diff --git a/drama/helpers/wrappers.py b/drama/helpers/wrappers.py
index d19caf5b4..3e852aeb7 100644
--- a/drama/helpers/wrappers.py
+++ b/drama/helpers/wrappers.py
@@ -4,26 +4,19 @@ from .alerts import send_notification
 from drama.__main__ import app
 
 
-def get_logged_in_user(db=None):
-
-	if not db:
-		db=g.db
+def get_logged_in_user():
 
 	if request.headers.get("Authorization"):
 		token = request.headers.get("Authorization")
 		if not token: return None, None
 
 		token = token.split()
-		if len(token) < 2:
-			return None, None
+		if len(token) < 2: return None, None
 
 		token = token[1]
-		if not token:
-			return None, None
+		if not token: return None, None
 
-		client = db.query(ClientAuth).filter(
-			ClientAuth.access_token == token).first()
-			#ClientAuth.access_token_expire_utc > int(time.time()
+		client = g.db.query(ClientAuth).filter(ClientAuth.access_token == token).first()
 
 		x = (client.user, client) if client else (None, None)
 
@@ -239,31 +232,6 @@ def validate_formkey(f):
 	wrapper.__name__ = f.__name__
 	return wrapper
 
-
-def no_cors(f):
-	"""
-	Decorator prevents content being iframe'd
-	"""
-
-	def wrapper(*args, **kwargs):
-
-		origin = request.headers.get("Origin", None)
-
-		if origin and origin != "https://" + app.config["SERVER_NAME"] and app.config["FORCE_HTTPS"]==1:
-
-			return "This page may not be embedded in other webpages.", 403
-
-		resp = make_response(f(*args, **kwargs))
-		resp.headers.add("Access-Control-Allow-Origin",
-						 app.config["SERVER_NAME"]
-						 )
-
-		return resp
-
-	wrapper.__name__ = f.__name__
-	return wrapper
-
-
 def api(*scopes, no_ban=False):
 
 	def wrapper_maker(f):
diff --git a/drama/routes/login.py b/drama/routes/login.py
index db767c792..ea0c1ab70 100644
--- a/drama/routes/login.py
+++ b/drama/routes/login.py
@@ -7,7 +7,6 @@ valid_password_regex = re.compile("^.{8,100}$")
 
 
 @app.get("/login")
-@no_cors
 @auth_desired
 def login_get(v):
 
@@ -51,7 +50,6 @@ def check_for_alts(current_id):
 # login post procedure
 
 
-@no_cors
 @app.post("/login")
 @limiter.limit("6/minute")
 def login_post():
@@ -152,7 +150,6 @@ def logout(v):
 
 
 @app.get("/signup")
-@no_cors
 @auth_desired
 def sign_up_get(v):
 	with open('./disablesignups', 'r') as f:
@@ -207,7 +204,6 @@ def sign_up_get(v):
 
 
 @app.post("/signup")
-@no_cors
 @auth_desired
 def sign_up_post(v):
 	with open('./disablesignups', 'r') as f:
diff --git a/drama/routes/oauth.py b/drama/routes/oauth.py
index 891a649ab..a16485b53 100644
--- a/drama/routes/oauth.py
+++ b/drama/routes/oauth.py
@@ -79,143 +79,25 @@ def oauth_authorize_prompt(v):
 						   )
 
 
-@app.post("/oauth/authorize")
+@app.post("/authorize")
 @auth_required
 @validate_formkey
-def oauth_authorize_post(v):
+def oauth(v):
 
 	client_id = request.form.get("client_id")
-	scopes_txt = request.form.get("scopes")
-	state = request.form.get("state")
-	redirect_uri = request.form.get("redirect_uri")
-
 	application = g.db.query(OauthApp).filter_by(client_id=client_id).first()
-	if not application:
-		return {"oauth_error": "Invalid `client_id`"}, 401
-	if application.is_banned:
-		return {"oauth_error": f"Application `{application.app_name}` is suspended."}, 403
-
-	valid_redirect_uris = [x.strip()
-						   for x in application.redirect_uri.split(",")]
-	if redirect_uri not in valid_redirect_uris:
-		return {"oauth_error": "Invalid redirect_uri"}, 400
-
-	scopes = scopes_txt.split(',')
-	if not scopes:
-		return {"oauth_error": "One or more scopes must be specified as a comma-separated list"}, 400
-
-	for scope in scopes:
-		if scope not in SCOPES:
-			return {"oauth_error": f"The provided scope `{scope}` is not valid."}, 400
-
-	if any(x in scopes for x in ["create", "update"]) and "identity" not in scopes:
-		return {"oauth_error": f"`identity` scope required when requesting `create` or `update` scope."}, 400
-
-	if not state:
-		return {'oauth_error': 'state argument required'}, 400
-
-	permanent = bool(int(request.values.get("permanent", 0)))
-
+	if not application: return {"oauth_error": "Invalid `client_id`"}, 401
+	if application.is_banned: return {"oauth_error": f"Application `{application.app_name}` is suspended."}, 403
+	access_token = secrets.token_urlsafe(128)[:128]
 	new_auth = ClientAuth(
-		oauth_client=application.id,
-		oauth_code=secrets.token_urlsafe(128)[:128],
-		user_id=v.id,
-		scope_identity="identity" in scopes,
-		scope_create="create" in scopes,
-		scope_read="read" in scopes,
-		scope_update="update" in scopes,
-		scope_delete="delete" in scopes,
-		scope_vote="vote" in scopes,
-		refresh_token=secrets.token_urlsafe(128)[:128] if permanent else None
+		oauth_client = application.id,
+		user_id = v.id,
+		access_token=access_token
 	)
 
 	g.db.add(new_auth)
 
-	return redirect(f"{redirect_uri}?code={new_auth.oauth_code}&scopes={scopes_txt}&state={state}")
-
-
-@app.post("/oauth/grant")
-def oauth_grant():
-	'''
-	This endpoint takes the following parameters:
-	* code - The code parameter provided in the redirect
-	* client_id - Your client ID
-	* client_secret - your client secret
-	'''
-
-	application = g.db.query(OauthApp).filter_by(
-		client_id=request.values.get("client_id"),
-		client_secret=request.values.get("client_secret")).first()
-	if not application:
-		return {"oauth_error": "Invalid `client_id` or `client_secret`"}, 401
-	if application.is_banned:
-		return {"oauth_error": f"Application `{application.app_name}` is suspended."}, 403
-
-	if request.values.get("grant_type") == "code":
-
-		code = request.values.get("code")
-		if not code:
-			return {"oauth_error": "code required"}, 400
-
-		auth = g.db.query(ClientAuth).filter_by(
-			oauth_code=code,
-			access_token=None,
-			oauth_client=application.id
-		).first()
-
-		if not auth:
-			return {"oauth_error": "Invalid code"}, 401
-
-		auth.oauth_code = None
-		auth.access_token = secrets.token_urlsafe(128)[:128]
-		auth.access_token_expire_utc = int(time.time()) + 60 * 60
-
-		g.db.add(auth)
-
-		g.db.commit()
-
-		data = {
-			"access_token": auth.access_token,
-			"scopes": auth.scopelist,
-			"expires_at": auth.access_token_expire_utc,
-			"token_type": "Bearer"
-		}
-
-		if auth.refresh_token:
-			data["refresh_token"] = auth.refresh_token
-
-		return data
-
-	elif request.values.get("grant_type") == "refresh":
-
-		refresh_token = request.values.get('refresh_token')
-		if not refresh_token:
-			return {"oauth_error": "refresh_token required"}, 401
-
-		auth = g.db.query(ClientAuth).filter_by(
-			refresh_token=refresh_token,
-			oauth_code=None,
-			oauth_client=application.id
-		).first()
-
-		if not auth:
-			return {"oauth_error": "Invalid refresh_token"}, 401
-
-		auth.access_token = secrets.token_urlsafe(128)[:128]
-		auth.access_token_expire_utc = int(time.time()) + 60 * 60
-
-		g.db.add(auth)
-
-		data = {
-			"access_token": auth.access_token,
-			"scopes": auth.scopelist,
-			"expires_at": auth.access_token_expire_utc
-		}
-
-		return data
-
-	else:
-		return {"oauth_error": f"Invalid grant_type `{request.values.get('grant_type','')}`. Expected `code` or `refresh`."}, 400
+	return redirect(f"{application.redirect_uri}?token={access_token}")
 
 
 @app.post("/api_keys")