diff --git a/server/extensions.py b/server/extensions.py
index 1ef41774..cbf82369 100644
--- a/server/extensions.py
+++ b/server/extensions.py
@@ -35,12 +35,12 @@
     Base = declarative_base()
     Base.metadata.reflect(engine)
 else:
-    logging.warning("Testing mode, using local sqlite db.")
+    logging.warning("Testing mode, using local sqlite test db.")
     engine = create_engine(
-        "sqlite:///" + os.path.join(basedir, "openml.db"),
+        "sqlite:///" + os.path.join(basedir, "openml.test.db"),
         echo=False,
     )
-    Config.SQLALCHEMY_DATABASE_URI = "sqlite:///" + os.path.join(basedir, "openml.db")
+    Config.SQLALCHEMY_DATABASE_URI = "sqlite:///" + os.path.join(basedir, "openml.test.db")
     Base = declarative_base()
     Base.metadata.reflect(engine)
 
diff --git a/server/openml.test.db b/server/openml.test.db
new file mode 100644
index 00000000..aa20b071
Binary files /dev/null and b/server/openml.test.db differ
diff --git a/server/public/views.py b/server/public/views.py
index e9e6dd48..50088464 100644
--- a/server/public/views.py
+++ b/server/public/views.py
@@ -22,8 +22,8 @@
 CORS(blueprint)
 
 
-DO_SEND_EMAIL = strtobool(os.environ.get("SEND_EMAIL", "True"))
-
+def email_enabled():
+    return strtobool(os.getenv("SEND_EMAIL", "True"))
 
 @blueprint.route("/signup", methods=["POST"])
 def signupfunc():
@@ -45,7 +45,7 @@ def signupfunc():
             user.remember_code = "0000"
             user.created_on = "0000"
             user.last_login = "0000"
-            user.active = "0" if DO_SEND_EMAIL else "1"
+            user.active = "0" if email_enabled() else "1"
             user.first_name = register_obj["first_name"]
             user.last_name = register_obj["last_name"]
             user.company = "0000"
@@ -59,7 +59,7 @@ def signupfunc():
             user.password_hash = "0000"
             token = secrets.token_hex()
             user.update_activation_code(token)
-            if DO_SEND_EMAIL:
+            if email_enabled():
                 confirmation_email(user.email, token)
             session.add(user)
             session.commit()
@@ -81,7 +81,7 @@ def password():
         token = secrets.token_hex()
         user.update_forgotten_code(token)
         # user.update_forgotten_time(timestamp)
-        if DO_SEND_EMAIL:
+        if email_enabled():
             forgot_password_email(user.email, token)
         session.merge(user)
         session.commit()
@@ -100,7 +100,7 @@ def confirmation_token():
             return jsonify({"msg": "User confirmation token sent"}), 200
         token = secrets.token_hex()
         user.update_activation_code(token)
-        if DO_SEND_EMAIL:
+        if email_enabled():
             confirmation_email(user.email, token)
         # updating user groups here
         user_group = UserGroups(user_id=user.id, group_id=2)
diff --git a/server/src/client/app/src/pages/auth/APIKey.js b/server/src/client/app/src/pages/auth/APIKey.js
index ac65cdde..e799c7db 100644
--- a/server/src/client/app/src/pages/auth/APIKey.js
+++ b/server/src/client/app/src/pages/auth/APIKey.js
@@ -46,8 +46,8 @@ function APIKey() {
   const [apikey, setApikey] = useState('');
   const yourConfig = {
     headers: {
-      Authorization: "Bearer " + localStorage.getItem("token"),
-    },
+      Authorization: "Bearer " + localStorage.getItem("token")
+    }
   };
 
   useEffect(() => {
@@ -66,7 +66,7 @@ function APIKey() {
     axios
       .post(
         process.env.REACT_APP_URL_SITE_BACKEND + "api-key",
-        { resetapikey: true },
+        {}, // no form data required
         yourConfig
       )
       .then((response) => {
diff --git a/server/src/client/app/src/pages/auth/ProfilePage.js b/server/src/client/app/src/pages/auth/ProfilePage.js
index 713e7ab0..a050d3f3 100755
--- a/server/src/client/app/src/pages/auth/ProfilePage.js
+++ b/server/src/client/app/src/pages/auth/ProfilePage.js
@@ -92,14 +92,16 @@ function Public() {
         setFname(response.data.first_name);
         setLname(response.data.last_name);
         setId(response.data.id);
-        if (id !== false) {
+        if (id) {
           fetch(`${ELASTICSEARCH_SERVER}user/user/` + id.toString())
             .then(response => response.json())
             .then(data => {
-              setDataset(data._source.datasets_uploaded);
-              setRun(data._source.runs_uploaded);
-              setTask(data._source.tasks_uploaded);
-              setFlow(data._source.flows_uploaded);
+              if (data._source) {
+                setDataset(data._source.datasets_uploaded);
+                setRun(data._source.runs_uploaded);
+                setTask(data._source.tasks_uploaded);
+                setFlow(data._source.flows_uploaded);
+              }
             });
         }
       })
diff --git a/server/src/client/app/src/pages/auth/SignIn.js b/server/src/client/app/src/pages/auth/SignIn.js
index 7f5f17ea..fa5a8221 100755
--- a/server/src/client/app/src/pages/auth/SignIn.js
+++ b/server/src/client/app/src/pages/auth/SignIn.js
@@ -33,8 +33,7 @@ function SignIn() {
   const [errorlog, setError] = useState(false);
   const [confirmflag, setConfirm] = useState(false);
   const [errormsg, setErrorMsg] = useState(false);
-  const [notexist, setNotExist] = useState(false);
-  const [wrongpass, setWrongPass] = useState(false);
+  const [incorrectCredentials, setIncorrectCredentials] = useState(false);
   const context = useContext(MainContext);
 
   function sendtoflask(event) {
@@ -46,12 +45,10 @@ function SignIn() {
       })
       .then(response => {
         console.log(response.data);
-        if (response.data.msg === "NotConfirmed") {
+        if (response.data.msg === "UserNotConfirmed") {
           setConfirm(true);
-        } else if (response.data.msg === "Wrong username or password") {
-          setNotExist(true);
-        } else if (response.data.msg === "wrong password") {
-          setWrongPass(true);
+        } else if (response.data.msg === "WrongUsernameOrPassword") {
+          setIncorrectCredentials(true);
         } else {
           localStorage.setItem("token", response.data.access_token);
           context.checkLogIn();
@@ -75,12 +72,15 @@ function SignIn() {
       )}
       <Grid item md={7} xs={10}>
         <Wrapper>
+          {/** Header **/}
           <Typography component="h1" variant="h4" align="center" gutterBottom>
             Welcome back!
           </Typography>
           <Typography component="h2" variant="body1" align="center">
             Sign in to continue
           </Typography>
+
+          {/** Start Error Banner **/}
           {errorlog && (
             <Typography component="h3" align="center" style={{ color: "red" }}>
               <FontAwesomeIcon
@@ -90,7 +90,8 @@ function SignIn() {
               {errormsg}
             </Typography>
           )}
-          {wrongpass && (
+          {/* User with this email & password could not be found */}
+          {(incorrectCredentials) && (
             <Typography component="h3" align="center" style={{ color: "red" }}>
               <FontAwesomeIcon
                 icon="exclamation-triangle"
@@ -99,6 +100,7 @@ function SignIn() {
               Wrong username or password
             </Typography>
           )}
+          {/* User's account not yet confirmed */}
           {confirmflag && (
             <Typography
               component="h3"
@@ -110,15 +112,9 @@ function SignIn() {
               <a href="/auth/confirmation-token">(resend activation token)</a>
             </Typography>
           )}
-          {notexist && (
-            <Typography component="h3" align="center" style={{ color: "red" }}>
-              <FontAwesomeIcon
-                icon="exclamation-triangle"
-                style={{ marginRight: 5 }}
-              />
-              Wrong username or password
-            </Typography>
-          )}
+          {/** End Error Banner **/}
+
+          {/** Start Entry Fields **/}
           <form onSubmit={sendtoflask}>
             <FormControl margin="normal" required fullWidth>
               <InputLabel htmlFor="email">Email Address</InputLabel>
@@ -156,6 +152,7 @@ function SignIn() {
               Forgot password
             </Button>
           </form>
+          {/** End Entry Fields **/}
         </Wrapper>
       </Grid>
       <Grid item md={7} xs={10}>
diff --git a/server/src/client/app/src/pages/auth/SignUp.js b/server/src/client/app/src/pages/auth/SignUp.js
index 56d596ab..4454c1db 100755
--- a/server/src/client/app/src/pages/auth/SignUp.js
+++ b/server/src/client/app/src/pages/auth/SignUp.js
@@ -7,12 +7,18 @@ import { useState } from "react";
 
 import {
   FormControl,
+  IconButton,
   Input,
   InputLabel,
+  InputAdornment,
   Button as MuiButton,
   Paper,
   Typography
 } from "@mui/material";
+import {
+  Visibility,
+  VisibilityOff
+} from '@mui/icons-material';
 import { spacing } from "@mui/system";
 import axios from "axios";
 
@@ -30,53 +36,84 @@ const RedIcon = styled(FontAwesomeIcon)({
   color: red[500]
 });
 
+const MIN_PASSWORD_LENGTH = 15;
+
 function SignUp() {
   const [register, setRegister] = useState(false);
   const [duplicateUser, setDuplicateUser] = useState(false);
   const [error, setError] = useState(false);
   const [errormessage, setErrorMessage] = useState(false);
-  function sendflask(event) {
+
+  const [firstName, setFirstName] = useState("");
+  const [lastName, setLastName] = useState("");
+  const [email, setEmail] = useState("");
+  const [password, setPassword] = useState("");
+
+  const [showPassword, setShowPassword] = useState(false);
+
+  function handleSubmit(event) {
     event.preventDefault();
-    console.log(event.target.email.value);
-    console.log(event.target.password.value);
-    if (event.target.password.value.length < 8) {
+    var registrationData = {
+      email: email,
+      firstName: firstName,
+      lastName: lastName,
+      password: password
+    };
+
+    if (password.length < MIN_PASSWORD_LENGTH) {
+     // Password must meet minimum length
+     // Using NIST recommendation
       setError(true);
-      setErrorMessage("Password too weak. Use at least 8 characters, with numbers, digits, and special characters.");
-    } else if (
-      /[a-zA-Z0-9]+@(?:[a-zA-Z0-9-]+\.)+[A-Za-z]+$/.test(
-        event.target.email.value
-      ) !== true
-    ) {
+      setErrorMessage(`Password too weak. Use at least ${MIN_PASSWORD_LENGTH} characters.`);
+    } else if ( (/[a-zA-Z0-9]+@(?:[a-zA-Z0-9-]+\.)+[A-Za-z]+$/.test(email)) === false) {
+      // Email must be in valid format
       setError(true);
       setErrorMessage("Please enter valid email");
     } else {
-      axios
-        .post(process.env.REACT_APP_URL_SITE_BACKEND + "signup", {
-          first_name: event.target.fname.value,
-          last_name: event.target.lname.value,
-          email: event.target.email.value,
-          password: event.target.password.value
-        })
-        .then(function(response) {
-          if (response.data.msg === "User created") {
-            console.log(response.data);
-            setRegister(true);
-          } else if (response.data.msg === "User already exists") {
-            setDuplicateUser(true);
-          }
-        })
-        .catch(function(error) {
-          console.log(error.data);
-        });
+      sendflask(registrationData);
     }
+
     return false;
   }
+
+  function handleMouseDownPassword(event) {
+    event.preventDefault(); // Prevents focus loss
+  }
+
+  function handleClickShowPassword() {
+    setShowPassword(function(prev) {
+      return !prev;
+    });
+  }
+
+  function sendflask(registrationData) {
+    axios
+      .post(process.env.REACT_APP_URL_SITE_BACKEND + "signup", {
+        first_name: registrationData.firstName,
+        last_name: registrationData.lastName,
+        email: registrationData.email,
+        password: registrationData.password
+      })
+      .then(function(response) {
+        if (response.data.msg === "User created") {
+          console.log(response.data);
+          setRegister(true);
+        } else if (response.data.msg === "User alredy exists") {
+          setDuplicateUser(true);
+        }
+      })
+      .catch(function(error) {
+        console.log(error.data);
+      })
+  }
+
   return (
     <Wrapper>
       <Typography component="h1" variant="h4" align="center" gutterBottom>
         Almost there
       </Typography>
-      <form onSubmit={sendflask}>
+      <form onSubmit={handleSubmit}>
+        {/* Error Banner */}
         {duplicateUser && (
           <Typography component="h3" variant="body1" align="center" color="red">
             User already exists
@@ -87,31 +124,64 @@ function SignUp() {
             {errormessage}
           </Typography>
         )}
+
+        {/* Input fields */}
         <FormControl margin="normal" required fullWidth>
           <InputLabel htmlFor="fname">First name</InputLabel>
-          <Input id="fname" name="fname" autoFocus />
+          <Input
+            id="fname"
+            name="fname"
+            value={firstName}
+            onChange={function(e) { setFirstName(e.target.value); }}
+            autoFocus
+          />
         </FormControl>
         <FormControl margin="normal" required fullWidth>
           <InputLabel htmlFor="lname">Last name</InputLabel>
-          <Input id="lname" name="lname" autoFocus />
+          <Input
+            id="lname"
+            name="lname"
+            value={lastName}
+            onChange={function(e) { setLastName(e.target.value); }}
+            autoFocus
+          />
         </FormControl>
         <FormControl margin="normal" required fullWidth>
           <InputLabel htmlFor="email">
             Email Address (we never share your email)
           </InputLabel>
-          <Input id="email" name="email" autoComplete="email" />
+          <Input
+            id="email"
+            name="email"
+            value={email}
+            onChange={function(e) { setEmail(e.target.value); }}
+            autoComplete="email"
+          />
         </FormControl>
         <FormControl margin="normal" required fullWidth>
           <InputLabel htmlFor="password">
-            Password (min 8 characters)
+            Password (min {MIN_PASSWORD_LENGTH} characters)
           </InputLabel>
           <Input
-            name="password"
-            type="password"
             id="password"
+            name="password"
+            type={showPassword ? 'text' : 'password'}
             autoComplete="current-password"
+            onChange={function(e) {setPassword(e.target.value)}}
+            endAdornment={
+              <InputAdornment position="end">
+                <IconButton
+                  onClick={handleClickShowPassword}
+                  onMouseDown={handleMouseDownPassword}
+                  edge="end"
+                >
+                  {showPassword ? <VisibilityOff /> : <Visibility />}
+                </IconButton>
+              </InputAdornment>
+            }
           />
         </FormControl>
+
         <Button
           type="submit"
           fullWidth
diff --git a/server/user/models.py b/server/user/models.py
index 8de25367..a611200a 100644
--- a/server/user/models.py
+++ b/server/user/models.py
@@ -13,25 +13,32 @@ class User(Base):
     def set_password(self, password):
         self.password = argon2.generate_password_hash(password)
 
-    def check_password(self, passwd):
+    def check_password(self, password):
         """
         Check if the passwordhash  is in Argon2 or Bcrypt(old) format
         Resets the password hash to argon2 format if stored in bcrypt
         Returns value for login route
         """
+
+        # check password (if bcrypt hash)
+        try:
+            if bcrypt.check_password_hash(self.password, password):
+                self.set_password(password)
+                # pwd in bcrypt form and correct
+                return True
+        except ValueError as error:
+            print(error)
+
+        # check password (if argon2 hash)
         try:
-            if bcrypt.check_password_hash(self.password, passwd):
-                bpass = True
+            if argon2.check_password_hash(self.password, password):
+                self.set_password(password)
+                # pwd in argon2 form and correct
+                return True
         except ValueError as error:
             print(error)
-            bpass = False
-        if argon2.check_password_hash(self.password, passwd):
-            return True
-        elif not argon2.check_password_hash(self.password, passwd) and not bpass:
-            return False
-        elif not argon2.check_password_hash(self.password, passwd) and bpass:
-            self.set_password(passwd)
-            return True
+
+        return False
 
     def update_bio(self, new_bio):
         self.bio = new_bio
diff --git a/server/user/views.py b/server/user/views.py
index 05b21b8d..c458824e 100644
--- a/server/user/views.py
+++ b/server/user/views.py
@@ -48,23 +48,24 @@ def login():
     2. Checks password and if user is confirmed
     3. Logs in user next with access token
     """
+     
+    with Session() as session: 
+        jobj = request.get_json()
 
-    jobj = request.get_json()
-    with Session() as session:
         # need to inspect jobj. Is `email` actually username or is there also a `username`?
-        user = session.query(User).filter_by(username=jobj["email"]).first()
-        print(jobj)
+        user = session.query(User).filter_by(email=jobj["email"]).first()
+
         if user is None:
-            print("user does not exist")
-            return jsonify({"msg": "Wrong username or password"}), 200
+            print("User does not exist")
+            return jsonify({"msg": "WrongUsernameOrPassword"}), 200
 
         elif not user.check_password(jobj["password"]):
             print("Wrong password")
-            return jsonify({"msg": "wrong password"}), 200
+            return jsonify({"msg": "WrongUsernameOrPassword"}), 200
 
         elif user.active == 0:
             print("User not confirmed")
-            return jsonify({"msg": "NotConfirmed"}), 200
+            return jsonify({"msg": "UserNotConfirmed"}), 200
 
         else:
             user_g = session.query(UserGroups).filter_by(user_id=user.id).first()
@@ -89,8 +90,10 @@ def profile():
     """
     Function to edit and retrieve user profile information
     """
-    current_user = get_jwt_identity()
+
     with Session() as session:
+        current_user = get_jwt_identity()
+
         user = session.query(User).filter_by(username=current_user).first()
         if request.method == "GET":
             return (
@@ -138,8 +141,9 @@ def verifytoken():
 @jwt_required()
 def image():
     """Function to receive and set user image"""
-    current_user = get_jwt_identity()
+    
     with Session() as session:
+        current_user = get_jwt_identity()
         user = session.query(User).filter_by(username=current_user).first()
         f = request.files["file"]
         Path("dev_data/" + str(user.username)).mkdir(parents=True, exist_ok=True)
@@ -150,7 +154,7 @@ def image():
         user.update_image_address(path)
         session.merge(user)
         session.commit()
-    return jsonify({"msg": "User image changed"}), 200
+        return jsonify({"msg": "User image changed"}), 200
 
 
 @user_blueprint.route("/imgs/<path:path>")
@@ -181,9 +185,10 @@ def logout():
 @jwt_required()
 def apikey():
     """Change and retrieve API-Key"""
-    current_user = get_jwt_identity()
+
     with Session() as session:
-        user = session.query(User).filter(User.username == current_user).first()
+        current_user = get_jwt_identity()
+        user = session.query(User).filter_by(username=current_user).first()
         if request.method == "GET":
             api_key = user.session_hash
             return jsonify({"apikey": api_key}), 200
@@ -191,7 +196,10 @@ def apikey():
             user.set_session_hash()
             session.merge(user)
             session.commit()
-            return jsonify({"msg": "API Key updated"}), 200
+            return jsonify({
+                "msg": "API Key updated",
+                "apikey": user.session_hash
+            }), 200
 
 
 @user_blueprint.route("/delete", methods=["GET", "POST"])
@@ -208,37 +216,45 @@ def delete_user():
 @user_blueprint.route("/forgot-token", methods=["POST"])
 def forgot_token():
     """Check for forgotten_password_code"""
-    data = request.get_json()
+
     with Session() as session:
-        user = user_from_token(session, data, "forgotten_password_code")
-    if user is not None:
-        return jsonify({"msg": "token confirmed"}), 200
-    else:
+        data = request.get_json()
+        try:
+            user = user_from_token(session, data, "forgotten_password_code")
+            if user:
+                # user verified by token
+                return jsonify({"msg": "Token confirmed"}), 200
+        except ValueError as e:
+            print(e)
+
+        # user could not be verified by token
         return jsonify({"msg": "Error"}), 401
 
 
 @user_blueprint.route("/resetpassword", methods=["POST"])
 def reset():
     """Changes user password"""
-    data = request.get_json()
+
     with Session() as session:
+        data = request.get_json()
         user = user_from_token(session, data, "forgotten_password_code")
         user.set_password(data["password"])
         session.merge(user)
         session.commit()
-    return jsonify({"msg": "password changed"}), 200
+        return jsonify({"msg": "Password changed"}), 200
 
 
 @user_blueprint.route("/confirmation", methods=["POST"])
 def confirm_user():
     """Activates user"""
-    data = request.get_json()
+
     with Session() as session:
+        data = request.get_json()
         user = user_from_token(session, data, "activation_code")
         user.update_activation()
         session.merge(user)
         session.commit()
-    return jsonify({"msg": "User confirmed"}), 200
+        return jsonify({"msg": "User confirmed"}), 200
 
 
 def user_from_token(session: Session, data, token_name):
diff --git a/tests/conftest.py b/tests/conftest.py
index d884e084..de453932 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -4,12 +4,20 @@
 import pytest
 
 from autoapp import app
-from server.extensions import db
+from server.extensions import Session, engine, Base
+from server.user.models import User
 
 myPath = os.path.dirname(os.path.abspath(__file__))
 sys.path.insert(0, myPath + "/../")
 
 
+# Currently disable email in testing
+@pytest.fixture(scope="module", autouse=True)
+def disable_email_send():
+    os.environ['SEND_EMAIL'] = "False"
+    yield
+
+
 @pytest.fixture(scope="module")
 def test_client():
     flask_app = app
@@ -28,10 +36,32 @@ def test_client():
     ctx.pop()
 
 
-@pytest.fixture(scope="module")
-def init_database():
-    # Create the database and the database table
+# Note:
+# DB reset between tests currently needed with existing
+# implementation (standard transactions weren't possible)
+@pytest.fixture(scope="function", autouse=True)
+def session(test_user):
+    # Start w/ clean db. Drop and recreate the tables.
+    Base.metadata.drop_all(bind=engine)
+    Base.metadata.create_all(bind=engine)
+
+    session = Session()
+
+    # Add initial data
+    session.add(test_user)
+    session.commit()
+
+    yield session # run tests
+
 
-    # Insert user data
+@pytest.fixture(scope="function")
+def test_user():
+    user = User(email="test@test.com", username="testuser",
+                ip_address="1.2.3.4", created_on="0000",
+                company="0000", country="0000",
+                bio="No Bio", session_hash="0000",
+                forgotten_password_code="test_user_token",
+                active=1)
+    user.set_password("testpassword")
 
-    yield db  # this is where the testing happens!
+    return user
diff --git a/tests/test_collection_routes.py b/tests/test_collection_routes.py
index 900632fe..afbb0848 100644
--- a/tests/test_collection_routes.py
+++ b/tests/test_collection_routes.py
@@ -1,7 +1,7 @@
 import os
 
 
-def test_upload_collection_runs(test_client, init_database):
+def test_upload_collection_runs(test_client):
     test_client.post(
         "/login", json={"email": "ff@ff.com", "password": "ff"}, follow_redirects=True
     )
@@ -20,7 +20,7 @@ def test_upload_collection_runs(test_client, init_database):
     assert response.status_code == 200
 
 
-def test_upload_collection_tasks(test_client, init_database):
+def test_upload_collection_tasks(test_client):
     access_token = str(os.environ.get("TEST_ACCESS_TOKEN"))
     headers = {"Authorization": "Bearer {}".format(access_token)}
     json_obj = {
diff --git a/tests/test_data_routes.py b/tests/test_data_routes.py
index 52770546..765a456d 100644
--- a/tests/test_data_routes.py
+++ b/tests/test_data_routes.py
@@ -1,4 +1,4 @@
-def test_data_upload(test_client, init_database):
+def test_data_upload(test_client):
     # access_token = str(os.environ.get('TEST_ACCESS_TOKEN'))
     # headers = {
     #     'Authorization': 'Bearer {}'.format(access_token)
diff --git a/tests/test_public_routes.py b/tests/test_public_routes.py
index 4267f746..43a65600 100644
--- a/tests/test_public_routes.py
+++ b/tests/test_public_routes.py
@@ -3,7 +3,7 @@
 uname = "test_user" + names.get_first_name()
 
 
-def test_signup(test_client, init_database):
+def test_signup(test_client):
     response = test_client.post(
         "/signup",
         json={
@@ -17,14 +17,14 @@ def test_signup(test_client, init_database):
     assert response.status_code == 200
 
 
-def test_forgot_password(test_client, init_database):
+def test_forgot_password(test_client):
     response = test_client.post(
         "/forgotpassword", json={"email": "ff@ff.com"}, follow_redirects=True
     )
     assert response.status_code == 200
 
 
-def test_confirmation_token(test_client, init_database):
+def test_confirmation_token(test_client):
     response = test_client.post(
         "/send-confirmation-token", json={"email": "ff@ff.com"}, follow_redirects=True
     )
diff --git a/tests/test_task_routes.py b/tests/test_task_routes.py
index fa27b9e0..f38778f6 100644
--- a/tests/test_task_routes.py
+++ b/tests/test_task_routes.py
@@ -1,7 +1,7 @@
 import os
 
 
-def test_upload_task(test_client, init_database):
+def test_upload_task(test_client):
     response = test_client.post(
         "/login", json={"email": "ff@ff.com", "password": "ff"}, follow_redirects=True
     )
diff --git a/tests/test_user_routes.py b/tests/test_user_routes.py
index e7fccf9b..e61b6d2a 100644
--- a/tests/test_user_routes.py
+++ b/tests/test_user_routes.py
@@ -1,101 +1,257 @@
 import os
 
 import pytest
-from server.extensions import Session
 
 from server.user.models import User
 
 
-@pytest.fixture(scope="module")
-def test_user():
-    user1 = User(email="abc@abc.com", username="abc")
-    user1.set_password("abcabc")
-    with Session() as session:
-        session.add(user1)
-        session.commit()
-        yield
+@pytest.fixture(scope="function", autouse=True)
+def setup(session, valid_user, unconfirmed_user):
+    session.add(valid_user)
+    session.add(unconfirmed_user)
+    session.commit()
+    yield
+
+@pytest.fixture(scope="function")
+def valid_user():
+    user = User(
+        email="abc@abc.com",
+        username="abc",
+        ip_address="1.2.3.4",
+        created_on="0000",
+        company="0000",
+        country="0000",
+        bio="No Bio",
+        session_hash="0000",
+        forgotten_password_code="valid_user_token",
+        active=1
+    )
+    user.set_password("abcabc")
+    
+    return user
+
+
+@pytest.fixture(scope="function")
+def unconfirmed_user():
+    user = User(
+        email="ff@ff.com",
+        username="ff",
+        ip_address="1.2.3.4",
+        created_on="0000",
+        company="0000",
+        country="0000",
+        bio="No Bio",
+        session_hash="0000",
+        activation_code="0000",
+        forgotten_password_code="5678",
+        active=0
+    )
+    user.set_password("ff")
+    
+    return user
 
 
-def test_confirm_user(test_client, init_database):
-    with Session() as session:
-        user = session.query(User).filter_by(email="ff@ff.com").first()
-    url = "?token=" + str(user.activation_code)
+def login(test_client, email, password):
     response = test_client.post(
-        "/confirmation", json={"url": url, "password": "ff"}, follow_redirects=True
+        "/login", json={"email": email, "password": password}, follow_redirects=True
     )
+    return response
+
+
+def test_signup(test_client, session):
+    registration_data = {
+        "email": "new@user.com",
+        "password": "newpassword",
+        "first_name": "Ana",
+        "last_name": "Brown"
+    }
+
+    user_before_signup = session.query(User).filter_by(email=registration_data["email"]).first()
+
+    response = test_client.post(
+        "/signup",
+        json={
+            "email": registration_data["email"],
+            "password": registration_data["password"],
+            "first_name": registration_data["first_name"],
+            "last_name": registration_data["last_name"]
+        }
+    )
+
+    registered_user = session.query(User).filter_by(email=registration_data["email"]).first()
+
+    assert user_before_signup == None
+    assert registered_user.check_password(registration_data["password"])
+    assert registered_user.first_name == registration_data["first_name"]
+    assert registered_user.last_name == registration_data["last_name"]
     assert response.status_code == 200
 
+    session.delete(registered_user)
+    session.commit()
 
-def test_login(test_client, init_database):
+
+def test_confirm_user(test_client, unconfirmed_user):
+    url = "?token=" + str(unconfirmed_user.activation_code)
     response = test_client.post(
-        "/login", json={"email": "ff@ff.com", "password": "ff"}, follow_redirects=True
+        "/confirmation", json={"url": url, "password": "ff"}, follow_redirects=True
     )
+
+    assert response.status_code == 200
+
+
+def test_login(test_client, valid_user):
+    response = login(test_client, valid_user.email, "abcabc")
+
+    assert response.json["access_token"]
+    assert response.status_code == 200
+
+
+def test_login_wrong_password(test_client, valid_user):
+    response = login(test_client, valid_user.email, "wrongpassword")
+
+    assert response.json["msg"] == "WrongUsernameOrPassword"
+    assert response.status_code == 200
+
+
+def test_login_user_not_existent(test_client):
+    response = login(test_client, "fake@user.com", "wrongpassword")
+
+    assert response.json["msg"] == "WrongUsernameOrPassword"
+    assert response.status_code == 200
+
+
+def test_login_user_not_confirmed(test_client, unconfirmed_user):
+    response = login(test_client, unconfirmed_user.email, "ff")
+
+    assert response.json["msg"] == "UserNotConfirmed"
     assert response.status_code == 200
 
 
-def test_profile(test_client, init_database):
+def test_get_profile(test_client, valid_user):
+    login(test_client, valid_user.email, "abcabc")
+
     access_token = str(os.environ.get("TEST_ACCESS_TOKEN"))
     headers = {"Authorization": "Bearer {}".format(access_token)}
     response = test_client.get("/profile", headers=headers)
-    with Session() as session:
-        user = session.query(User).filter_by(email=response.json["email"]).first()
-        assert response.status_code == 200
-        assert session.query(User).filter_by(email="ff@ff.com").first() == user
+    
+    retrieved_profile = response.json
+
+    profile = {
+        "username": valid_user.username,
+        "bio": valid_user.bio,
+        "first_name": valid_user.first_name,
+        "last_name": valid_user.last_name,
+        "email": valid_user.email,
+        "image": valid_user.image,
+        "id": valid_user.id
+    }
+
+    assert response.status_code == 200
+    assert retrieved_profile == profile
 
 
-def test_profile_changes(test_client, init_database):
+def test_profile_changes(test_client, session, valid_user):
+    login(test_client, valid_user.email, "abcabc")
+
     access_token = str(os.environ.get("TEST_ACCESS_TOKEN"))
     headers = {"Authorization": "Bearer {}".format(access_token)}
-    response = test_client.post(
-        "/profile",
-        headers=headers,
-        json={
-            "bio": "ss bio",
-            "first_name": "ssd",
-            "last_name": "sds",
-            "image": "",
-            "email": "ff@ff.com",
-        },
-    )
+
+    changes = {
+        "bio": "newbio",
+        "first_name": "newfirstname",
+        "last_name": "newlastname",
+        "image": "newimage",
+        "email": valid_user.email,
+    }
+
+    response = test_client.post("/profile", headers=headers, json=changes)
+    session.refresh(valid_user)
+
+    assert valid_user.bio == changes["bio"]
+    assert valid_user.first_name == changes["first_name"]
+    assert valid_user.last_name == changes["last_name"]
+    # note/todo: currently not testing image. image update functionality
+    # not implemented yet in views.py::profile
+    assert valid_user.email == changes["email"]
+    assert response.json["msg"] == "User information changed"
     assert response.status_code == 200
 
 
-def test_api_key_get(test_client, init_database):
+def test_api_key_get(test_client, valid_user):
+    login(test_client, valid_user.email, "abcabc")
+
     access_token = str(os.environ.get("TEST_ACCESS_TOKEN"))
     headers = {"Authorization": "Bearer {}".format(access_token)}
     response = test_client.get("/api-key", headers=headers)
+
+    assert response.json["apikey"] == valid_user.session_hash
     assert response.status_code == 200
 
 
-def test_api_key_post(test_client, init_database):
+def test_api_key_post(test_client, session, valid_user):
+    login(test_client, valid_user.email, "abcabc")
+
+    old_session_hash = valid_user.session_hash
+
     access_token = str(os.environ.get("TEST_ACCESS_TOKEN"))
     headers = {"Authorization": "Bearer {}".format(access_token)}
     response = test_client.post("/api-key", headers=headers)
+
+    session.refresh(valid_user)
+
+    # confirm session hash has been updated
+    assert valid_user.session_hash != old_session_hash
+    assert response.json["apikey"] == valid_user.session_hash
+    assert response.json["msg"] == "API Key updated"
     assert response.status_code == 200
 
 
-def test_logout(test_client, init_database):
+def test_logout(test_client, valid_user):
+    login(test_client, valid_user.email, "abcabc")
+
     access_token = str(os.environ.get("TEST_ACCESS_TOKEN"))
     headers = {"Authorization": "Bearer {}".format(access_token)}
     response = test_client.get("/logout", headers=headers)
+
     assert response.status_code == 200
 
 
-def test_forgot_token(test_client, init_database):
-    with Session() as session:
-        user = session.query(User).filter_by(email="ff@ff.com").first()
-    url = "?token=" + str(user.forgotten_password_code)
+def test_forgot_token(test_client, valid_user):
+    login(test_client, valid_user.email, "abcabc")
+
+    url = "?token=" + str(valid_user.forgotten_password_code)
     response = test_client.post(
         "/forgot-token", json={"url": url}, follow_redirects=True
     )
+
+    assert response.json["msg"] == "Token confirmed"
     assert response.status_code == 200
 
 
-def test_reset_password(test_client, init_database):
-    with Session() as session:
-        user = session.query(User).filter_by(email="ff@ff.com").first()
-    url = "?token=" + str(user.forgotten_password_code)
+def test_forgot_token_invalid_token(test_client, valid_user):
+    login(test_client, valid_user.email, "abcabc")
+
+    url = "?token=faketoken"
+    response = test_client.post(
+        "/forgot-token", json={"url": url}, follow_redirects=True
+    )
+
+    assert response.json["msg"] == "Error"
+    assert response.status_code == 401
+
+
+def test_reset_password(test_client, session, valid_user):
+    login(test_client, valid_user.email, "abcabc")
+
+    new_password = "newpassword"
+
+    url = "?token=" + str(valid_user.forgotten_password_code)
     response = test_client.post(
-        "/forgot-token", json={"url": url, "password": "ff"}, follow_redirects=True
+        "/resetpassword", json={"url": url, "password": new_password}, follow_redirects=True
     )
+
+    session.refresh(valid_user)
+
+    assert valid_user.check_password(new_password)
+    assert response.json["msg"] == "Password changed"
     assert response.status_code == 200