_verify_email_wrong_user(self):
+		self.login_as('user')
+		email = UserEmail(user=self.get_admin(), address='new@example.com')
+		secret = email.start_verification()
+		db.session.add(email)
+		db.session.commit()
+		r = self.client.get(path=url_for('selfservice.verify_email', email_id=email.id, secret=secret), follow_redirects=True)
+		dump('selfservice_verify_email_wrong_user', r)
+		self.assertFalse(email.verified)
+	def test_verify_email_wrong_secret(self):
+		self.login_as('user')
+		email = UserEmail(user=self.get_user(), address='new@example.com')
+		secret = email.start_verification()
+		db.session.add(email)
+		db.session.commit()
+		r = self.client.get(path=url_for('selfservice.verify_email', email_id=email.id, secret='invalidsecret'), follow_redirects=True)
+		dump('selfservice_verify_email_wrong_secret', r)
+		self.assertFalse(email.verified)
+	def test_verify_email_expired(self):
+		self.login_as('user')
+		email = UserEmail(user=self.get_user(), address='new@example.com')
+		secret = email.start_verification()
+		email.verification_expires = datetime.datetime.utcnow() - datetime.timedelta(days=1)
+		db.session.add(email)
+		db.session.commit()
+		r = self.client.get(path=url_for('selfservice.verify_email', email_id=email.id, secret=secret), follow_redirects=True)
+		dump('selfservice_verify_email_expired', r)
+		self.assertFalse(email.verified)
+	def test_verify_email_legacy(self):
+		self.login_as('user')
+		email = UserEmail(
+			user=self.get_user(),
+			address='new@example.com',
+			verification_legacy_id=1337,
+			_verification_secret='{PLAIN}ZgvsUs2bZjr9Whpy1la7Q0PHbhjmpXtNdH1mCmDbQP7',
+			verification_expires=datetime.datetime.utcnow()+datetime.timedelta(days=1)
+		)
+		db.session.add(email)
+		db.session.commit()
+		email_id = email.id
+		r = self.client.get(path=f'/self/token/mail_verification/1337/ZgvsUs2bZjr9Whpy1la7Q0PHbhjmpXtNdH1mCmDbQP7', follow_redirects=True)
+		dump('selfservice_verify_email_legacy', r)
+		self.assertEqual(r.status_code, 200)
+		email = UserEmail.query.get(email_id)
+		self.assertTrue(email.verified)
+		self.assertEqual(self.get_user().primary_email, email)
+	def test_verify_email_duplicate_strict_uniqueness(self):
+		FeatureFlag.unique_email_addresses.enable()
+		db.session.commit()
+		self.login_as('user')
+		email = UserEmail(user=self.get_user(), address='admin@example.com')
+		secret = email.start_verification()
+		db.session.add(email)
+		db.session.commit()
+		email_id = email.id
+		r = self.client.get(path=url_for('selfservice.verify_email', email_id=email.id, secret=secret), follow_redirects=True)
+		dump('selfservice_verify_email_duplicate_strict_uniqueness', r)
+		email = UserEmail.query.get(email_id)
+		self.assertFalse(email.verified)
+	def test_retry_email_verification(self):
+		self.login_as('user')
+		email = UserEmail(user=self.get_user(), address='new@example.com')
+		old_secret = email.start_verification()
+		db.session.add(email)
+		db.session.commit()
+		r = self.client.get(path=url_for('selfservice.retry_email_verification', email_id=email.id), follow_redirects=True)
+		dump('selfservice_retry_email_verification', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertIn('new@example.com', self.app.last_mail['To'])
+		m = re.search(r'/email/([0-9]+)/verify/(.*)', str(self.app.last_mail.get_content()))
+		email_id, secret = m.groups()
+		email = UserEmail.query.get(email_id)
+		self.assertEqual(email.user.id, request.user.id)
+		self.assertEqual(email.address, 'new@example.com')
+		self.assertFalse(email.verified)
+		self.assertFalse(email.verification_expired)
+		self.assertTrue(email.verification_secret.verify(secret))
+		self.assertFalse(email.verification_secret.verify(old_secret))
+	def test_delete_email(self):
+		self.login_as('user')
+		email = UserEmail(user=self.get_user(), address='new@example.com', verified=True)
+		db.session.add(email)
+		self.get_user().recovery_email = email
+		db.session.commit()
+		r = self.client.post(path=url_for('selfservice.delete_email', email_id=email.id), follow_redirects=True)
+		dump('selfservice_delete_email', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertIsNone(UserEmail.query.filter_by(address='new@example.com').first())
+		self.assertIsNone(self.get_user().recovery_email)
+		self.assertEqual(self.get_user().primary_email.address, 'test@example.com')
+	def test_delete_email_invalid(self):
+		self.login_as('user')
+		r = self.client.post(path=url_for('selfservice.delete_email', email_id=2324), follow_redirects=True)
+		self.assertEqual(r.status_code, 404)
+	def test_delete_email_primary(self):
+		self.login_as('user')
+		r = self.client.post(path=url_for('selfservice.delete_email', email_id=request.user.primary_email.id), follow_redirects=True)
+		dump('selfservice_delete_email_primary', r)
+		self.assertEqual(self.get_user().primary_email.address, 'test@example.com')
+	def test_update_email_preferences(self):
+		self.login_as('user')
+		user_id = self.get_user().id
+		email = UserEmail(user=self.get_user(), address='new@example.com', verified=True)
+		db.session.add(email)
+		service = Service(name='service', enable_email_preferences=True, limit_access=False)
+		db.session.add(service)
+		db.session.commit()
+		email_id = email.id
+		service_id = service.id
+		old_email_id = self.get_user().primary_email.id
+		r = self.client.post(path=url_for('selfservice.update_email_preferences'),
+			data={'primary_email': str(email_id), 'recovery_email': 'primary'},
+			follow_redirects=True)
+		dump('selfservice_update_email_preferences', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(self.get_user().primary_email.id, email.id)
+		self.assertIsNone(self.get_user().recovery_email)
+		r = self.client.post(path=url_for('selfservice.update_email_preferences'),
+			data={'primary_email': str(old_email_id), 'recovery_email': str(email_id)},
+			follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(self.get_user().primary_email.id, old_email_id)
+		self.assertEqual(self.get_user().recovery_email.id, email_id)
+		r = self.client.post(path=url_for('selfservice.update_email_preferences'),
+			data={'primary_email': str(old_email_id), 'recovery_email': 'primary', f'service_{service_id}_email': 'primary'},
+			follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertIsNone(ServiceUser.query.get((service_id, user_id)).service_email)
+		r = self.client.post(path=url_for('selfservice.update_email_preferences'),
+			data={'primary_email': str(old_email_id), 'recovery_email': 'primary', f'service_{service_id}_email': str(email_id)},
+			follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(ServiceUser.query.get((service_id, user_id)).service_email.id, email_id)
+	def test_update_email_preferences_unverified(self):
+		self.login_as('user')
+		user_id = self.get_user().id
+		email = UserEmail(user=self.get_user(), address='new@example.com')
+		db.session.add(email)
+		service = Service(name='service', enable_email_preferences=True, limit_access=False)
+		db.session.add(service)
+		db.session.commit()
+		email_id = email.id
+		service_id = service.id
+		old_email_id = self.get_user().primary_email.id
+		with self.assertRaises(Exception):
+			r = self.client.post(path=url_for('selfservice.update_email_preferences'),
+				data={'primary_email': str(email_id), 'recovery_email': 'primary'},
+				follow_redirects=True)
+		with self.app.test_request_context():
+			self.assertEqual(self.get_user().primary_email.address, 'test@example.com')
+		with self.assertRaises(Exception):
+			r = self.client.post(path=url_for('selfservice.update_email_preferences'),
+				data={'primary_email': str(old_email_id), 'recovery_email': str(email_id)},
+				follow_redirects=True)
+		with self.app.test_request_context():
+			self.assertIsNone(self.get_user().recovery_email)
+		with self.assertRaises(Exception):
+			r = self.client.post(path=url_for('selfservice.update_email_preferences'),
+				data={'primary_email': str(old_email_id), 'recovery_email': 'primary', f'service_{service_id}_email': str(email_id)},
+				follow_redirects=True)
+		with self.app.test_request_context():
+			self.assertIsNone(ServiceUser.query.get((service_id, user_id)).service_email)
+	def test_update_email_preferences_invalid(self):
+		self.login_as('user')
+		user_id = self.get_user().id
+		email = UserEmail(user=self.get_user(), address='new@example.com', verified=True)
+		db.session.add(email)
+		service = Service(name='service', enable_email_preferences=True, limit_access=False)
+		db.session.add(service)
+		db.session.commit()
+		with self.assertRaises(Exception):
+			r = self.client.post(path=url_for('selfservice.update_email_preferences'),
+				data={'primary_email': str(email.id), 'recovery_email': '2342'},
+				follow_redirects=True)
+		with self.assertRaises(Exception):
+			r = self.client.post(path=url_for('selfservice.update_email_preferences'),
+				data={'primary_email': str(email.id), 'recovery_email': 'primary', f'service_{service_id}_email': '2342'},
+				follow_redirects=True)
+		with self.assertRaises(Exception):
+			r = self.client.post(path=url_for('selfservice.update_email_preferences'),
+				data={'primary_email': 'primary', 'recovery_email': 'primary'},
+				follow_redirects=True)
+		with self.assertRaises(Exception):
+			r = self.client.post(path=url_for('selfservice.update_email_preferences'),
+				data={'primary_email': '2342', 'recovery_email': 'primary'},
+				follow_redirects=True)
+	def test_change_password(self):
+		self.login_as('user')
+		r = self.client.post(path=url_for('selfservice.change_password'),
+			data={'password1': 'newpassword', 'password2': 'newpassword'},
+			follow_redirects=True)
+		dump('change_password', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertTrue(self.get_user().password.verify('newpassword'))
+	def test_change_password_invalid(self):
+		self.login_as('user')
+		r = self.client.post(path=url_for('selfservice.change_password'),
+			data={'password1': 'shortpw', 'password2': 'shortpw'},
+			follow_redirects=True)
+		dump('change_password_invalid', r)
+		self.assertEqual(r.status_code, 200)
+		user = self.get_user()
+		self.assertFalse(user.password.verify('shortpw'))
+		self.assertTrue(user.password.verify('userpassword'))
+	# Regression test for #100 (login not possible if password contains character disallowed by SASLprep)
+	def test_change_password_samlprep_invalid(self):
+		self.login_as('user')
+		r = self.client.post(path=url_for('selfservice.change_password'),
+			data={'password1': 'shortpw\n', 'password2': 'shortpw\n'},
+			follow_redirects=True)
+		dump('change_password_samlprep_invalid', r)
+		self.assertEqual(r.status_code, 200)
+		user = self.get_user()
+		self.assertFalse(user.password.verify('shortpw\n'))
+		self.assertTrue(user.password.verify('userpassword'))
+	def test_change_password_mismatch(self):
+		self.login_as('user')
+		r = self.client.post(path=url_for('selfservice.change_password'),
+			data={'password1': 'newpassword1', 'password2': 'newpassword2'},
+			follow_redirects=True)
+		dump('change_password_mismatch', r)
+		self.assertEqual(r.status_code, 200)
+		user = self.get_user()
+		self.assertFalse(user.password.verify('newpassword1'))
+		self.assertFalse(user.password.verify('newpassword2'))
+		self.assertTrue(user.password.verify('userpassword'))
+	def test_leave_role(self):
+		baserole = Role(name='baserole', is_default=True)
+		db.session.add(baserole)
+		baserole.groups[self.get_access_group()] = RoleGroup()
+		role1 = Role(name='testrole1')
+		role2 = Role(name='testrole2')
+		db.session.add(role1)
+		db.session.add(role2)
+		self.get_user().roles = [role1, role2]
+		db.session.commit()
+		roleid = role1.id
+		self.login_as('user')
+		r = self.client.post(path=url_for('selfservice.leave_role', roleid=roleid), follow_redirects=True)
+		dump('leave_role', r)
+		self.assertEqual(r.status_code, 200)
+		_user = self.get_user()
+		self.assertEqual(len(_user.roles), 1)
+		self.assertEqual(list(_user.roles)[0].name, 'testrole2')
+	def test_forgot_password(self):
+		user = self.get_user()
+		r = self.client.get(path=url_for('selfservice.forgot_password'))
+		dump('forgot_password', r)
+		self.assertEqual(r.status_code, 200)
+		user = self.get_user()
+		r = self.client.post(path=url_for('selfservice.forgot_password'),
+			data={'loginname': user.loginname, 'mail': user.primary_email.address}, follow_redirects=True)
+		dump('forgot_password_submit', r)
+		self.assertEqual(r.status_code, 200)
+		token = PasswordToken.query.filter(PasswordToken.user == user).first()
+		self.assertIsNotNone(token)
+		self.assertIn(token.token, str(self.app.last_mail.get_content()))
+	def test_forgot_password_wrong_user(self):
+		user = self.get_user()
+		r = self.client.get(path=url_for('selfservice.forgot_password'))
+		self.assertEqual(r.status_code, 200)
+		user = self.get_user()
+		r = self.client.post(path=url_for('selfservice.forgot_password'),
+			data={'loginname': 'not_a_user', 'mail': user.primary_email.address}, follow_redirects=True)
+		dump('forgot_password_submit_wrong_user', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertFalse(hasattr(self.app, 'last_mail'))
+		self.assertEqual(len(PasswordToken.query.all()), 0)
+	def test_forgot_password_wrong_email(self):
+		user = self.get_user()
+		r = self.client.get(path=url_for('selfservice.forgot_password'), follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		r = self.client.post(path=url_for('selfservice.forgot_password'),
+			data={'loginname': user.loginname, 'mail': 'not_an_email@example.com'}, follow_redirects=True)
+		dump('forgot_password_submit_wrong_email', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertFalse(hasattr(self.app, 'last_mail'))
+		self.assertEqual(len(PasswordToken.query.all()), 0)
+	# Regression test for #31
+	def test_forgot_password_invalid_user(self):
+		r = self.client.post(path=url_for('selfservice.forgot_password'),
+			data={'loginname': '=', 'mail': 'test@example.com'}, follow_redirects=True)
+		dump('forgot_password_submit_invalid_user', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertFalse(hasattr(self.app, 'last_mail'))
+		self.assertEqual(len(PasswordToken.query.all()), 0)
+	def test_forgot_password_wrong_user(self):
+		user = self.get_user()
+		r = self.client.get(path=url_for('selfservice.forgot_password'))
+		self.assertEqual(r.status_code, 200)
+		user = self.get_user()
+		user.is_deactivated = True
+		db.session.commit()
+		r = self.client.post(path=url_for('selfservice.forgot_password'),
+			data={'loginname': user.loginname, 'mail': user.primary_email.address}, follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertFalse(hasattr(self.app, 'last_mail'))
+		self.assertEqual(len(PasswordToken.query.all()), 0)
+	def test_token_password(self):
+		user = self.get_user()
+		token = PasswordToken(user=user)
+		db.session.add(token)
+		db.session.commit()
+		self.assertFalse(token.expired)
+		r = self.client.get(path=url_for('selfservice.token_password', token_id=token.id, token=token.token), follow_redirects=True)
+		dump('token_password', r)
+		self.assertEqual(r.status_code, 200)
+		r = self.client.post(path=url_for('selfservice.token_password', token_id=token.id, token=token.token),
+			data={'password1': 'newpassword', 'password2': 'newpassword'}, follow_redirects=True)
+		dump('token_password_submit', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertTrue(self.get_user().password.verify('newpassword'))
+	def test_token_password_emptydb(self):
+		user = self.get_user()
+		r = self.client.get(path=url_for('selfservice.token_password', token_id=1, token='A'*128), follow_redirects=True)
+		dump('token_password_emptydb', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertIn(b'Link invalid or expired', r.data)
+		r = self.client.post(path=url_for('selfservice.token_password', token_id=1, token='A'*128),
+			data={'password1': 'newpassword', 'password2': 'newpassword'}, follow_redirects=True)
+		dump('token_password_emptydb_submit', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertIn(b'Link invalid or expired', r.data)
+		self.assertTrue(self.get_user().password.verify('userpassword'))
+	def test_token_password_invalid(self):
+		user = self.get_user()
+		token = PasswordToken(user=user)
+		db.session.add(token)
+		db.session.commit()
+		r = self.client.get(path=url_for('selfservice.token_password', token_id=token.id, token='A'*128), follow_redirects=True)
+		dump('token_password_invalid', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertIn(b'Link invalid or expired', r.data)
+		r = self.client.post(path=url_for('selfservice.token_password', token_id=token.id, token='A'*128),
+			data={'password1': 'newpassword', 'password2': 'newpassword'}, follow_redirects=True)
+		dump('token_password_invalid_submit', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertIn(b'Link invalid or expired', r.data)
+		self.assertTrue(self.get_user().password.verify('userpassword'))
+	def test_token_password_expired(self):
+		user = self.get_user()
+		token = PasswordToken(user=user, created=(datetime.datetime.utcnow() - datetime.timedelta(days=10)))
+		db.session.add(token)
+		db.session.commit()
+		self.assertTrue(token.expired)
+		r = self.client.get(path=url_for('selfservice.token_password', token_id=token.id, token=token.token), follow_redirects=True)
+		dump('token_password_invalid_expired', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertIn(b'Link invalid or expired', r.data)
+		r = self.client.post(path=url_for('selfservice.token_password', token_id=token.id, token=token.token),
+			data={'password1': 'newpassword', 'password2': 'newpassword'}, follow_redirects=True)
+		dump('token_password_invalid_expired_submit', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertIn(b'Link invalid or expired', r.data)
+		self.assertTrue(self.get_user().password.verify('userpassword'))
+	def test_token_password_different_passwords(self):
+		user = self.get_user()
+		token = PasswordToken(user=user)
+		db.session.add(token)
+		db.session.commit()
+		r = self.client.get(path=url_for('selfservice.token_password', token_id=token.id, token=token.token), follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		r = self.client.post(path=url_for('selfservice.token_password', token_id=token.id, token=token.token),
+			data={'password1': 'newpassword', 'password2': 'differentpassword'}, follow_redirects=True)
+		dump('token_password_different_passwords_submit', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertTrue(self.get_user().password.verify('userpassword'))
+def get_fido2_test_cred(self):
+	try:
+		from uffd.fido2_compat import AttestedCredentialData
+	except ImportError:
+		self.skipTest('fido2 could not be imported')
+	# Example public key from webauthn spec 6.5.1.1
+	return AttestedCredentialData(bytes.fromhex('00000000000000000000000000000000'+'0040'+'053cbcc9d37a61d3bac87cdcc77ee326256def08ab15775d3a720332e4101d14fae95aeee3bc9698781812e143c0597dc6e180595683d501891e9dd030454c0a'+'A501020326200121582065eda5a12577c2bae829437fe338701a10aaa375e1bb5b5de108de439c08551d2258201e52ed75701163f7f9e40ddf9f341b3dc9ba860af7e0ca7ca7e9eecd0084d19c'))
+class TestMfaViews(UffdTestCase):
+	def setUp(self):
+		super().setUp()
+		db.session.add(RecoveryCodeMethod(user=self.get_admin()))
+		db.session.add(TOTPMethod(user=self.get_admin(), name='Admin Phone'))
+		# We don't want to skip all tests only because fido2 is not installed!
+		#db.session.add(WebauthnMethod(user=get_testadmin(), cred=get_fido2_test_cred(self), name='Admin FIDO2 dongle'))
+		db.session.commit()
+	def add_recovery_codes(self, count=10):
+		user = self.get_user()
+		for _ in range(count):
+			db.session.add(RecoveryCodeMethod(user=user))
+		db.session.commit()
+	def add_totp(self):
+		db.session.add(TOTPMethod(user=self.get_user(), name='My phone'))
+		db.session.commit()
+	def add_webauthn(self):
+		db.session.add(WebauthnMethod(user=self.get_user(), cred=get_fido2_test_cred(self), name='My FIDO2 dongle'))
+		db.session.commit()
+	def test_setup_disabled(self):
+		self.login_as('user')
+		r = self.client.get(path=url_for('selfservice.setup_mfa'), follow_redirects=True)
+		dump('mfa_setup_disabled', r)
+		self.assertEqual(r.status_code, 200)
+	def test_setup_recovery_codes(self):
+		self.login_as('user')
+		self.add_recovery_codes()
+		r = self.client.get(path=url_for('selfservice.setup_mfa'), follow_redirects=True)
+		dump('mfa_setup_only_recovery_codes', r)
+		self.assertEqual(r.status_code, 200)
+	def test_setup_enabled(self):
+		self.login_as('user')
+		self.add_recovery_codes()
+		self.add_totp()
+		self.add_webauthn()
+		r = self.client.get(path=url_for('selfservice.setup_mfa'), follow_redirects=True)
+		dump('mfa_setup_enabled', r)
+		self.assertEqual(r.status_code, 200)
+	def test_setup_few_recovery_codes(self):
+		self.login_as('user')
+		self.add_totp()
+		self.add_recovery_codes(1)
+		r = self.client.get(path=url_for('selfservice.setup_mfa'), follow_redirects=True)
+		dump('mfa_setup_few_recovery_codes', r)
+		self.assertEqual(r.status_code, 200)
+	def test_setup_no_recovery_codes(self):
+		self.login_as('user')
+		self.add_totp()
+		r = self.client.get(path=url_for('selfservice.setup_mfa'), follow_redirects=True)
+		dump('mfa_setup_no_recovery_codes', r)
+		self.assertEqual(r.status_code, 200)
+	def test_disable(self):
+		baserole = Role(name='baserole', is_default=True)
+		db.session.add(baserole)
+		baserole.groups[self.get_access_group()] = RoleGroup()
+		db.session.commit()
+		self.login_as('user')
+		self.add_recovery_codes()
+		self.add_totp()
+		admin_methods = len(MFAMethod.query.filter_by(user=self.get_admin()).all())
+		r = self.client.get(path=url_for('selfservice.disable_mfa'), follow_redirects=True)
+		dump('mfa_disable', r)
+		self.assertEqual(r.status_code, 200)
+		r = self.client.post(path=url_for('selfservice.disable_mfa_confirm'), follow_redirects=True)
+		dump('mfa_disable_submit', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(len(MFAMethod.query.filter_by(user=request.user).all()), 0)
+		self.assertEqual(len(MFAMethod.query.filter_by(user=self.get_admin()).all()), admin_methods)
+	def test_disable_recovery_only(self):
+		baserole = Role(name='baserole', is_default=True)
+		db.session.add(baserole)
+		baserole.groups[self.get_access_group()] = RoleGroup()
+		db.session.commit()
+		self.login_as('user')
+		self.add_recovery_codes()
+		admin_methods = len(MFAMethod.query.filter_by(user=self.get_admin()).all())
+		self.assertNotEqual(len(MFAMethod.query.filter_by(user=request.user).all()), 0)
+		r = self.client.get(path=url_for('selfservice.disable_mfa'), follow_redirects=True)
+		dump('mfa_disable_recovery_only', r)
+		self.assertEqual(r.status_code, 200)
+		r = self.client.post(path=url_for('selfservice.disable_mfa_confirm'), follow_redirects=True)
+		dump('mfa_disable_recovery_only_submit', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(len(MFAMethod.query.filter_by(user=request.user).all()), 0)
+		self.assertEqual(len(MFAMethod.query.filter_by(user=self.get_admin()).all()), admin_methods)
+	def test_setup_recovery(self):
+		self.login_as('user')
+		self.assertEqual(len(RecoveryCodeMethod.query.filter_by(user=request.user).all()), 0)
+		r = self.client.post(path=url_for('selfservice.setup_mfa_recovery'), follow_redirects=True)
+		dump('mfa_setup_recovery', r)
+		self.assertEqual(r.status_code, 200)
+		methods = RecoveryCodeMethod.query.filter_by(user=request.user).all()
+		self.assertNotEqual(len(methods), 0)
+		r = self.client.post(path=url_for('selfservice.setup_mfa_recovery'), follow_redirects=True)
+		dump('mfa_setup_recovery_reset', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(len(RecoveryCodeMethod.query.filter_by(id=methods[0].id).all()), 0)
+		self.assertNotEqual(len(methods), 0)
+	def test_setup_totp(self):
+		self.login_as('user')
+		self.add_recovery_codes()
+		r = self.client.get(path=url_for('selfservice.setup_mfa_totp', name='My TOTP Authenticator'), follow_redirects=True)
+		dump('mfa_setup_totp', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertNotEqual(len(session.get('mfa_totp_key', '')), 0)
+	def test_setup_totp_without_recovery(self):
+		self.login_as('user')
+		r = self.client.get(path=url_for('selfservice.setup_mfa_totp', name='My TOTP Authenticator'), follow_redirects=True)
+		dump('mfa_setup_totp_without_recovery', r)
+		self.assertEqual(r.status_code, 200)
+	def test_setup_totp_finish(self):
+		baserole = Role(name='baserole', is_default=True)
+		db.session.add(baserole)
+		baserole.groups[self.get_access_group()] = RoleGroup()
+		db.session.commit()
+		self.login_as('user')
+		self.add_recovery_codes()
+		self.assertEqual(len(TOTPMethod.query.filter_by(user=request.user).all()), 0)
+		r = self.client.get(path=url_for('selfservice.setup_mfa_totp', name='My TOTP Authenticator'), follow_redirects=True)
+		method = TOTPMethod(request.user, key=session.get('mfa_totp_key', ''))
+		code = _hotp(int(time.time()/30), method.raw_key)
+		r = self.client.post(path=url_for('selfservice.setup_mfa_totp_finish', name='My TOTP Authenticator'), data={'code': code}, follow_redirects=True)
+		dump('mfa_setup_totp_finish', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(len(TOTPMethod.query.filter_by(user=request.user).all()), 1)
+	def test_setup_totp_finish_without_recovery(self):
+		self.login_as('user')
+		self.assertEqual(len(TOTPMethod.query.filter_by(user=request.user).all()), 0)
+		r = self.client.get(path=url_for('selfservice.setup_mfa_totp', name='My TOTP Authenticator'), follow_redirects=True)
+		method = TOTPMethod(request.user, key=session.get('mfa_totp_key', ''))
+		code = _hotp(int(time.time()/30), method.raw_key)
+		r = self.client.post(path=url_for('selfservice.setup_mfa_totp_finish', name='My TOTP Authenticator'), data={'code': code}, follow_redirects=True)
+		dump('mfa_setup_totp_finish_without_recovery', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(len(TOTPMethod.query.filter_by(user=request.user).all()), 0)
+	def test_setup_totp_finish_wrong_code(self):
+		self.login_as('user')
+		self.add_recovery_codes()
+		self.assertEqual(len(TOTPMethod.query.filter_by(user=request.user).all()), 0)
+		r = self.client.get(path=url_for('selfservice.setup_mfa_totp', name='My TOTP Authenticator'), follow_redirects=True)
+		method = TOTPMethod(request.user, key=session.get('mfa_totp_key', ''))
+		code = _hotp(int(time.time()/30), method.raw_key)
+		code = str(int(code[0])+1)[-1] + code[1:]
+		r = self.client.post(path=url_for('selfservice.setup_mfa_totp_finish', name='My TOTP Authenticator'), data={'code': code}, follow_redirects=True)
+		dump('mfa_setup_totp_finish_wrong_code', r)
+		self.assertEqual(r.status_code, 200)
+		db_flush()
+		self.assertEqual(len(TOTPMethod.query.filter_by(user=request.user).all()), 0)
+	def test_setup_totp_finish_empty_code(self):
+		self.login_as('user')
+		self.add_recovery_codes()
+		self.assertEqual(len(TOTPMethod.query.filter_by(user=request.user).all()), 0)
+		r = self.client.get(path=url_for('selfservice.setup_mfa_totp', name='My TOTP Authenticator'), follow_redirects=True)
+		r = self.client.post(path=url_for('selfservice.setup_mfa_totp_finish', name='My TOTP Authenticator'), data={'code': ''}, follow_redirects=True)
+		dump('mfa_setup_totp_finish_empty_code', r)
+		self.assertEqual(r.status_code, 200)
+		db_flush()
+		self.assertEqual(len(TOTPMethod.query.filter_by(user=request.user).all()), 0)
+	def test_delete_totp(self):
+		baserole = Role(name='baserole', is_default=True)
+		db.session.add(baserole)
+		baserole.groups[self.get_access_group()] = RoleGroup()
+		db.session.commit()
+		self.login_as('user')
+		self.add_recovery_codes()
+		self.add_totp()
+		method = TOTPMethod(request.user, name='test')
+		db.session.add(method)
+		db.session.commit()
+		self.assertEqual(len(TOTPMethod.query.filter_by(user=request.user).all()), 2)
+		r = self.client.get(path=url_for('selfservice.delete_mfa_totp', id=method.id), follow_redirects=True)
+		dump('mfa_delete_totp', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(len(TOTPMethod.query.filter_by(id=method.id).all()), 0)
+		self.assertEqual(len(TOTPMethod.query.filter_by(user=request.user).all()), 1)
+	# TODO: webauthn setup tests
--- a/tests/views/test_services.py
+++ b/tests/views/test_services.py
+from flask import url_for
+from uffd.database import db
+from uffd.models import Service, ServiceUser, OAuth2Client, APIClient, RemailerMode
+from tests.utils import dump, UffdTestCase
+class TestServices(UffdTestCase):
+	def setUpApp(self):
+		self.app.config['SERVICES'] = [
+			{
+				'title': 'Service Title',
+				'subtitle': 'Service Subtitle',
+				'description': 'Short description of the service as plain text',
+				'url': 'https://example.com/',
+				'logo_url': '/static/fairy-dust-color.png',
+				'required_group': 'users',
+				'permission_levels': [
+					{'name': 'Moderator', 'required_group': 'moderators'},
+					{'name': 'Admin', 'required_group': 'uffd_admin'},
+				],
+				'confidential': True,
+				'groups': [
+					{'name': 'Group "crew_crew"', 'required_group': 'users'},
+					{'name': 'Group "crew_logistik"', 'required_group': 'uffd_admin'},
+				],
+				'infos': [
+					{'title': 'Documentation', 'html': '<p>Some information about the service as html</p>', 'required_group': 'users'},
+				],
+				'links': [
+					{'title': 'Link to an external site', 'url': '#', 'required_group': 'users'},
+				],
+			},
+			{
+				'title': 'Minimal Service Title',
+			}
+		]
+		self.app.config['SERVICES_PUBLIC'] = True
+	def test_overview(self):
+		r = self.client.get(path=url_for('service.overview'))
+		dump('service_overview_guest', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertNotIn(b'https://example.com/', r.data)
+		self.login_as('user')
+		r = self.client.get(path=url_for('service.overview'))
+		dump('service_overview_user', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertIn(b'https://example.com/', r.data)
+	def test_overview_disabled(self):
+		self.app.config['SERVICES'] = []
+		# Should return login page
+		r = self.client.get(path=url_for('service.overview'), follow_redirects=True)
+		dump('service_overview_disabled_guest', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertIn(b'name="password"', r.data)
+		self.login_as('user')
+		# Should return access denied page
+		r = self.client.get(path=url_for('service.overview'), follow_redirects=True)
+		dump('service_overview_disabled_user', r)
+		self.assertEqual(r.status_code, 403)
+		self.login_as('admin')
+		# Should return (empty) overview page
+		r = self.client.get(path=url_for('service.overview'), follow_redirects=True)
+		dump('service_overview_disabled_admin', r)
+		self.assertEqual(r.status_code, 200)
+	def test_overview_nonpublic(self):
+		self.app.config['SERVICES_PUBLIC'] = False
+		# Should return login page
+		r = self.client.get(path=url_for('service.overview'), follow_redirects=True)
+		dump('service_overview_nonpublic_guest', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertIn(b'name="password"', r.data)
+		self.login_as('user')
+		# Should return overview page
+		r = self.client.get(path=url_for('service.overview'), follow_redirects=True)
+		dump('service_overview_nonpublic_user', r)
+		self.assertEqual(r.status_code, 200)
+		self.login_as('admin')
+		# Should return overview page
+		r = self.client.get(path=url_for('service.overview'), follow_redirects=True)
+		dump('service_overview_nonpublic_admin', r)
+		self.assertEqual(r.status_code, 200)
+	def test_overview_public(self):
+		# Should return overview page
+		r = self.client.get(path=url_for('service.overview'), follow_redirects=True)
+		dump('service_overview_public_guest', r)
+		self.assertEqual(r.status_code, 200)
+		self.login_as('user')
+		# Should return overview page
+		r = self.client.get(path=url_for('service.overview'), follow_redirects=True)
+		dump('service_overview_public_user', r)
+		self.assertEqual(r.status_code, 200)
+		self.login_as('admin')
+		# Should return overview page
+		r = self.client.get(path=url_for('service.overview'), follow_redirects=True)
+		dump('service_overview_public_admin', r)
+		self.assertEqual(r.status_code, 200)
+class TestServiceAdminViews(UffdTestCase):
+	def setUpDB(self):
+		db.session.add(Service(
+			name='test1',
+			oauth2_clients=[OAuth2Client(client_id='test1_oauth2_client1', client_secret='test'), OAuth2Client(client_id='test1_oauth2_client2', client_secret='test')],
+			api_clients=[APIClient(auth_username='test1_api_client1', auth_password='test'), APIClient(auth_username='test1_api_client2', auth_password='test')],
+		))
+		db.session.add(Service(name='test2'))
+		db.session.add(Service(name='test3'))
+		db.session.commit()
+		self.service_id = Service.query.filter_by(name='test1').one().id
+	def test_index(self):
+		self.login_as('admin')
+		r = self.client.get(path=url_for('service.index'), follow_redirects=True)
+		dump('service_index', r)
+		self.assertEqual(r.status_code, 200)
+	def test_show(self):
+		self.login_as('admin')
+		r = self.client.get(path=url_for('service.show', id=self.service_id), follow_redirects=True)
+		dump('service_show', r)
+		self.assertEqual(r.status_code, 200)
+	def test_new(self):
+		self.login_as('admin')
+		r = self.client.get(path=url_for('service.show'), follow_redirects=True)
+		dump('service_new', r)
+		self.assertEqual(r.status_code, 200)
+	def test_new_submit(self):
+		self.login_as('admin')
+		r = self.client.post(
+			path=url_for('service.edit_submit'),
+			follow_redirects=True,
+			data={
+				'name': 'new-service',
+				'access-group': '',
+				'remailer-mode': 'DISABLED',
+				'remailer-overwrite-mode': 'ENABLED_V2',
+				'remailer-overwrite-users': '',
+			},
+		)
+		dump('service_new_submit', r)
+		self.assertEqual(r.status_code, 200)
+		service = Service.query.filter_by(name='new-service').one_or_none()
+		self.assertIsNotNone(service)
+		self.assertEqual(service.limit_access, True)
+		self.assertEqual(service.access_group, None)
+		self.assertEqual(service.remailer_mode, RemailerMode.DISABLED)
+		self.assertEqual(service.enable_email_preferences, False)
+	def test_edit(self):
+		self.login_as('admin')
+		r = self.client.post(
+			path=url_for('service.edit_submit', id=self.service_id),
+			follow_redirects=True,
+			data={
+				'name': 'new-name',
+				'access-group': '',
+				'remailer-mode': 'DISABLED',
+				'remailer-overwrite-mode': 'ENABLED_V2',
+				'remailer-overwrite-users': '',
+			},
+		)
+		dump('service_edit_submit', r)
+		self.assertEqual(r.status_code, 200)
+		service = Service.query.get(self.service_id)
+		self.assertEqual(service.name, 'new-name')
+		self.assertEqual(service.limit_access, True)
+		self.assertEqual(service.access_group, None)
+		self.assertEqual(service.remailer_mode, RemailerMode.DISABLED)
+		self.assertEqual(service.enable_email_preferences, False)
+		self.assertEqual(service.hide_deactivated_users, False)
+	def test_edit_access_all(self):
+		self.login_as('admin')
+		r = self.client.post(
+			path=url_for('service.edit_submit', id=self.service_id),
+			follow_redirects=True,
+			data={
+				'name': 'test1',
+				'access-group': 'all',
+				'remailer-mode': 'DISABLED',
+				'remailer-overwrite-mode': 'ENABLED_V2',
+				'remailer-overwrite-users': '',
+			},
+		)
+		self.assertEqual(r.status_code, 200)
+		service = Service.query.get(self.service_id)
+		self.assertEqual(service.limit_access, False)
+		self.assertEqual(service.access_group, None)
+	def test_edit_access_group(self):
+		self.login_as('admin')
+		r = self.client.post(
+			path=url_for('service.edit_submit', id=self.service_id),
+			follow_redirects=True,
+			data={
+				'name': 'test1',
+				'access-group': str(self.get_users_group().id),
+				'remailer-mode': 'DISABLED',
+				'remailer-overwrite-mode': 'ENABLED_V2',
+				'remailer-overwrite-users': '',
+			},
+		)
+		self.assertEqual(r.status_code, 200)
+		service = Service.query.get(self.service_id)
+		self.assertEqual(service.limit_access, True)
+		self.assertEqual(service.access_group, self.get_users_group())
+	def test_edit_hide_deactivated_users(self):
+		self.login_as('admin')
+		r = self.client.post(
+			path=url_for('service.edit_submit', id=self.service_id),
+			follow_redirects=True,
+			data={
+				'name': 'test1',
+				'access-group': '',
+				'remailer-mode': 'DISABLED',
+				'remailer-overwrite-mode': 'ENABLED_V2',
+				'remailer-overwrite-users': '',
+				'hide_deactivated_users': '1',
+			},
+		)
+		self.assertEqual(r.status_code, 200)
+		service = Service.query.get(self.service_id)
+		self.assertEqual(service.hide_deactivated_users, True)
+	def test_edit_email_preferences(self):
+		self.login_as('admin')
+		r = self.client.post(
+			path=url_for('service.edit_submit', id=self.service_id),
+			follow_redirects=True,
+			data={
+				'name': 'test1',
+				'access-group': '',
+				'remailer-mode': 'DISABLED',
+				'remailer-overwrite-mode': 'ENABLED_V2',
+				'remailer-overwrite-users': '',
+				'enable_email_preferences': '1',
+			},
+		)
+		self.assertEqual(r.status_code, 200)
+		service = Service.query.get(self.service_id)
+		self.assertEqual(service.enable_email_preferences, True)
+	def test_edit_remailer_mode(self):
+		self.login_as('admin')
+		r = self.client.post(
+			path=url_for('service.edit_submit', id=self.service_id),
+			follow_redirects=True,
+			data={
+				'name': 'test1',
+				'access-group': '',
+				'remailer-mode': 'ENABLED_V2',
+				'remailer-overwrite-mode': 'ENABLED_V2',
+				'remailer-overwrite-users': '',
+			},
+		)
+		self.assertEqual(r.status_code, 200)
+		service = Service.query.get(self.service_id)
+		self.assertEqual(service.remailer_mode, RemailerMode.ENABLED_V2)
+	def test_edit_remailer_overwrite_enable(self):
+		self.login_as('admin')
+		r = self.client.post(
+			path=url_for('service.edit_submit', id=self.service_id),
+			follow_redirects=True,
+			data={
+				'name': 'test1',
+				'access-group': '',
+				'remailer-mode': 'DISABLED',
+				'remailer-overwrite-mode': 'ENABLED_V2',
+				'remailer-overwrite-users': 'testuser, testadmin',
+			},
+		)
+		self.assertEqual(r.status_code, 200)
+		service_user1 = ServiceUser.query.get((self.service_id, self.get_user().id))
+		service_user2 = ServiceUser.query.get((self.service_id, self.get_admin().id))
+		self.assertEqual(service_user1.remailer_overwrite_mode, RemailerMode.ENABLED_V2)
+		self.assertEqual(service_user2.remailer_overwrite_mode, RemailerMode.ENABLED_V2)
+		self.assertEqual(
+			set(ServiceUser.query.filter(
+				ServiceUser.service_id == self.service_id,
+				ServiceUser.remailer_overwrite_mode != None
+			).all()),
+			{service_user1, service_user2}
+		)
+	def test_edit_remailer_overwrite_change(self):
+		service_user = ServiceUser.query.get((self.service_id, self.get_user().id))
+		service_user.remailer_overwrite_mode = RemailerMode.ENABLED_V2
+		db.session.commit()
+		self.login_as('admin')
+		r = self.client.post(
+			path=url_for('service.edit_submit', id=self.service_id),
+			follow_redirects=True,
+			data={
+				'name': 'test1',
+				'access-group': '',
+				'remailer-mode': 'DISABLED',
+				'remailer-overwrite-mode': 'ENABLED_V1',
+				'remailer-overwrite-users': ', testadmin',
+			},
+		)
+		self.assertEqual(r.status_code, 200)
+		service_user = ServiceUser.query.get((self.service_id, self.get_admin().id))
+		self.assertEqual(service_user.remailer_overwrite_mode, RemailerMode.ENABLED_V1)
+		self.assertEqual(
+			ServiceUser.query.filter(
+				ServiceUser.service_id == self.service_id,
+				ServiceUser.remailer_overwrite_mode != None
+			).all(),
+			[service_user]
+		)
+	def test_edit_remailer_overwrite_disable(self):
+		service_user = ServiceUser.query.get((self.service_id, self.get_user().id))
+		service_user.remailer_overwrite_mode = RemailerMode.ENABLED_V2
+		db.session.commit()
+		self.login_as('admin')
+		r = self.client.post(
+			path=url_for('service.edit_submit', id=self.service_id),
+			follow_redirects=True,
+			data={
+				'name': 'test1',
+				'access-group': '',
+				'remailer-mode': 'DISABLED',
+				'remailer-overwrite-mode': 'ENABLED_V2',
+				'remailer-overwrite-users': '',
+			},
+		)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(
+			ServiceUser.query.filter(
+				ServiceUser.service_id == self.service_id,
+				ServiceUser.remailer_overwrite_mode != None
+			).all(),
+			[]
+		)
+	def test_delete(self):
+		self.login_as('admin')
+		r = self.client.get(path=url_for('service.delete', id=self.service_id), follow_redirects=True)
+		dump('service_delete', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertIsNone(Service.query.get(self.service_id))
--- a/tests/test_session.py
+++ b/tests/test_session.py
@@ -3,15 +3,13 @@ import unittest
 from flask import url_for, request
-# These imports are required, because otherwise we get circular imports?!
+from uffd.database import db
-from uffd import user
+from uffd.password_hash import PlaintextPasswordHash
+from uffd.models import DeviceLoginConfirmation, Service, OAuth2Client, OAuth2DeviceLoginInitiation, User, RecoveryCodeMethod, TOTPMethod
+from uffd.models.mfa import _hotp
+from uffd.views.session import login_required
-from uffd.session.views import login_required
+from tests.utils import dump, UffdTestCase, db_flush
-from uffd.session.models import DeviceLoginConfirmation
-from uffd.oauth2.models import OAuth2DeviceLoginInitiation
-from uffd import create_app, db
-from utils import dump, UffdTestCase
 class TestSession(UffdTestCase):
 	def setUpApp(self):
@@ -20,7 +18,7 @@ class TestSession(UffdTestCase):
 		@self.app.route('/test_login_required')
 		@login_required()
 		def test_login_required():
-			return 'SUCCESS', 200
+			return 'SUCCESS ' + request.user.loginname, 200
 		@self.app.route('/test_group_required1')
 		@login_required(lambda: request.user.is_in_group('users'))
@@ -41,15 +39,10 @@ class TestSession(UffdTestCase):
 		self.assertIsNotNone(request.user)
 	def assertLoggedIn(self):
-		self.assertIsNotNone(request.user)
+		self.assertEqual(self.client.get(path=url_for('test_login_required'), follow_redirects=True).data, b'SUCCESS testuser')
-		self.assertEqual(self.client.get(path=url_for('test_login_required'), follow_redirects=True).data, b'SUCCESS')
-		self.assertEqual(request.user.loginname, self.get_user().loginname)
 	def assertLoggedOut(self):
-		self.assertIsNone(request.user)
+		self.assertNotIn(b'SUCCESS', self.client.get(path=url_for('test_login_required'), follow_redirects=True).data)
-		self.assertNotEqual(self.client.get(path=url_for('test_login_required'),
-							follow_redirects=True).data, b'SUCCESS')
-		self.assertEqual(request.user, None)
 	def test_login(self):
 		self.assertLoggedOut()
@@ -61,6 +54,17 @@ class TestSession(UffdTestCase):
 		self.assertEqual(r.status_code, 200)
 		self.assertLoggedIn()
+	def test_login_password_rehash(self):
+		self.get_user().password = PlaintextPasswordHash.from_password('userpassword')
+		db.session.commit()
+		self.assertIsInstance(self.get_user().password, PlaintextPasswordHash)
+		db_flush()
+		r = self.login_as('user')
+		self.assertEqual(r.status_code, 200)
+		self.assertLoggedIn()
+		self.assertIsInstance(self.get_user().password, User.password.method_cls)
+		self.assertTrue(self.get_user().password.verify('userpassword'))
 	def test_titlecase_password(self):
 		r = self.client.post(path=url_for('session.login'),
 			data={'loginname': self.get_user().loginname.title(), 'password': 'userpassword'}, follow_redirects=True)
@@ -70,7 +74,7 @@ class TestSession(UffdTestCase):
 	def test_redirect(self):
 		r = self.login_as('user', ref=url_for('test_login_required'))
 		self.assertEqual(r.status_code, 200)
-		self.assertEqual(r.data, b'SUCCESS')
+		self.assertEqual(r.data, b'SUCCESS testuser')
 	def test_wrong_password(self):
 		r = self.client.post(path=url_for('session.login'),
@@ -117,6 +121,20 @@ class TestSession(UffdTestCase):
 		self.assertEqual(r.status_code, 200)
 		self.assertLoggedOut()
+	def test_deactivated(self):
+		self.get_user().is_deactivated = True
+		db.session.commit()
+		r = self.login_as('user')
+		dump('login_deactivated', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertLoggedOut()
+	def test_deactivated_after_login(self):
+		self.login_as('user')
+		self.get_user().is_deactivated = True
+		db.session.commit()
+		self.assertLoggedOut()
 	def test_group_required(self):
 		self.login()
 		self.assertEqual(self.client.get(path=url_for('test_group_required1'),
@@ -131,7 +149,6 @@ class TestSession(UffdTestCase):
 		self.assertEqual(r.status_code, 200)
 		self.assertLoggedOut()
-	@unittest.skip('See #29')
 	def test_timeout(self):
 		self.login()
 		time.sleep(3)
@@ -148,10 +165,8 @@ class TestSession(UffdTestCase):
 		self.assertIsNone(request.user)
 	def test_deviceauth(self):
-		self.app.config['OAUTH2_CLIENTS'] = {
+		oauth2_client = OAuth2Client(service=Service(name='test', limit_access=False), client_id='test', client_secret='testsecret', redirect_uris=['http://localhost:5009/callback', 'http://localhost:5009/callback2'])
-			'test': {'client_secret': 'testsecret', 'redirect_uris': ['http://localhost:5009/callback', 'http://localhost:5009/callback2']},
+		initiation = OAuth2DeviceLoginInitiation(client=oauth2_client)
-		}
-		initiation = OAuth2DeviceLoginInitiation(oauth2_client_id='test')
 		db.session.add(initiation)
 		db.session.commit()
 		code = initiation.code
@@ -168,8 +183,162 @@ class TestSession(UffdTestCase):
 		self.assertEqual(r.status_code, 200)
 		initiation = OAuth2DeviceLoginInitiation.query.filter_by(code=code).one()
 		self.assertEqual(len(initiation.confirmations), 1)
-		self.assertEqual(initiation.confirmations[0].user.loginname, 'testuser')
+		self.assertEqual(initiation.confirmations[0].session.user.loginname, 'testuser')
 		self.assertIn(initiation.confirmations[0].code.encode(), r.data)
 		r = self.client.get(path=url_for('session.deviceauth_finish'), follow_redirects=True)
 		self.assertEqual(r.status_code, 200)
 		self.assertEqual(DeviceLoginConfirmation.query.all(), [])
+class TestMfaViews(UffdTestCase):
+	def add_recovery_codes(self, count=10):
+		user = self.get_user()
+		for _ in range(count):
+			db.session.add(RecoveryCodeMethod(user=user))
+		db.session.commit()
+	def add_totp(self):
+		db.session.add(TOTPMethod(user=self.get_user(), name='My phone'))
+		db.session.commit()
+	def test_auth_integration(self):
+		self.add_recovery_codes()
+		self.add_totp()
+		db.session.commit()
+		self.assertIsNone(request.user)
+		r = self.login_as('user')
+		dump('mfa_auth_redirected', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertIn(b'/mfa/auth', r.data)
+		self.assertIsNone(request.user)
+		r = self.client.get(path=url_for('session.mfa_auth'), follow_redirects=False)
+		dump('mfa_auth', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertIsNone(request.user)
+	def test_auth_disabled(self):
+		self.assertIsNone(request.user)
+		self.login_as('user')
+		r = self.client.get(path=url_for('session.mfa_auth', ref='/redirecttarget'), follow_redirects=False)
+		self.assertEqual(r.status_code, 302)
+		self.assertTrue(r.location.endswith('/redirecttarget'))
+		self.assertIsNotNone(request.user)
+	def test_auth_recovery_only(self):
+		self.add_recovery_codes()
+		self.assertIsNone(request.user)
+		self.login_as('user')
+		r = self.client.get(path=url_for('session.mfa_auth', ref='/redirecttarget'), follow_redirects=False)
+		self.assertEqual(r.status_code, 302)
+		self.assertTrue(r.location.endswith('/redirecttarget'))
+		self.assertIsNotNone(request.user)
+	def test_auth_recovery_code(self):
+		self.add_recovery_codes()
+		self.add_totp()
+		method = RecoveryCodeMethod(user=self.get_user())
+		db.session.add(method)
+		db.session.commit()
+		method_id = method.id
+		self.login_as('user')
+		r = self.client.get(path=url_for('session.mfa_auth'), follow_redirects=False)
+		dump('mfa_auth_recovery_code', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertIsNone(request.user)
+		r = self.client.post(path=url_for('session.mfa_auth_finish', ref='/redirecttarget'), data={'code': method.code_value})
+		self.assertEqual(r.status_code, 302)
+		self.assertTrue(r.location.endswith('/redirecttarget'))
+		self.assertIsNotNone(request.user)
+		self.assertEqual(len(RecoveryCodeMethod.query.filter_by(id=method_id).all()), 0)
+	def test_auth_totp_code(self):
+		self.add_recovery_codes()
+		self.add_totp()
+		method = TOTPMethod(user=self.get_user(), name='testname')
+		raw_key = method.raw_key
+		db.session.add(method)
+		db.session.commit()
+		self.login_as('user')
+		r = self.client.get(path=url_for('session.mfa_auth'), follow_redirects=False)
+		dump('mfa_auth_totp_code', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertIsNone(request.user)
+		code = _hotp(int(time.time()/30), raw_key)
+		r = self.client.post(path=url_for('session.mfa_auth_finish'), data={'code': code}, follow_redirects=True)
+		dump('mfa_auth_totp_code_submit', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertIsNotNone(request.user)
+	def test_auth_totp_code_reuse(self):
+		self.add_recovery_codes()
+		self.add_totp()
+		method = TOTPMethod(user=self.get_user(), name='testname')
+		raw_key = method.raw_key
+		db.session.add(method)
+		db.session.commit()
+		self.login_as('user')
+		r = self.client.get(path=url_for('session.mfa_auth'), follow_redirects=False)
+		self.assertEqual(r.status_code, 200)
+		self.assertIsNone(request.user)
+		code = _hotp(int(time.time()/30), raw_key)
+		r = self.client.post(path=url_for('session.mfa_auth_finish'), data={'code': code}, follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertIsNotNone(request.user)
+		self.login_as('user')
+		r = self.client.get(path=url_for('session.mfa_auth'), follow_redirects=False)
+		self.assertEqual(r.status_code, 200)
+		self.assertIsNone(request.user)
+		r = self.client.post(path=url_for('session.mfa_auth_finish'), data={'code': code}, follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertIsNone(request.user)
+	def test_auth_empty_code(self):
+		self.add_recovery_codes()
+		self.add_totp()
+		self.login_as('user')
+		r = self.client.get(path=url_for('session.mfa_auth'), follow_redirects=False)
+		self.assertEqual(r.status_code, 200)
+		self.assertIsNone(request.user)
+		r = self.client.post(path=url_for('session.mfa_auth_finish'), data={'code': ''}, follow_redirects=True)
+		dump('mfa_auth_empty_code', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertIsNone(request.user)
+	def test_auth_invalid_code(self):
+		self.add_recovery_codes()
+		self.add_totp()
+		method = TOTPMethod(user=self.get_user(), name='testname')
+		raw_key = method.raw_key
+		db.session.add(method)
+		db.session.commit()
+		self.login_as('user')
+		r = self.client.get(path=url_for('session.mfa_auth'), follow_redirects=False)
+		self.assertEqual(r.status_code, 200)
+		self.assertIsNone(request.user)
+		code = _hotp(int(time.time()/30), raw_key)
+		code = str(int(code[0])+1)[-1] + code[1:]
+		r = self.client.post(path=url_for('session.mfa_auth_finish'), data={'code': code}, follow_redirects=True)
+		dump('mfa_auth_invalid_code', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertIsNone(request.user)
+	def test_auth_ratelimit(self):
+		self.add_recovery_codes()
+		self.add_totp()
+		method = TOTPMethod(user=self.get_user(), name='testname')
+		raw_key = method.raw_key
+		db.session.add(method)
+		db.session.commit()
+		self.login_as('user')
+		self.assertIsNone(request.user)
+		code = _hotp(int(time.time()/30), raw_key)
+		inv_code = str(int(code[0])+1)[-1] + code[1:]
+		for i in range(20):
+			r = self.client.post(path=url_for('session.mfa_auth_finish'), data={'code': inv_code}, follow_redirects=True)
+			self.assertEqual(r.status_code, 200)
+			self.assertIsNone(request.user)
+		r = self.client.post(path=url_for('session.mfa_auth_finish'), data={'code': code}, follow_redirects=True)
+		dump('mfa_auth_ratelimit', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertIsNone(request.user)
+	# TODO: webauthn auth tests
--- a/tests/test_signup.py
+++ b/tests/test_signup.py
-import unittest
 import datetime
-import time
-from flask import url_for, session, request
+from flask import url_for, request
-# These imports are required, because otherwise we get circular imports?!
+from uffd.database import db
-from uffd import user
+from uffd.models import User, Signup, Role, RoleGroup, FeatureFlag
-from uffd import create_app, db
+from tests.utils import dump, UffdTestCase, db_flush
-from uffd.signup.models import Signup
-from uffd.user.models import User
-from uffd.role.models import Role, RoleGroup
-from uffd.session.views import login_get_user
-from utils import dump, UffdTestCase, db_flush
 def refetch_signup(signup):
 	db.session.add(signup)
 	db.session.commit()
 	id = signup.id
-	db_flush()
+	db.session.expunge(signup)
 	return Signup.query.get(id)
-# We assume in all tests that Signup.validate and Signup.check_password do
-# not alter any state
-class TestSignupModel(UffdTestCase):
-	def assert_validate_valid(self, signup):
-		valid, msg = signup.validate()
-		self.assertTrue(valid)
-		self.assertIsInstance(msg, str)
-	def assert_validate_invalid(self, signup):
-		valid, msg = signup.validate()
-		self.assertFalse(valid)
-		self.assertIsInstance(msg, str)
-		self.assertNotEqual(msg, '')
-	def assert_finish_success(self, signup, password):
-		self.assertIsNone(signup.user)
-		user, msg = signup.finish(password)
-		db.session.commit()
-		self.assertIsNotNone(user)
-		self.assertIsInstance(msg, str)
-		self.assertIsNotNone(signup.user)
-	def assert_finish_failure(self, signup, password):
-		prev_id = signup.user_id
-		user, msg = signup.finish(password)
-		self.assertIsNone(user)
-		self.assertIsInstance(msg, str)
-		self.assertNotEqual(msg, '')
-		self.assertEqual(signup.user_id, prev_id)
-	def test_password(self):
-		signup = Signup(loginname='newuser', displayname='New User', mail='test@example.com')
-		self.assertFalse(signup.check_password('notsecret'))
-		self.assertFalse(signup.check_password(''))
-		self.assertFalse(signup.check_password('wrongpassword'))
-		signup.password = 'notsecret'
-		self.assertTrue(signup.check_password('notsecret'))
-		self.assertFalse(signup.check_password('wrongpassword'))
-	def test_expired(self):
-		# TODO: Find a better way to test this!
-		signup = Signup(loginname='newuser', displayname='New User', mail='test@example.com', password='notsecret')
-		self.assertFalse(signup.expired)
-		signup.created = created=datetime.datetime.now() - datetime.timedelta(hours=49)
-		self.assertTrue(signup.expired)
-	def test_completed(self):
-		signup = Signup(loginname='newuser', displayname='New User', mail='test@example.com', password='notsecret')
-		self.assertFalse(signup.completed)
-		signup.finish('notsecret')
-		db.session.commit()
-		self.assertTrue(signup.completed)
-		signup = refetch_signup(signup)
-		self.assertTrue(signup.completed)
-	def test_validate(self):
-		signup = Signup(loginname='newuser', displayname='New User', mail='test@example.com', password='notsecret')
-		self.assert_validate_valid(signup)
-		self.assert_validate_valid(refetch_signup(signup))
-	def test_validate_completed(self):
-		signup = Signup(loginname='newuser', displayname='New User', mail='test@example.com', password='notsecret')
-		self.assert_finish_success(signup, 'notsecret')
-		self.assert_validate_invalid(signup)
-		self.assert_validate_invalid(refetch_signup(signup))
-	def test_validate_expired(self):
-		signup = Signup(loginname='newuser', displayname='New User', mail='test@example.com',
-		                password='notsecret', created=datetime.datetime.now()-datetime.timedelta(hours=49))
-		self.assert_validate_invalid(signup)
-		self.assert_validate_invalid(refetch_signup(signup))
-	def test_validate_loginname(self):
-		signup = Signup(loginname='', displayname='New User', mail='test@example.com', password='notsecret')
-		self.assert_validate_invalid(signup)
-		self.assert_validate_invalid(refetch_signup(signup))
-	def test_validate_displayname(self):
-		signup = Signup(loginname='newuser', displayname='', mail='test@example.com', password='notsecret')
-		self.assert_validate_invalid(signup)
-		self.assert_validate_invalid(refetch_signup(signup))
-	def test_validate_mail(self):
-		signup = Signup(loginname='newuser', displayname='New User', mail='', password='notsecret')
-		self.assert_validate_invalid(signup)
-		self.assert_validate_invalid(refetch_signup(signup))
-	def test_validate_password(self):
-		signup = Signup(loginname='newuser', displayname='New User', mail='test@example.com', password='')
-		self.assert_validate_invalid(signup)
-		self.assert_validate_invalid(refetch_signup(signup))
-	def test_validate_exists(self):
-		signup = Signup(loginname='testuser', displayname='New User', mail='test@example.com', password='notsecret')
-		self.assert_validate_invalid(signup)
-		self.assert_validate_invalid(refetch_signup(signup))
-	def test_finish(self):
-		signup = Signup(loginname='newuser', displayname='New User', mail='test@example.com', password='notsecret')
-		self.assert_finish_success(signup, 'notsecret')
-		user = User.query.filter_by(loginname='newuser').one_or_none()
-		self.assertEqual(user.loginname, 'newuser')
-		self.assertEqual(user.displayname, 'New User')
-		self.assertEqual(user.mail, 'test@example.com')
-	def test_finish_completed(self):
-		signup = Signup(loginname='newuser', displayname='New User', mail='test@example.com', password='notsecret')
-		self.assert_finish_success(signup, 'notsecret')
-		self.assert_finish_failure(refetch_signup(signup), 'notsecret')
-	def test_finish_expired(self):
-		# TODO: Find a better way to test this!
-		signup = Signup(loginname='newuser', displayname='New User', mail='test@example.com',
-		                password='notsecret', created=datetime.datetime.now()-datetime.timedelta(hours=49))
-		self.assert_finish_failure(signup, 'notsecret')
-		self.assert_finish_failure(refetch_signup(signup), 'notsecret')
-	def test_finish_wrongpassword(self):
-		signup = Signup(loginname='newuser', displayname='New User', mail='test@example.com')
-		self.assert_finish_failure(signup, '')
-		self.assert_finish_failure(signup, 'wrongpassword')
-		signup = refetch_signup(signup)
-		self.assert_finish_failure(signup, '')
-		self.assert_finish_failure(signup, 'wrongpassword')
-		signup = Signup(loginname='newuser', displayname='New User', mail='test@example.com', password='notsecret')
-		self.assert_finish_failure(signup, 'wrongpassword')
-		self.assert_finish_failure(refetch_signup(signup), 'wrongpassword')
-	def test_finish_ldaperror(self):
-		signup = Signup(loginname='testuser', displayname='New User', mail='test@example.com', password='notsecret')
-		self.assert_finish_failure(signup, 'notsecret')
-		self.assert_finish_failure(refetch_signup(signup), 'notsecret')
-	def test_duplicate(self):
-		signup = Signup(loginname='newuser', displayname='New User', mail='test1@example.com', password='notsecret')
-		self.assert_validate_valid(signup)
-		db.session.add(signup)
-		db.session.commit()
-		signup1_id = signup.id
-		signup = Signup(loginname='newuser', displayname='New User', mail='test2@example.com', password='notsecret')
-		self.assert_validate_valid(signup)
-		db.session.add(signup)
-		db.session.commit()
-		signup2_id = signup.id
-		db_flush()
-		signup = Signup.query.get(signup2_id)
-		self.assert_finish_success(signup, 'notsecret')
-		db.session.commit()
-		db_flush()
-		signup = Signup.query.get(signup1_id)
-		self.assert_finish_failure(signup, 'notsecret')
-		user = User.query.filter_by(loginname='newuser').one_or_none()
-		self.assertEqual(user.mail, 'test2@example.com')
 class TestSignupViews(UffdTestCase):
 	def setUpApp(self):
 		self.app.config['SELF_SIGNUP'] = True
@@ -188,7 +25,7 @@ class TestSignupViews(UffdTestCase):
 		self.assertEqual(r.status_code, 200)
 		self.assertEqual(Signup.query.filter_by(loginname='newuser').all(), [])
 		r = self.client.post(path=url_for('signup.signup_submit'), follow_redirects=True,
-			data={'loginname': 'newuser', 'displayname': 'New User', 'mail': 'test@example.com',
+			data={'loginname': 'newuser', 'displayname': 'New User', 'mail': 'new@example.com',
 			      'password1': 'notsecret', 'password2': 'notsecret'})
 		dump('test_signup_submit', r)
 		self.assertEqual(r.status_code, 200)
@@ -198,9 +35,9 @@ class TestSignupViews(UffdTestCase):
 		signup = signups[0]
 		self.assertEqual(signup.loginname, 'newuser')
 		self.assertEqual(signup.displayname, 'New User')
-		self.assertEqual(signup.mail, 'test@example.com')
+		self.assertEqual(signup.mail, 'new@example.com')
 		self.assertIn(signup.token, str(self.app.last_mail.get_content()))
-		self.assertTrue(signup.check_password('notsecret'))
+		self.assertTrue(signup.password.verify('notsecret'))
 		self.assertTrue(signup.validate()[0])
 	def test_signup_disabled(self):
@@ -210,7 +47,7 @@ class TestSignupViews(UffdTestCase):
 		self.assertEqual(r.status_code, 200)
 		self.assertEqual(Signup.query.filter_by(loginname='newuser').all(), [])
 		r = self.client.post(path=url_for('signup.signup_submit'), follow_redirects=True,
-			data={'loginname': 'newuser', 'displayname': 'New User', 'mail': 'test@example.com',
+			data={'loginname': 'newuser', 'displayname': 'New User', 'mail': 'new@example.com',
 			      'password1': 'notsecret', 'password2': 'notsecret'})
 		dump('test_signup_submit_disabled', r)
 		self.assertEqual(r.status_code, 200)
@@ -219,7 +56,7 @@ class TestSignupViews(UffdTestCase):
 	def test_signup_wrongpassword(self):
 		r = self.client.post(path=url_for('signup.signup_submit'), follow_redirects=True,
-			data={'loginname': 'newuser', 'displayname': 'New User', 'mail': 'test@example.com',
+			data={'loginname': 'newuser', 'displayname': 'New User', 'mail': 'new@example.com',
 			      'password1': 'notsecret', 'password2': 'notthesame'})
 		dump('test_signup_wrongpassword', r)
 		self.assertEqual(r.status_code, 200)
@@ -227,7 +64,7 @@ class TestSignupViews(UffdTestCase):
 	def test_signup_invalid(self):
 		r = self.client.post(path=url_for('signup.signup_submit'), follow_redirects=True,
-			data={'loginname': '', 'displayname': 'New User', 'mail': 'test@example.com',
+			data={'loginname': '', 'displayname': 'New User', 'mail': 'new@example.com',
 			      'password1': 'notsecret', 'password2': 'notsecret'})
 		dump('test_signup_invalid', r)
 		self.assertEqual(r.status_code, 200)
@@ -236,7 +73,7 @@ class TestSignupViews(UffdTestCase):
 	def test_signup_mailerror(self):
 		self.app.config['MAIL_SKIP_SEND'] = 'fail'
 		r = self.client.post(path=url_for('signup.signup_submit'), follow_redirects=True,
-			data={'loginname': 'newuser', 'displayname': 'New User', 'mail': 'test@example.com',
+			data={'loginname': 'newuser', 'displayname': 'New User', 'mail': 'new@example.com',
 			      'password1': 'notsecret', 'password2': 'notsecret'})
 		dump('test_signup_mailerror', r)
 		self.assertEqual(r.status_code, 200)
@@ -255,7 +92,7 @@ class TestSignupViews(UffdTestCase):
 			self.assertEqual(r.status_code, 200)
 		self.app.last_mail = None
 		r = self.client.post(path=url_for('signup.signup_submit'), follow_redirects=True,
-			data={'loginname': 'newuser', 'displayname': 'New User', 'mail': 'test@example.com',
+			data={'loginname': 'newuser', 'displayname': 'New User', 'mail': 'new@example.com',
 			      'password1': 'notsecret', 'password2': 'notsecret'})
 		dump('test_signup_hostlimit', r)
 		self.assertEqual(r.status_code, 200)
@@ -265,12 +102,12 @@ class TestSignupViews(UffdTestCase):
 	def test_signup_maillimit(self):
 		for i in range(3):
 			r = self.client.post(path=url_for('signup.signup_submit'), follow_redirects=True,
-				data={'loginname': 'newuser%d'%i, 'displayname': 'New User', 'mail': 'test@example.com',
+				data={'loginname': 'newuser%d'%i, 'displayname': 'New User', 'mail': 'new@example.com',
 				      'password1': 'notsecret', 'password2': 'notsecret'})
 			self.assertEqual(r.status_code, 200)
 		self.app.last_mail = None
 		r = self.client.post(path=url_for('signup.signup_submit'), follow_redirects=True,
-			data={'loginname': 'newuser', 'displayname': 'New User', 'mail': 'test@example.com',
+			data={'loginname': 'newuser', 'displayname': 'New User', 'mail': 'new@example.com',
 			      'password1': 'notsecret', 'password2': 'notsecret'})
 		dump('test_signup_maillimit', r)
 		self.assertEqual(r.status_code, 200)
@@ -320,16 +157,16 @@ class TestSignupViews(UffdTestCase):
 		db.session.add(baserole)
 		baserole.groups[self.get_access_group()] = RoleGroup()
 		db.session.commit()
-		signup = Signup(loginname='newuser', displayname='New User', mail='test@example.com', password='notsecret')
+		signup = Signup(loginname='newuser', displayname='New User', mail='new@example.com', password='notsecret')
 		signup = refetch_signup(signup)
 		self.assertFalse(signup.completed)
-		self.assertIsNone(login_get_user('newuser', 'notsecret'))
+		self.assertIsNone(User.query.filter_by(loginname='newuser').one_or_none())
 		r = self.client.get(path=url_for('signup.signup_confirm', signup_id=signup.id, token=signup.token), follow_redirects=True)
 		dump('test_signup_confirm', r)
 		self.assertEqual(r.status_code, 200)
 		signup = refetch_signup(signup)
 		self.assertFalse(signup.completed)
-		self.assertIsNone(login_get_user('newuser', 'notsecret'))
+		self.assertIsNone(User.query.filter_by(loginname='newuser').one_or_none())
 		r = self.client.post(path=url_for('signup.signup_confirm_submit', signup_id=signup.id, token=signup.token), follow_redirects=True, data={'password': 'notsecret'})
 		dump('test_signup_confirm_submit', r)
 		self.assertEqual(r.status_code, 200)
@@ -337,8 +174,8 @@ class TestSignupViews(UffdTestCase):
 		self.assertTrue(signup.completed)
 		self.assertEqual(signup.user.loginname, 'newuser')
 		self.assertEqual(signup.user.displayname, 'New User')
-		self.assertEqual(signup.user.mail, 'test@example.com')
+		self.assertEqual(signup.user.primary_email.address, 'new@example.com')
-		self.assertIsNotNone(login_get_user('newuser', 'notsecret'))
+		self.assertTrue(User.query.filter_by(loginname='newuser').one_or_none().password.verify('notsecret'))
 	def test_confirm_loggedin(self):
 		baserole = Role(name='baserole', is_default=True)
@@ -346,7 +183,7 @@ class TestSignupViews(UffdTestCase):
 		baserole.groups[self.get_access_group()] = RoleGroup()
 		db.session.commit()
 		self.login_as('user')
-		signup = Signup(loginname='newuser', displayname='New User', mail='test@example.com', password='notsecret')
+		signup = Signup(loginname='newuser', displayname='New User', mail='new@example.com', password='notsecret')
 		signup = refetch_signup(signup)
 		self.assertFalse(signup.completed)
 		self.assertIsNotNone(request.user)
@@ -369,8 +206,8 @@ class TestSignupViews(UffdTestCase):
 		self.assertEqual(r.status_code, 200)
 	def test_confirm_expired(self):
-		signup = Signup(loginname='newuser', displayname='New User', mail='test@example.com', password='notsecret')
+		signup = Signup(loginname='newuser', displayname='New User', mail='new@example.com', password='notsecret')
-		signup.created = datetime.datetime.now() - datetime.timedelta(hours=49)
+		signup.created = datetime.datetime.utcnow() - datetime.timedelta(hours=49)
 		signup = refetch_signup(signup)
 		r = self.client.get(path=url_for('signup.signup_confirm', signup_id=signup.id, token=signup.token), follow_redirects=True)
 		dump('test_signup_confirm_expired', r)
@@ -380,7 +217,7 @@ class TestSignupViews(UffdTestCase):
 		self.assertEqual(r.status_code, 200)
 	def test_confirm_completed(self):
-		signup = Signup(loginname=self.get_user().loginname, displayname='New User', mail='test@example.com', password='notsecret')
+		signup = Signup(loginname=self.get_user().loginname, displayname='New User', mail='new@example.com', password='notsecret')
 		signup.user = self.get_user()
 		signup = refetch_signup(signup)
 		self.assertTrue(signup.completed)
@@ -392,7 +229,7 @@ class TestSignupViews(UffdTestCase):
 		self.assertEqual(r.status_code, 200)
 	def test_confirm_wrongpassword(self):
-		signup = Signup(loginname='newuser', displayname='New User', mail='test@example.com', password='notsecret')
+		signup = Signup(loginname='newuser', displayname='New User', mail='new@example.com', password='notsecret')
 		signup = refetch_signup(signup)
 		r = self.client.post(path=url_for('signup.signup_confirm_submit', signup_id=signup.id, token=signup.token), follow_redirects=True, data={'password': 'wrongpassword'})
 		dump('test_signup_confirm_wrongpassword', r)
@@ -402,7 +239,7 @@ class TestSignupViews(UffdTestCase):
 	def test_confirm_error(self):
 		# finish returns None and error message (here: because the user already exists)
-		signup = Signup(loginname=self.get_user().loginname, displayname='New User', mail='test@example.com', password='notsecret')
+		signup = Signup(loginname=self.get_user().loginname, displayname='New User', mail='new@example.com', password='notsecret')
 		signup = refetch_signup(signup)
 		r = self.client.post(path=url_for('signup.signup_confirm_submit', signup_id=signup.id, token=signup.token), follow_redirects=True, data={'password': 'notsecret'})
 		dump('test_signup_confirm_error', r)
@@ -410,13 +247,28 @@ class TestSignupViews(UffdTestCase):
 		self.assertEqual(r.status_code, 200)
 		self.assertFalse(signup.completed)
+	def test_confirm_error_email_uniqueness(self):
+		FeatureFlag.unique_email_addresses.enable()
+		db.session.commit()
+		# finish returns None and error message (here: because the email address already exists)
+		# This case is interesting, because the error also invalidates the ORM session
+		signup = Signup(loginname='newuser', displayname='New User', mail='test@example.com', password='notsecret')
+		db.session.add(signup)
+		db.session.commit()
+		signup_id = signup.id
+		r = self.client.post(path=url_for('signup.signup_confirm_submit', signup_id=signup.id, token=signup.token), follow_redirects=True, data={'password': 'notsecret'})
+		dump('test_signup_confirm_error_email_uniqueness', r)
+		self.assertEqual(r.status_code, 200)
+		signup = Signup.query.get(signup_id)
+		self.assertFalse(signup.completed)
 	def test_confirm_hostlimit(self):
 		for i in range(20):
-			signup = Signup(loginname='newuser', displayname='New User', mail='test@example.com', password='notsecret')
+			signup = Signup(loginname='newuser', displayname='New User', mail='new@example.com', password='notsecret')
 			signup = refetch_signup(signup)
 			r = self.client.post(path=url_for('signup.signup_confirm_submit', signup_id=signup.id, token=signup.token), follow_redirects=True, data={'password': 'wrongpassword%d'%i})
 			self.assertEqual(r.status_code, 200)
-		signup = Signup(loginname='newuser', displayname='New User', mail='test@example.com', password='notsecret')
+		signup = Signup(loginname='newuser', displayname='New User', mail='new@example.com', password='notsecret')
 		signup = refetch_signup(signup)
 		self.assertFalse(signup.completed)
 		r = self.client.post(path=url_for('signup.signup_confirm_submit', signup_id=signup.id, token=signup.token), follow_redirects=True, data={'password': 'notsecret'})
@@ -425,7 +277,7 @@ class TestSignupViews(UffdTestCase):
 		self.assertFalse(signup.completed)
 	def test_confirm_confirmlimit(self):
-		signup = Signup(loginname='newuser', displayname='New User', mail='test@example.com', password='notsecret')
+		signup = Signup(loginname='newuser', displayname='New User', mail='new@example.com', password='notsecret')
 		signup = refetch_signup(signup)
 		self.assertFalse(signup.completed)
 		for i in range(5):

--- a/tests/test_user.py
+++ b/tests/test_user.py
-import datetime
+from flask import url_for, request
-import unittest
+from uffd.database import db
-from flask import url_for, session
+from uffd.models import User, UserEmail, Group, Role, Service, ServiceUser, FeatureFlag, MFAMethod, RecoveryCodeMethod, TOTPMethod
-# These imports are required, because otherwise we get circular imports?!
+from tests.utils import dump, UffdTestCase
-from uffd import user
-from uffd.user.models import User, Group
-from uffd.role.models import Role, RoleGroup
-from uffd import create_app, db
-from utils import dump, UffdTestCase
-class TestUserModel(UffdTestCase):
-	def test_has_permission(self):
-		user_ = self.get_user() # has 'users' and 'uffd_access' group
-		admin = self.get_admin() # has 'users', 'uffd_access' and 'uffd_admin' group
-		self.assertTrue(user_.has_permission(None))
-		self.assertTrue(admin.has_permission(None))
-		self.assertTrue(user_.has_permission('users'))
-		self.assertTrue(admin.has_permission('users'))
-		self.assertFalse(user_.has_permission('notagroup'))
-		self.assertFalse(admin.has_permission('notagroup'))
-		self.assertFalse(user_.has_permission('uffd_admin'))
-		self.assertTrue(admin.has_permission('uffd_admin'))
-		self.assertFalse(user_.has_permission(['uffd_admin']))
-		self.assertTrue(admin.has_permission(['uffd_admin']))
-		self.assertFalse(user_.has_permission(['uffd_admin', 'notagroup']))
-		self.assertTrue(admin.has_permission(['uffd_admin', 'notagroup']))
-		self.assertFalse(user_.has_permission(['notagroup', 'uffd_admin']))
-		self.assertTrue(admin.has_permission(['notagroup', 'uffd_admin']))
-		self.assertTrue(user_.has_permission(['uffd_admin', 'users']))
-		self.assertTrue(admin.has_permission(['uffd_admin', 'users']))
-		self.assertTrue(user_.has_permission([['uffd_admin', 'users'], ['users', 'uffd_access']]))
-		self.assertTrue(admin.has_permission([['uffd_admin', 'users'], ['users', 'uffd_access']]))
-		self.assertFalse(user_.has_permission(['uffd_admin', ['users', 'notagroup']]))
-		self.assertTrue(admin.has_permission(['uffd_admin', ['users', 'notagroup']]))
 class TestUserViews(UffdTestCase):
 	def setUp(self):
 		super().setUp()
+		self.app.last_mail = None
 		self.login_as('admin')
 	def test_index(self):
@@ -59,8 +28,8 @@ class TestUserViews(UffdTestCase):
 		dump('user_new', r)
 		self.assertEqual(r.status_code, 200)
 		self.assertIsNone(User.query.filter_by(loginname='newuser').one_or_none())
-		r = self.client.post(path=url_for('user.update'),
+		r = self.client.post(path=url_for('user.create'),
-			data={'loginname': 'newuser', 'mail': 'newuser@example.com', 'displayname': 'New User',
+			data={'loginname': 'newuser', 'email': 'newuser@example.com', 'displayname': 'New User',
 			f'role-{role1_id}': '1', 'password': 'newpassword'}, follow_redirects=True)
 		dump('user_new_submit', r)
 		self.assertEqual(r.status_code, 200)
@@ -70,12 +39,13 @@ class TestUserViews(UffdTestCase):
 		self.assertFalse(user_.is_service_user)
 		self.assertEqual(user_.loginname, 'newuser')
 		self.assertEqual(user_.displayname, 'New User')
-		self.assertEqual(user_.mail, 'newuser@example.com')
+		self.assertEqual(user_.primary_email.address, 'newuser@example.com')
+		self.assertFalse(user_.password)
 		self.assertGreaterEqual(user_.unix_uid, self.app.config['USER_MIN_UID'])
 		self.assertLessEqual(user_.unix_uid, self.app.config['USER_MAX_UID'])
 		role1 = Role(name='role1')
 		self.assertEqual(roles, ['base', 'role1'])
-		# TODO: confirm Mail is send, login not yet possible
+		self.assertIsNotNone(self.app.last_mail)
 	def test_new_service(self):
 		db.session.add(Role(name='base', is_default=True))
@@ -89,8 +59,8 @@ class TestUserViews(UffdTestCase):
 		dump('user_new_service', r)
 		self.assertEqual(r.status_code, 200)
 		self.assertIsNone(User.query.filter_by(loginname='newuser').one_or_none())
-		r = self.client.post(path=url_for('user.update'),
+		r = self.client.post(path=url_for('user.create'),
-			data={'loginname': 'newuser', 'mail': 'newuser@example.com', 'displayname': 'New User',
+			data={'loginname': 'newuser', 'email': 'newuser@example.com', 'displayname': 'New User',
 			f'role-{role1_id}': '1', 'password': 'newpassword', 'serviceaccount': '1'}, follow_redirects=True)
 		dump('user_new_submit', r)
 		self.assertEqual(r.status_code, 200)
@@ -100,39 +70,59 @@ class TestUserViews(UffdTestCase):
 		self.assertTrue(user.is_service_user)
 		self.assertEqual(user.loginname, 'newuser')
 		self.assertEqual(user.displayname, 'New User')
-		self.assertEqual(user.mail, 'newuser@example.com')
+		self.assertEqual(user.primary_email.address, 'newuser@example.com')
 		self.assertTrue(user.unix_uid)
+		self.assertFalse(user.password)
 		role1 = Role(name='role1')
 		self.assertEqual(roles, ['role1'])
-		# TODO: confirm Mail is send, login not yet possible
+		self.assertIsNone(self.app.last_mail)
 	def test_new_invalid_loginname(self):
-		r = self.client.post(path=url_for('user.update'),
+		r = self.client.post(path=url_for('user.create'),
-			data={'loginname': '!newuser', 'mail': 'newuser@example.com', 'displayname': 'New User',
+			data={'loginname': '!newuser', 'email': 'newuser@example.com', 'displayname': 'New User',
 			'password': 'newpassword'}, follow_redirects=True)
 		dump('user_new_invalid_loginname', r)
 		self.assertEqual(r.status_code, 200)
 		self.assertIsNone(User.query.filter_by(loginname='newuser').one_or_none())
 	def test_new_empty_loginname(self):
-		r = self.client.post(path=url_for('user.update'),
+		r = self.client.post(path=url_for('user.create'),
-			data={'loginname': '', 'mail': 'newuser@example.com', 'displayname': 'New User',
+			data={'loginname': '', 'email': 'newuser@example.com', 'displayname': 'New User',
 			'password': 'newpassword'}, follow_redirects=True)
 		dump('user_new_empty_loginname', r)
 		self.assertEqual(r.status_code, 200)
 		self.assertIsNone(User.query.filter_by(loginname='newuser').one_or_none())
+	def test_new_conflicting_loginname(self):
+		self.assertEqual(User.query.filter_by(loginname='testuser').count(), 1)
+		r = self.client.post(path=url_for('user.create'),
+			data={'loginname': 'testuser', 'email': 'newuser@example.com', 'displayname': 'New User',
+			'password': 'newpassword'}, follow_redirects=True)
+		dump('user_new_conflicting_loginname', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(User.query.filter_by(loginname='testuser').count(), 1)
 	def test_new_empty_email(self):
-		r = self.client.post(path=url_for('user.update'),
+		r = self.client.post(path=url_for('user.create'),
-			data={'loginname': 'newuser', 'mail': '', 'displayname': 'New User',
+			data={'loginname': 'newuser', 'email': '', 'displayname': 'New User',
 			'password': 'newpassword'}, follow_redirects=True)
 		dump('user_new_empty_email', r)
 		self.assertEqual(r.status_code, 200)
 		self.assertIsNone(User.query.filter_by(loginname='newuser').one_or_none())
+	def test_new_conflicting_email(self):
+		FeatureFlag.unique_email_addresses.enable()
+		db.session.commit()
+		r = self.client.post(path=url_for('user.create'),
+			data={'loginname': 'newuser', 'email': 'test@example.com', 'displayname': 'New User',
+			'password': 'newpassword'}, follow_redirects=True)
+		dump('user_new_conflicting_email', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertIsNone(User.query.filter_by(loginname='newuser').one_or_none())
 	def test_new_invalid_display_name(self):
-		r = self.client.post(path=url_for('user.update'),
+		r = self.client.post(path=url_for('user.create'),
-			data={'loginname': 'newuser', 'mail': 'newuser@example.com', 'displayname': 'A'*200,
+			data={'loginname': 'newuser', 'email': 'newuser@example.com', 'displayname': 'A'*200,
 			'password': 'newpassword'}, follow_redirects=True)
 		dump('user_new_invalid_display_name', r)
 		self.assertEqual(r.status_code, 200)
@@ -140,6 +130,7 @@ class TestUserViews(UffdTestCase):
 	def test_update(self):
 		user_unupdated = self.get_user()
+		email_id = str(user_unupdated.primary_email.id)
 		db.session.add(Role(name='base', is_default=True))
 		role1 = Role(name='role1')
 		db.session.add(role1)
@@ -152,112 +143,256 @@ class TestUserViews(UffdTestCase):
 		dump('user_update', r)
 		self.assertEqual(r.status_code, 200)
 		r = self.client.post(path=url_for('user.update', id=user_unupdated.id),
-			data={'loginname': 'testuser', 'mail': 'newuser@example.com', 'displayname': 'New User',
+			data={'loginname': 'testuser',
-			f'role-{role1_id}': '1', 'password': ''}, follow_redirects=True)
+			f'email-{email_id}-present': '1', 'primary_email': email_id, 'recovery_email': 'primary',
+			'displayname': 'New User', f'role-{role1_id}': '1', 'password': ''},
+			follow_redirects=True)
 		dump('user_update_submit', r)
 		self.assertEqual(r.status_code, 200)
 		user_updated = self.get_user()
 		roles = sorted([r.name for r in user_updated.roles_effective])
 		self.assertEqual(user_updated.displayname, 'New User')
-		self.assertEqual(user_updated.mail, 'newuser@example.com')
+		self.assertEqual(user_updated.primary_email.address, 'test@example.com')
 		self.assertEqual(user_updated.unix_uid, user_unupdated.unix_uid)
 		self.assertEqual(user_updated.loginname, user_unupdated.loginname)
-		self.assertTrue(user_updated.check_password('userpassword'))
+		self.assertTrue(user_updated.password.verify('userpassword'))
 		self.assertEqual(roles, ['base', 'role1'])
 	def test_update_password(self):
 		user_unupdated = self.get_user()
+		email_id = str(user_unupdated.primary_email.id)
 		r = self.client.get(path=url_for('user.show', id=user_unupdated.id), follow_redirects=True)
 		self.assertEqual(r.status_code, 200)
 		r = self.client.post(path=url_for('user.update', id=user_unupdated.id),
-			data={'loginname': 'testuser', 'mail': 'newuser@example.com', 'displayname': 'New User',
+			data={'loginname': 'testuser',
+			f'email-{email_id}-present': '1', 'primary_email': email_id, 'recovery_email': 'primary',
+			'displayname': 'New User',
 			'password': 'newpassword'}, follow_redirects=True)
 		dump('user_update_password', r)
 		self.assertEqual(r.status_code, 200)
 		user_updated = self.get_user()
 		self.assertEqual(user_updated.displayname, 'New User')
-		self.assertEqual(user_updated.mail, 'newuser@example.com')
+		self.assertEqual(user_updated.primary_email.address, 'test@example.com')
 		self.assertEqual(user_updated.unix_uid, user_unupdated.unix_uid)
 		self.assertEqual(user_updated.loginname, user_unupdated.loginname)
-		self.assertTrue(user_updated.check_password('newpassword'))
+		self.assertTrue(user_updated.password.verify('newpassword'))
-		self.assertFalse(user_updated.check_password('userpassword'))
+		self.assertFalse(user_updated.password.verify('userpassword'))
 	def test_update_invalid_password(self):
 		user_unupdated = self.get_user()
+		email_id = str(user_unupdated.primary_email.id)
 		r = self.client.get(path=url_for('user.show', id=user_unupdated.id), follow_redirects=True)
 		self.assertEqual(r.status_code, 200)
 		r = self.client.post(path=url_for('user.update', id=user_unupdated.id),
-			data={'loginname': 'testuser', 'mail': 'newuser@example.com', 'displayname': 'New User',
+			data={'loginname': 'testuser',
+			f'email-{email_id}-present': '1', 'primary_email': email_id, 'recovery_email': 'primary',
+			'displayname': 'New User',
 			'password': 'A'}, follow_redirects=True)
 		dump('user_update_invalid_password', r)
 		self.assertEqual(r.status_code, 200)
 		user_updated = self.get_user()
-		self.assertFalse(user_updated.check_password('A'))
+		self.assertFalse(user_updated.password.verify('A'))
-		self.assertTrue(user_updated.check_password('userpassword'))
+		self.assertTrue(user_updated.password.verify('userpassword'))
 		self.assertEqual(user_updated.displayname, user_unupdated.displayname)
-		self.assertEqual(user_updated.mail, user_unupdated.mail)
+		self.assertEqual(user_updated.primary_email.address, user_unupdated.primary_email.address)
 		self.assertEqual(user_updated.loginname, user_unupdated.loginname)
 	# Regression test for #100 (login not possible if password contains character disallowed by SASLprep)
 	def test_update_saslprep_invalid_password(self):
 		user_unupdated = self.get_user()
+		email_id = str(user_unupdated.primary_email.id)
 		r = self.client.get(path=url_for('user.show', id=user_unupdated.id), follow_redirects=True)
 		self.assertEqual(r.status_code, 200)
 		r = self.client.post(path=url_for('user.update', id=user_unupdated.id),
-			data={'loginname': 'testuser', 'mail': 'newuser@example.com', 'displayname': 'New User',
+			data={'loginname': 'testuser',
+			f'email-{email_id}-present': '1', 'primary_email': email_id, 'recovery_email': 'primary',
+			'displayname': 'New User',
 			'password': 'newpassword\n'}, follow_redirects=True)
 		dump('user_update_invalid_password', r)
 		self.assertEqual(r.status_code, 200)
 		user_updated = self.get_user()
-		self.assertFalse(user_updated.check_password('newpassword\n'))
+		self.assertFalse(user_updated.password.verify('newpassword\n'))
-		self.assertTrue(user_updated.check_password('userpassword'))
+		self.assertTrue(user_updated.password.verify('userpassword'))
 		self.assertEqual(user_updated.displayname, user_unupdated.displayname)
-		self.assertEqual(user_updated.mail, user_unupdated.mail)
+		self.assertEqual(user_updated.primary_email.address, user_unupdated.primary_email.address)
 		self.assertEqual(user_updated.loginname, user_unupdated.loginname)
-	def test_update_empty_email(self):
+	def test_update_email(self):
-		user_unupdated = self.get_user()
+		user = self.get_user()
-		r = self.client.get(path=url_for('user.show', id=user_unupdated.id), follow_redirects=True)
+		email = UserEmail(user=user, address='foo@example.com')
+		service1 = Service(name='service1', enable_email_preferences=True, limit_access=False)
+		service2 = Service(name='service2', enable_email_preferences=True, limit_access=False)
+		db.session.add_all([service1, service2])
+		db.session.commit()
+		email1_id = user.primary_email.id
+		email2_id = email.id
+		service1_id = service1.id
+		service2_id = service2.id
+		r = self.client.post(path=url_for('user.update', id=user.id),
+			data={'loginname': 'testuser',
+			f'email-{email1_id}-present': '1',
+			f'email-{email2_id}-present': '1',
+			f'email-{email2_id}-verified': '1',
+			f'newemail-1-address': 'new1@example.com',
+			f'newemail-2-address': 'new2@example.com', f'newemail-2-verified': '1',
+			'primary_email': email2_id, 'recovery_email': email1_id,
+			f'service_{service1_id}_email': 'primary',
+			f'service_{service2_id}_email': email2_id,
+			'displayname': 'Test User', 'password': ''},
+			follow_redirects=True)
+		dump('user_update_email', r)
 		self.assertEqual(r.status_code, 200)
-		r = self.client.post(path=url_for('user.update', id=user_unupdated.id),
+		user = self.get_user()
-			data={'loginname': 'testuser', 'mail': '', 'displayname': 'New User',
+		self.assertEqual(user.primary_email.id, email2_id)
-			'password': 'newpassword'}, follow_redirects=True)
+		self.assertEqual(user.recovery_email.id, email1_id)
-		dump('user_update_empty_mail', r)
+		self.assertEqual(ServiceUser.query.get((service1.id, user.id)).service_email, None)
+		self.assertEqual(ServiceUser.query.get((service2.id, user.id)).service_email.id, email2_id)
+		self.assertEqual(
+			{email.address: email.verified for email in user.all_emails},
+			{
+				'test@example.com': True,
+				'foo@example.com': True,
+				'new1@example.com': False,
+				'new2@example.com': True,
+			}
+		)
+	def test_update_email_conflict(self):
+		user = self.get_user()
+		user_id = user.id
+		email_id = user.primary_email.id
+		email_address = user.primary_email.address
+		r = self.client.post(path=url_for('user.update', id=user.id),
+			data={'loginname': 'testuser',
+			f'email-{email_id}-present': '1',
+			f'newemail-1-address': user.primary_email.address},
+			follow_redirects=True)
+		dump('user_update_email_conflict', r)
 		self.assertEqual(r.status_code, 200)
-		user_updated = self.get_user()
+		self.assertEqual(UserEmail.query.filter_by(user_id=user_id).count(), 1)
-		self.assertEqual(user_updated.displayname, user_unupdated.displayname)
-		self.assertEqual(user_updated.mail, user_unupdated.mail)
+	def test_update_email_strict_uniqueness(self):
-		self.assertEqual(user_updated.loginname, user_unupdated.loginname)
+		FeatureFlag.unique_email_addresses.enable()
-		self.assertFalse(user_updated.check_password('newpassword'))
+		db.session.commit()
-		self.assertTrue(user_updated.check_password('userpassword'))
+		user = self.get_user()
+		email = UserEmail(user=user, address='foo@example.com')
+		service1 = Service(name='service1', enable_email_preferences=True, limit_access=False)
+		service2 = Service(name='service2', enable_email_preferences=True, limit_access=False)
+		db.session.add_all([service1, service2])
+		db.session.commit()
+		email1_id = user.primary_email.id
+		email2_id = email.id
+		service1_id = service1.id
+		service2_id = service2.id
+		r = self.client.post(path=url_for('user.update', id=user.id),
+			data={'loginname': 'testuser',
+			f'email-{email1_id}-present': '1',
+			f'email-{email2_id}-present': '1',
+			f'email-{email2_id}-verified': '1',
+			f'newemail-1-address': 'new1@example.com',
+			f'newemail-2-address': 'new2@example.com', f'newemail-2-verified': '1',
+			'primary_email': email2_id, 'recovery_email': email1_id,
+			f'service_{service1_id}_email': 'primary',
+			f'service_{service2_id}_email': email2_id,
+			'displayname': 'Test User', 'password': ''},
+			follow_redirects=True)
+		dump('user_update_email_strict_uniqueness', r)
+		self.assertEqual(r.status_code, 200)
+		user = self.get_user()
+		self.assertEqual(user.primary_email.id, email2_id)
+		self.assertEqual(user.recovery_email.id, email1_id)
+		self.assertEqual(ServiceUser.query.get((service1.id, user.id)).service_email, None)
+		self.assertEqual(ServiceUser.query.get((service2.id, user.id)).service_email.id, email2_id)
+		self.assertEqual(
+			{email.address: email.verified for email in user.all_emails},
+			{
+				'test@example.com': True,
+				'foo@example.com': True,
+				'new1@example.com': False,
+				'new2@example.com': True,
+			}
+		)
+	def test_update_email_strict_uniqueness_conflict(self):
+		FeatureFlag.unique_email_addresses.enable()
+		db.session.commit()
+		user = self.get_user()
+		user_id = user.id
+		email_id = user.primary_email.id
+		email_address = user.primary_email.address
+		r = self.client.post(path=url_for('user.update', id=user.id),
+			data={'loginname': 'testuser',
+			f'email-{email_id}-present': '1',
+			f'newemail-1-address': user.primary_email.address},
+			follow_redirects=True)
+		dump('user_update_email_strict_uniqueness_conflict', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(UserEmail.query.filter_by(user_id=user_id).count(), 1)
 	def test_update_invalid_display_name(self):
 		user_unupdated = self.get_user()
+		email_id = str(user_unupdated.primary_email.id)
 		r = self.client.get(path=url_for('user.show', id=user_unupdated.id), follow_redirects=True)
 		self.assertEqual(r.status_code, 200)
 		r = self.client.post(path=url_for('user.update', id=user_unupdated.id),
-			data={'loginname': 'testuser', 'mail': 'newuser@example.com', 'displayname': 'A'*200,
+			data={'loginname': 'testuser',
+			f'email-{email_id}-present': '1', 'primary_email': email_id, 'recovery_email': 'primary',
+			'displayname': 'A'*200,
 			'password': 'newpassword'}, follow_redirects=True)
 		dump('user_update_invalid_display_name', r)
 		self.assertEqual(r.status_code, 200)
 		user_updated = self.get_user()
 		self.assertEqual(user_updated.displayname, user_unupdated.displayname)
-		self.assertEqual(user_updated.mail, user_unupdated.mail)
+		self.assertEqual(user_updated.primary_email.address, user_unupdated.primary_email.address)
 		self.assertEqual(user_updated.loginname, user_unupdated.loginname)
-		self.assertFalse(user_updated.check_password('newpassword'))
+		self.assertFalse(user_updated.password.verify('newpassword'))
-		self.assertTrue(user_updated.check_password('userpassword'))
+		self.assertTrue(user_updated.password.verify('userpassword'))
 	def test_show(self):
 		r = self.client.get(path=url_for('user.show', id=self.get_user().id), follow_redirects=True)
 		dump('user_show', r)
 		self.assertEqual(r.status_code, 200)
+	def test_show_self(self):
+		r = self.client.get(path=url_for('user.show', id=self.get_admin().id), follow_redirects=True)
+		dump('user_show_self', r)
+		self.assertEqual(r.status_code, 200)
 	def test_delete(self):
 		r = self.client.get(path=url_for('user.delete', id=self.get_user().id), follow_redirects=True)
 		dump('user_delete', r)
 		self.assertEqual(r.status_code, 200)
 		self.assertIsNone(self.get_user())
+	def test_deactivate(self):
+		r = self.client.get(path=url_for('user.deactivate', id=self.get_user().id), follow_redirects=True)
+		dump('user_deactivate', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertTrue(self.get_user().is_deactivated)
+	def test_activate(self):
+		self.get_user().is_deactivated = True
+		db.session.commit()
+		r = self.client.get(path=url_for('user.activate', id=self.get_user().id), follow_redirects=True)
+		dump('user_activate', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertFalse(self.get_user().is_deactivated)
+	def test_disable_mfa(self):
+		db.session.add(RecoveryCodeMethod(user=self.get_admin()))
+		user = self.get_user()
+		for _ in range(10):
+			db.session.add(RecoveryCodeMethod(user=user))
+		db.session.add(TOTPMethod(user=self.get_user(), name='My phone'))
+		db.session.commit()
+		self.login_as('admin')
+		admin_methods = len(MFAMethod.query.filter_by(user=self.get_admin()).all())
+		r = self.client.get(path=url_for('user.disable_mfa', id=self.get_user().id), follow_redirects=True)
+		dump('user_disable_mfa', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(len(MFAMethod.query.filter_by(user=self.get_user()).all()), 0)
+		self.assertEqual(len(MFAMethod.query.filter_by(user=self.get_admin()).all()), admin_methods)
 	def test_csvimport(self):
 		role1 = Role(name='role1')
 		db.session.add(role1)
@@ -288,42 +423,42 @@ newuser12,newuser12@example.com,{role1.id};{role1.id}
 		self.assertIsNotNone(user)
 		self.assertEqual(user.loginname, 'newuser1')
 		self.assertEqual(user.displayname, 'newuser1')
-		self.assertEqual(user.mail, 'newuser1@example.com')
+		self.assertEqual(user.primary_email.address, 'newuser1@example.com')
 		roles = sorted([r.name for r in user.roles])
 		self.assertEqual(roles, [])
 		user = User.query.filter_by(loginname='newuser2').one_or_none()
 		self.assertIsNotNone(user)
 		self.assertEqual(user.loginname, 'newuser2')
 		self.assertEqual(user.displayname, 'newuser2')
-		self.assertEqual(user.mail, 'newuser2@example.com')
+		self.assertEqual(user.primary_email.address, 'newuser2@example.com')
 		roles = sorted([r.name for r in user.roles])
 		self.assertEqual(roles, ['role1'])
 		user = User.query.filter_by(loginname='newuser3').one_or_none()
 		self.assertIsNotNone(user)
 		self.assertEqual(user.loginname, 'newuser3')
 		self.assertEqual(user.displayname, 'newuser3')
-		self.assertEqual(user.mail, 'newuser3@example.com')
+		self.assertEqual(user.primary_email.address, 'newuser3@example.com')
 		roles = sorted([r.name for r in user.roles])
 		self.assertEqual(roles, ['role1', 'role2'])
 		user = User.query.filter_by(loginname='newuser4').one_or_none()
 		self.assertIsNotNone(user)
 		self.assertEqual(user.loginname, 'newuser4')
 		self.assertEqual(user.displayname, 'newuser4')
-		self.assertEqual(user.mail, 'newuser4@example.com')
+		self.assertEqual(user.primary_email.address, 'newuser4@example.com')
 		roles = sorted([r.name for r in user.roles])
 		self.assertEqual(roles, [])
 		user = User.query.filter_by(loginname='newuser5').one_or_none()
 		self.assertIsNotNone(user)
 		self.assertEqual(user.loginname, 'newuser5')
 		self.assertEqual(user.displayname, 'newuser5')
-		self.assertEqual(user.mail, 'newuser5@example.com')
+		self.assertEqual(user.primary_email.address, 'newuser5@example.com')
 		roles = sorted([r.name for r in user.roles])
 		self.assertEqual(roles, [])
 		user = User.query.filter_by(loginname='newuser6').one_or_none()
 		self.assertIsNotNone(user)
 		self.assertEqual(user.loginname, 'newuser6')
 		self.assertEqual(user.displayname, 'newuser6')
-		self.assertEqual(user.mail, 'newuser6@example.com')
+		self.assertEqual(user.primary_email.address, 'newuser6@example.com')
 		roles = sorted([r.name for r in user.roles])
 		self.assertEqual(roles, ['role1', 'role2'])
 		self.assertIsNone(User.query.filter_by(loginname='newuser7').one_or_none())
@@ -333,14 +468,14 @@ newuser12,newuser12@example.com,{role1.id};{role1.id}
 		self.assertIsNotNone(user)
 		self.assertEqual(user.loginname, 'newuser10')
 		self.assertEqual(user.displayname, 'newuser10')
-		self.assertEqual(user.mail, 'newuser10@example.com')
+		self.assertEqual(user.primary_email.address, 'newuser10@example.com')
 		roles = sorted([r.name for r in user.roles])
 		self.assertEqual(roles, [])
 		user = User.query.filter_by(loginname='newuser11').one_or_none()
 		self.assertIsNotNone(user)
 		self.assertEqual(user.loginname, 'newuser11')
 		self.assertEqual(user.displayname, 'newuser11')
-		self.assertEqual(user.mail, 'newuser11@example.com')
+		self.assertEqual(user.primary_email.address, 'newuser11@example.com')
 		# Currently the csv import is not very robust, imho newuser11 should have role1 and role2!
 		roles = sorted([r.name for r in user.roles])
 		self.assertEqual(roles, ['role2'])
@@ -348,104 +483,10 @@ newuser12,newuser12@example.com,{role1.id};{role1.id}
 		self.assertIsNotNone(user)
 		self.assertEqual(user.loginname, 'newuser12')
 		self.assertEqual(user.displayname, 'newuser12')
-		self.assertEqual(user.mail, 'newuser12@example.com')
+		self.assertEqual(user.primary_email.address, 'newuser12@example.com')
 		roles = sorted([r.name for r in user.roles])
 		self.assertEqual(roles, ['role1'])
-class TestUserCLI(UffdTestCase):
-	def setUp(self):
-		super().setUp()
-		role = Role(name='admin')
-		role.groups[self.get_admin_group()] = RoleGroup(group=self.get_admin_group())
-		db.session.add(role)
-		db.session.add(Role(name='test'))
-		db.session.commit()
-		self.client.__exit__(None, None, None)
-	def test_list(self):
-		result = self.app.test_cli_runner().invoke(args=['user', 'list'])
-		self.assertEqual(result.exit_code, 0)
-	def test_show(self):
-		result = self.app.test_cli_runner().invoke(args=['user', 'show', 'testuser'])
-		self.assertEqual(result.exit_code, 0)
-		result = self.app.test_cli_runner().invoke(args=['user', 'show', 'doesnotexist'])
-		self.assertEqual(result.exit_code, 1)
-	def test_create(self):
-		result = self.app.test_cli_runner().invoke(args=['user', 'create', 'new user', '--mail', 'foobar@example.com']) # invalid login name
-		self.assertEqual(result.exit_code, 1)
-		result = self.app.test_cli_runner().invoke(args=['user', 'create', 'newuser', '--mail', '']) # invalid mail
-		self.assertEqual(result.exit_code, 1)
-		result = self.app.test_cli_runner().invoke(args=['user', 'create', 'newuser', '--mail', 'foobar@example.com', '--password', '']) # invalid password
-		self.assertEqual(result.exit_code, 1)
-		result = self.app.test_cli_runner().invoke(args=['user', 'create', 'newuser', '--mail', 'foobar@example.com', '--displayname', '']) # invalid display name
-		self.assertEqual(result.exit_code, 1)
-		result = self.app.test_cli_runner().invoke(args=['user', 'create', 'newuser', '--mail', 'foobar@example.com', '--add-role', 'doesnotexist']) # unknown role
-		self.assertEqual(result.exit_code, 1)
-		result = self.app.test_cli_runner().invoke(args=['user', 'create', 'testuser', '--mail', 'foobar@example.com']) # conflicting name
-		self.assertEqual(result.exit_code, 1)
-		result = self.app.test_cli_runner().invoke(args=['user', 'create', 'newuser', '--mail', 'newmail@example.com',
-		                                                 '--displayname', 'New Display Name', '--password', 'newpassword', '--add-role', 'admin'])
-		self.assertEqual(result.exit_code, 0)
-		with self.app.test_request_context():
-			user = User.query.filter_by(loginname='newuser').first()
-			self.assertIsNotNone(user)
-			self.assertEqual(user.mail, 'newmail@example.com')
-			self.assertEqual(user.displayname, 'New Display Name')
-			self.assertTrue(user.check_password('newpassword'))
-			self.assertEqual(user.roles, Role.query.filter_by(name='admin').all())
-			self.assertIn(self.get_admin_group(), user.groups)
-	def test_update(self):
-		result = self.app.test_cli_runner().invoke(args=['user', 'update', 'doesnotexist', '--displayname', 'foo'])
-		self.assertEqual(result.exit_code, 1)
-		result = self.app.test_cli_runner().invoke(args=['user', 'update', 'testuser', '--mail', '']) # invalid mail
-		self.assertEqual(result.exit_code, 1)
-		result = self.app.test_cli_runner().invoke(args=['user', 'update', 'testuser', '--password', '']) # invalid password
-		self.assertEqual(result.exit_code, 1)
-		result = self.app.test_cli_runner().invoke(args=['user', 'update', 'testuser', '--displayname', '']) # invalid display name
-		self.assertEqual(result.exit_code, 1)
-		result = self.app.test_cli_runner().invoke(args=['user', 'update', 'testuser', '--remove-role', 'doesnotexist'])
-		self.assertEqual(result.exit_code, 1)
-		result = self.app.test_cli_runner().invoke(args=['user', 'update', 'testuser', '--mail', 'newmail@example.com',
-		                                                 '--displayname', 'New Display Name', '--password', 'newpassword'])
-		self.assertEqual(result.exit_code, 0)
-		with self.app.test_request_context():
-			user = User.query.filter_by(loginname='testuser').first()
-			self.assertIsNotNone(user)
-			self.assertEqual(user.mail, 'newmail@example.com')
-			self.assertEqual(user.displayname, 'New Display Name')
-			self.assertTrue(user.check_password('newpassword'))
-		result = self.app.test_cli_runner().invoke(args=['user', 'update', 'testuser', '--add-role', 'admin', '--add-role', 'test'])
-		self.assertEqual(result.exit_code, 0)
-		with self.app.test_request_context():
-			user = User.query.filter_by(loginname='testuser').first()
-			self.assertEqual(set(user.roles), {Role.query.filter_by(name='admin').one(), Role.query.filter_by(name='test').one()})
-			self.assertIn(self.get_admin_group(), user.groups)
-		result = self.app.test_cli_runner().invoke(args=['user', 'update', 'testuser', '--remove-role', 'admin'])
-		self.assertEqual(result.exit_code, 0)
-		with self.app.test_request_context():
-			user = User.query.filter_by(loginname='testuser').first()
-			self.assertEqual(user.roles, Role.query.filter_by(name='test').all())
-			self.assertNotIn(self.get_admin_group(), user.groups)
-		result = self.app.test_cli_runner().invoke(args=['user', 'update', 'testuser', '--clear-roles', '--add-role', 'admin'])
-		self.assertEqual(result.exit_code, 0)
-		with self.app.test_request_context():
-			user = User.query.filter_by(loginname='testuser').first()
-			self.assertEqual(user.roles, Role.query.filter_by(name='admin').all())
-			self.assertIn(self.get_admin_group(), user.groups)
-	def test_delete(self):
-		with self.app.test_request_context():
-			self.assertIsNotNone(User.query.filter_by(loginname='testuser').first())
-		result = self.app.test_cli_runner().invoke(args=['user', 'delete', 'testuser'])
-		self.assertEqual(result.exit_code, 0)
-		with self.app.test_request_context():
-			self.assertIsNone(User.query.filter_by(loginname='testuser').first())
-		result = self.app.test_cli_runner().invoke(args=['user', 'delete', 'doesnotexist'])
-		self.assertEqual(result.exit_code, 1)
 class TestGroupViews(UffdTestCase):
 	def setUp(self):
 		super().setUp()
@@ -506,6 +547,33 @@ class TestGroupViews(UffdTestCase):
 		self.assertEqual(group.description, 'Original description')
 		self.assertEqual(group.unix_gid, gid)
+	def test_new_name_too_long(self):
+		r = self.client.post(path=url_for('group.update'),
+			data={'unix_gid': '', 'name': 'a'*33, 'description': 'New description'},
+			follow_redirects=True)
+		dump('group_new_name_too_long', r)
+		self.assertEqual(r.status_code, 400)
+		group = Group.query.filter_by(name='a'*33).one_or_none()
+		self.assertIsNone(group)
+	def test_new_name_too_short(self):
+		r = self.client.post(path=url_for('group.update'),
+			data={'unix_gid': '', 'name': '', 'description': 'New description'},
+			follow_redirects=True)
+		dump('group_new_name_too_short', r)
+		self.assertEqual(r.status_code, 400)
+		group = Group.query.filter_by(name='').one_or_none()
+		self.assertIsNone(group)
+	def test_new_name_invalid(self):
+		r = self.client.post(path=url_for('group.update'),
+			data={'unix_gid': '', 'name': 'foo bar', 'description': 'New description'},
+			follow_redirects=True)
+		dump('group_new_name_invalid', r)
+		self.assertEqual(r.status_code, 400)
+		group = Group.query.filter_by(name='foo bar').one_or_none()
+		self.assertIsNone(group)
 	def test_new_existing_gid(self):
 		gid = self.app.config['GROUP_MAX_GID'] - 1
 		db.session.add(Group(name='newgroup', description='Original description', unix_gid=gid))
@@ -552,50 +620,3 @@ class TestGroupViews(UffdTestCase):
 		self.assertEqual(r.status_code, 200)
 		self.assertIsNone(Group.query.get(group1_id))
 		self.assertIsNotNone(Group.query.get(group2_id))
-class TestGroupCLI(UffdTestCase):
-	def setUp(self):
-		super().setUp()
-		self.client.__exit__(None, None, None)
-	def test_list(self):
-		result = self.app.test_cli_runner().invoke(args=['group', 'list'])
-		self.assertEqual(result.exit_code, 0)
-	def test_show(self):
-		result = self.app.test_cli_runner().invoke(args=['group', 'show', 'users'])
-		self.assertEqual(result.exit_code, 0)
-		result = self.app.test_cli_runner().invoke(args=['group', 'show', 'doesnotexist'])
-		self.assertEqual(result.exit_code, 1)
-	def test_create(self):
-		result = self.app.test_cli_runner().invoke(args=['group', 'create', 'users']) # Duplicate name
-		self.assertEqual(result.exit_code, 1)
-		# See #127 (Enforce alphabet and length constraints for Group.name)
-		#result = self.app.test_cli_runner().invoke(args=['group', 'create', 'new group'])
-		#self.assertEqual(result.exit_code, 1)
-		result = self.app.test_cli_runner().invoke(args=['group', 'create', 'newgroup', '--description', 'A new group'])
-		self.assertEqual(result.exit_code, 0)
-		with self.app.test_request_context():
-			group = Group.query.filter_by(name='newgroup').first()
-			self.assertIsNotNone(group)
-			self.assertEqual(group.description, 'A new group')
-	def test_update(self):
-		result = self.app.test_cli_runner().invoke(args=['group', 'update', 'doesnotexist', '--description', 'foo'])
-		self.assertEqual(result.exit_code, 1)
-		result = self.app.test_cli_runner().invoke(args=['group', 'update', 'users', '--description', 'New description'])
-		self.assertEqual(result.exit_code, 0)
-		with self.app.test_request_context():
-			group = Group.query.filter_by(name='users').first()
-			self.assertEqual(group.description, 'New description')
-	def test_delete(self):
-		with self.app.test_request_context():
-			self.assertIsNotNone(Group.query.filter_by(name='users').first())
-		result = self.app.test_cli_runner().invoke(args=['group', 'delete', 'users'])
-		self.assertEqual(result.exit_code, 0)
-		with self.app.test_request_context():
-			self.assertIsNone(Group.query.filter_by(name='users').first())
-		result = self.app.test_cli_runner().invoke(args=['group', 'delete', 'doesnotexist'])
-		self.assertEqual(result.exit_code, 1)
--- a/uffd/__init__.py
+++ b/uffd/__init__.py
@@ -4,40 +4,31 @@ import sys
 from flask import Flask, redirect, url_for, request, render_template
 from flask_babel import Babel
-from werkzeug.routing import IntegerConverter
+from babel.dates import LOCALTZ
-from werkzeug.serving import make_ssl_devcert
+from werkzeug.exceptions import Forbidden
-try:
-	from werkzeug.middleware.profiler import ProfilerMiddleware
-except ImportError:
-	from werkzeug.contrib.profiler import ProfilerMiddleware
-from werkzeug.exceptions import InternalServerError, Forbidden
 from flask_migrate import Migrate
-from uffd.database import db, SQLAlchemyJSON
+from .database import db, customize_db_engine
-from uffd.template_helper import register_template_helper
+from .template_helper import register_template_helper
-from uffd.navbar import setup_navbar
+from .navbar import setup_navbar
-from uffd.secure_redirect import secure_local_redirect
+from .csrf import bp as csrf_bp
-from uffd import user, selfservice, role, mail, session, csrf, mfa, oauth2, services, signup, rolemod, invite, api
+from . import models, views, commands
-from uffd.user.models import User, Group
-from uffd.role.models import Role, RoleGroup
+def load_config_file(app, path, silent=False):
-from uffd.mail.models import Mail
+	if not os.path.exists(path):
-def load_config_file(app, cfg_name, silent=False):
-	cfg_path = os.path.join(app.instance_path, cfg_name)
-	if not os.path.exists(cfg_path):
 		if not silent:
-			raise Exception(f"Config file {cfg_path} not found")
+			raise Exception(f"Config file {path} not found")
 		return False
-	if cfg_path.endswith(".json"):
+	if path.endswith(".json"):
-		app.config.from_json(cfg_path)
+		app.config.from_json(path)
-	elif cfg_path.endswith(".yaml") or cfg_path.endswith(".yml"):
+	elif path.endswith(".yaml") or path.endswith(".yml"):
 		import yaml  # pylint: disable=import-outside-toplevel disable=import-error
-		with open(cfg_path, encoding='utf-8') as ymlfile:
+		with open(path, encoding='utf-8') as ymlfile:
 			data = yaml.safe_load(ymlfile)
 		app.config.from_mapping(data)
 	else:
-		app.config.from_pyfile(cfg_path, silent=True)
+		app.config.from_pyfile(path, silent=True)
 	return True
 def init_config(app: Flask, test_config):
@@ -48,28 +39,37 @@ def init_config(app: Flask, test_config):
 	# load config
 	if test_config is not None:
 		app.config.from_mapping(test_config)
-	elif os.environ.get("CONFIG_FILENAME"):
+	elif os.environ.get('CONFIG_PATH'):
-		load_config_file(app, os.environ["CONFIG_FILENAME"], silent=False)
+		load_config_file(app, os.environ['CONFIG_PATH'], silent=False)
 	else:
-		for cfg_name in ["config.cfg", "config.json", "config.yml", "config.yaml"]:
+		for filename in ["config.cfg", "config.json", "config.yml", "config.yaml"]:
-			if load_config_file(app, cfg_name, silent=True):
+			if load_config_file(app, os.path.join(app.instance_path, filename), silent=True):
 				break
-	# Prior to v1.1 login required ACL_SELFSERVICE_GROUP and ACL_ACCESS_GROUP did not exist
-	app.config.setdefault('ACL_ACCESS_GROUP', app.config['ACL_SELFSERVICE_GROUP'])
-	if app.env == "production" and app.secret_key is None:
+	if app.secret_key is None:
+		if app.env == "production":
 			raise Exception("SECRET_KEY not configured and we are running in production mode!")
-	app.config.setdefault("SECRET_KEY", secrets.token_hex(128))
+		app.secret_key = secrets.token_hex(128)
 def create_app(test_config=None): # pylint: disable=too-many-locals,too-many-statements
-	# create and configure the app
 	app = Flask(__name__, instance_relative_config=False)
-	app.json_encoder = SQLAlchemyJSON
 	init_config(app, test_config)
 	register_template_helper(app)
-	setup_navbar(app)
+	# Sort the navbar positions by their blueprint names (from the left)
+	if app.config['DEFAULT_PAGE_SERVICES']:
+		positions = ["service", "selfservice"]
+	else:
+		positions = ["selfservice", "service"]
+	positions += ["rolemod", "invite", "user", "group", "role", "mail"]
+	setup_navbar(app, positions)
+	app.register_blueprint(csrf_bp)
+	views.init_app(app)
+	commands.init_app(app)
 	# We never want to fail here, but at a file access that doesn't work.
 	# We might only have read access to app.instance_path
@@ -80,56 +80,30 @@ def create_app(test_config=None): # pylint: disable=too-many-locals,too-many-sta
 	db.init_app(app)
 	Migrate(app, db, render_as_batch=True, directory=os.path.join(app.root_path, 'migrations'))
+	with app.app_context():
-	for i in user.bp + selfservice.bp + role.bp + mail.bp + session.bp + csrf.bp + mfa.bp + oauth2.bp + services.bp + rolemod.bp + api.bp:
+		customize_db_engine(db.engine)
-		app.register_blueprint(i)
-	if app.config['ENABLE_INVITE'] or app.config['SELF_SIGNUP']:
-		for i in signup.bp:
-			app.register_blueprint(i)
-	if app.config['ENABLE_INVITE']:
-		for i in invite.bp:
-			app.register_blueprint(i)
 	@app.shell_context_processor
 	def push_request_context(): #pylint: disable=unused-variable
-		app.test_request_context().push() # LDAP ORM requires request context
+		ctx = {name: getattr(models, name) for name in models.__all__}
-		return {'db': db, 'User': User, 'Group': Group, 'Role': Role, 'Mail': Mail}
+		ctx.setdefault('db', db)
+		return ctx
-	@app.errorhandler(403)
-	def handle_403(error):
+	# flask-babel requires pytz-style timezone objects, but in rare cases (e.g.
-		return render_template('403.html', description=error.description if error.description != Forbidden.description else None), 403
+	# non-IANA TZ values) LOCALTZ is stdlib-style (without normalize/localize)
+	if not hasattr(LOCALTZ, 'normalize'):
-	@app.route("/")
+		LOCALTZ.normalize = lambda dt: dt
-	def index(): #pylint: disable=unused-variable
+	if not hasattr(LOCALTZ, 'localize'):
-		return redirect(url_for('selfservice.index'))
+		LOCALTZ.localize = lambda dt: dt.replace(tzinfo=LOCALTZ)
-	@app.route('/lang', methods=['POST'])
+	class PatchedBabel(Babel):
-	def setlang(): #pylint: disable=unused-variable
+		@property
-		resp = secure_local_redirect(request.values.get('ref', '/'))
+		def default_timezone(self):
-		if 'lang' in request.values:
+			if self.app.config['BABEL_DEFAULT_TIMEZONE'] == 'LOCALTZ':
-			resp.set_cookie('language', request.values['lang'])
+				return LOCALTZ
-		return resp
+			return super().default_timezone
-	@app.cli.command("gendevcert", help='Generates a self-signed TLS certificate for development')
+	babel = PatchedBabel(app, default_timezone='LOCALTZ')
-	def gendevcert(): #pylint: disable=unused-variable
-		if os.path.exists('devcert.crt') or os.path.exists('devcert.key'):
-			print('Refusing to overwrite existing "devcert.crt"/"devcert.key" file!')
-			return
-		make_ssl_devcert('devcert')
-		print('Certificate written to "devcert.crt", private key to "devcert.key".')
-		print('Run `flask run --cert devcert.crt --key devcert.key` to use it.')
-	@app.cli.command("profile", help='Runs app with profiler')
-	def profile(): #pylint: disable=unused-variable
-		# app.run() is silently ignored if executed from commands. We really want
-		# to do this, so we overwrite the check by overwriting the environment
-		# variable.
-		os.environ['FLASK_RUN_FROM_CLI'] = 'false'
-		app.wsgi_app = ProfilerMiddleware(app.wsgi_app, restrictions=[30])
-		app.run(debug=True)
-	babel = Babel(app)
 	@babel.localeselector
 	def get_locale(): #pylint: disable=unused-variable

--- a/uffd/api/__init__.py
+++ b/uffd/api/__init__.py
-from .views import bp as _bp
-bp = [_bp]
--- a/uffd/api/views.py
+++ b/uffd/api/views.py
-import functools
-import secrets
-from flask import Blueprint, jsonify, current_app, request, abort
-from uffd.user.models import User, Group
-from uffd.mail.models import Mail, MailReceiveAddress, MailDestinationAddress
-from uffd.session.views import login_get_user, login_ratelimit
-bp = Blueprint('api', __name__, template_folder='templates', url_prefix='/api/v1/')
-def apikey_required(scope=None):
-	def wrapper(func):
-		@functools.wraps(func)
-		def decorator(*args, **kwargs):
-			if 'Authorization' not in request.headers or not request.headers['Authorization'].startswith('Bearer '):
-				return 'Unauthorized', 401, {'WWW-Authenticate': 'Bearer'}
-			token = request.headers['Authorization'][7:].strip()
-			request.api_client = None
-			for client_token, client in current_app.config['API_CLIENTS'].items():
-				if secrets.compare_digest(client_token, token):
-					request.api_client = client
-			if request.api_client is None:
-				return 'Unauthorized', 401, {'WWW-Authenticate': 'Bearer error="invalid_token"'}
-			if scope is not None and scope not in request.api_client.get('scopes', []):
-				return 'Unauthorized', 401, {'WWW-Authenticate': 'Bearer error="insufficient_scope",scope="%s"'%scope}
-			return func(*args, **kwargs)
-		return decorator
-	return wrapper
-def generate_group_dict(group):
-	return {'id': group.unix_gid, 'name': group.name,
-	        'members': [user.loginname for user in group.members]}
-@bp.route('/getgroups', methods=['GET', 'POST'])
-@apikey_required()
-def getgroups():
-	if len(request.values) > 1:
-		abort(400)
-	key = (list(request.values.keys()) or [None])[0]
-	values = request.values.getlist(key)
-	if key is None:
-		groups = Group.query.all()
-	elif key == 'id' and len(values) == 1:
-		groups = Group.query.filter_by(unix_gid=values[0]).all()
-	elif key == 'name' and len(values) == 1:
-		groups = Group.query.filter_by(name=values[0]).all()
-	elif key == 'member' and len(values) == 1:
-		user = User.query.filter_by(loginname=values[0]).one_or_none()
-		groups = [] if user is None else user.groups
-	else:
-		abort(400)
-	return jsonify([generate_group_dict(group) for group in groups])
-def generate_user_dict(user, all_groups=None):
-	if all_groups is None:
-		all_groups = user.groups
-	return {'id': user.unix_uid, 'loginname': user.loginname, 'email': user.mail, 'displayname': user.displayname,
-	        'groups': [group.name for group in all_groups if user in group.members]}
-@bp.route('/getusers', methods=['GET', 'POST'])
-@apikey_required()
-def getusers():
-	if len(request.values) > 1:
-		abort(400)
-	key = (list(request.values.keys()) or [None])[0]
-	values = request.values.getlist(key)
-	if key is None:
-		users = User.query.all()
-	elif key == 'id' and len(values) == 1:
-		users = User.query.filter_by(unix_uid=values[0]).all()
-	elif key == 'loginname' and len(values) == 1:
-		users = User.query.filter_by(loginname=values[0]).all()
-	elif key == 'email' and len(values) == 1:
-		users = User.query.filter_by(mail=values[0]).all()
-	elif key == 'group' and len(values) == 1:
-		group = Group.query.filter_by(name=values[0]).one_or_none()
-		users = [] if group is None else group.members
-	else:
-		abort(400)
-	all_groups = None
-	if len(users) > 1:
-		all_groups = Group.query.all()
-	return jsonify([generate_user_dict(user, all_groups) for user in users])
-@bp.route('/checkpassword', methods=['POST'])
-@apikey_required('checkpassword')
-def checkpassword():
-	if set(request.values.keys()) != {'loginname', 'password'}:
-		abort(400)
-	username = request.form['loginname'].lower()
-	password = request.form['password']
-	login_delay = login_ratelimit.get_delay(username)
-	if login_delay:
-		return 'Too Many Requests', 429, {'Retry-After': '%d'%login_delay}
-	user = login_get_user(username, password)
-	if user is None:
-		login_ratelimit.log(username)
-		return jsonify(None)
-	return jsonify(generate_user_dict(user))
-def generate_mail_dict(mail):
-	return {'name': mail.uid, 'receive_addresses': list(mail.receivers),
-	        'destination_addresses': list(mail.destinations)}
-@bp.route('/getmails', methods=['GET', 'POST'])
-@apikey_required('getmails')
-def getmails():
-	if len(request.values) > 1:
-		abort(400)
-	key = (list(request.values.keys()) or [None])[0]
-	values = request.values.getlist(key)
-	if key is None:
-		mails = Mail.query.all()
-	elif key == 'name' and len(values) == 1:
-		mails = Mail.query.filter_by(uid=values[0]).all()
-	elif key == 'receive_address' and len(values) == 1:
-		mails = Mail.query.filter(Mail.receivers.any(MailReceiveAddress.address==values[0])).all()
-	elif key == 'destination_address' and len(values) == 1:
-		mails = Mail.query.filter(Mail.destinations.any(MailDestinationAddress.address==values[0])).all()
-	else:
-		abort(400)
-	return jsonify([generate_mail_dict(mail) for mail in mails])
--- a/uffd/babel.cfg
+++ b/uffd/babel.cfg
 [python: **.py]
 [jinja2: **/templates/**.html]
-extensions=jinja2.ext.autoescape,jinja2.ext.with_
No results found