NEW: user accounts (#3)

2020-06-13 19:12:02 -07:00 · 2020-06-13 19:12:02 -07:00 · 9990771c18
commit 9990771c18
parent d02c491028
31 changed files with 1640 additions and 207 deletions
--- a/assets/css/app.scss
+++ b/assets/css/app.scss
@ -1,31 +0,0 @@
 /* This file is for your main application css. */
@import "./phoenix.css";
 /* Alerts and form errors */
 .alert {
  padding: 15px;
  margin-bottom: 20px;
  border: 1px solid transparent;
  border-radius: 4px;
 }
 .alert-info {
  color: #31708f;
  background-color: #d9edf7;
  border-color: #bce8f1;
 }
 .alert-warning {
  color: #8a6d3b;
  background-color: #fcf8e3;
  border-color: #faebcc;
 }
 .alert-danger {
  color: #a94442;
  background-color: #f2dede;
  border-color: #ebccd1;
 }
 .alert p {
  margin-bottom: 0;
 }
 .alert:empty {
  display: none;
 }
--- a/assets/css/phoenix.css
+++ b/assets/css/phoenix.css
--- a/config/test.exs
+++ b/config/test.exs
@ -1,5 +1,8 @@
 use Mix.Config
 # Only in tests, remove the complexity from the password hashing algorithm
 config :bcrypt_elixir, :log_rounds, 1
 # Configure your database
 #
 # The MIX_TEST_PARTITION environment variable can be used
--- a/lib/mix/tasks/planner.register.ex
+++ b/lib/mix/tasks/planner.register.ex
@ -0,0 +1,20 @@
 defmodule Mix.Tasks.Planner.Register do
  use Mix.Task
  alias Planner.Accounts
  @shortdoc "Register a new Planner user"
  def run([email, password]) do
    Mix.Task.run("app.start")
    case Accounts.register_user(%{email: email, password: password}) do
      {:ok, _} ->
        Mix.shell().info("User created successfully.")
      {:error, %Ecto.Changeset{} = changeset} ->
        IO.inspect(changeset)
        Mix.shell().error("There was a problem.")
    end
  end
 end
--- a/lib/planner/accounts.ex
+++ b/lib/planner/accounts.ex
@ -0,0 +1,292 @@
 defmodule Planner.Accounts do
  @moduledoc """
  The Accounts context.
  """
  import Ecto.Query, warn: false
  alias Planner.Repo
  alias Planner.Accounts.{User, UserToken, UserNotifier}
  ## Database getters
  @doc """
  Gets a user by email.
  ## Examples
      iex> get_user_by_email("foo@example.com")
      %User{}
      iex> get_user_by_email("unknown@example.com")
      nil
  """
  def get_user_by_email(email) when is_binary(email) do
    Repo.get_by(User, email: email)
  end
  @doc """
  Gets a user by email and password.
  ## Examples
      iex> get_user_by_email_and_password("foo@example.com", "correct_password")
      %User{}
      iex> get_user_by_email_and_password("foo@example.com", "invalid_password")
      nil
  """
  def get_user_by_email_and_password(email, password)
      when is_binary(email) and is_binary(password) do
    user = Repo.get_by(User, email: email)
    if User.valid_password?(user, password), do: user
  end
  @doc """
  Gets a single user.
  Raises `Ecto.NoResultsError` if the User does not exist.
  ## Examples
      iex> get_user!(123)
      %User{}
      iex> get_user!(456)
      ** (Ecto.NoResultsError)
  """
  def get_user!(id), do: Repo.get!(User, id)
  ## User registration
  @doc """
  Registers a user.
  ## Examples
      iex> register_user(%{field: value})
      {:ok, %User{}}
      iex> register_user(%{field: bad_value})
      {:error, %Ecto.Changeset{}}
  """
  def register_user(attrs) do
    %User{}
    |> User.registration_changeset(attrs)
    # Inline the confirmation, for now (MRD)
    |> User.confirm_changeset()
    |> Repo.insert()
  end
  ## Settings
  @doc """
  Returns an `%Ecto.Changeset{}` for changing the user e-mail.
  ## Examples
      iex> change_user_email(user)
      %Ecto.Changeset{data: %User{}}
  """
  def change_user_email(user, attrs \\ %{}) do
    User.email_changeset(user, attrs)
  end
  @doc """
  Emulates that the e-mail will change without actually changing
  it in the database.
  ## Examples
      iex> apply_user_email(user, "valid password", %{email: ...})
      {:ok, %User{}}
      iex> apply_user_email(user, "invalid password", %{email: ...})
      {:error, %Ecto.Changeset{}}
  """
  def apply_user_email(user, password, attrs) do
    user
    |> User.email_changeset(attrs)
    |> User.validate_current_password(password)
    |> Ecto.Changeset.apply_action(:update)
  end
  @doc """
  Updates the user e-mail in token.
  If the token matches, the user email is updated and the token is deleted.
  The confirmed_at date is also updated to the current time.
  """
  def update_user_email(user, token) do
    context = "change:#{user.email}"
    with {:ok, query} <- UserToken.verify_change_email_token_query(token, context),
         %UserToken{sent_to: email} <- Repo.one(query),
         {:ok, _} <- Repo.transaction(user_email_multi(user, email, context)) do
      :ok
    else
      _ -> :error
    end
  end
  defp user_email_multi(user, email, context) do
    changeset = user |> User.email_changeset(%{email: email}) |> User.confirm_changeset()
    Ecto.Multi.new()
    |> Ecto.Multi.update(:user, changeset)
    |> Ecto.Multi.delete_all(:tokens, UserToken.user_and_contexts_query(user, [context]))
  end
  @doc """
  Delivers the update e-mail instructions to the given user.
  ## Examples
      iex> deliver_update_email_instructions(user, current_email, &Routes.user_update_email_url(conn, :edit, &1))
      {:ok, %{to: ..., body: ...}}
  """
  def deliver_update_email_instructions(%User{} = user, current_email, update_email_url_fun)
      when is_function(update_email_url_fun, 1) do
    {encoded_token, user_token} = UserToken.build_email_token(user, "change:#{current_email}")
    Repo.insert!(user_token)
    UserNotifier.deliver_update_email_instructions(user, update_email_url_fun.(encoded_token))
  end
  @doc """
  Returns an `%Ecto.Changeset{}` for changing the user password.
  ## Examples
      iex> change_user_password(user)
      %Ecto.Changeset{data: %User{}}
  """
  def change_user_password(user, attrs \\ %{}) do
    User.password_changeset(user, attrs)
  end
  @doc """
  Updates the user password.
  ## Examples
      iex> update_user_password(user, "valid password", %{password: ...})
      {:ok, %User{}}
      iex> update_user_password(user, "invalid password", %{password: ...})
      {:error, %Ecto.Changeset{}}
  """
  def update_user_password(user, password, attrs) do
    changeset =
      user
      |> User.password_changeset(attrs)
      |> User.validate_current_password(password)
    Ecto.Multi.new()
    |> Ecto.Multi.update(:user, changeset)
    |> Ecto.Multi.delete_all(:tokens, UserToken.user_and_contexts_query(user, :all))
    |> Repo.transaction()
    |> case do
      {:ok, %{user: user}} -> {:ok, user}
      {:error, :user, changeset, _} -> {:error, changeset}
    end
  end
  ## Session
  @doc """
  Generates a session token.
  """
  def generate_user_session_token(user) do
    {token, user_token} = UserToken.build_session_token(user)
    Repo.insert!(user_token)
    token
  end
  @doc """
  Gets the user with the given signed token.
  """
  def get_user_by_session_token(token) do
    {:ok, query} = UserToken.verify_session_token_query(token)
    Repo.one(query)
  end
  @doc """
  Deletes the signed token with the given context.
  """
  def delete_session_token(token) do
    Repo.delete_all(UserToken.token_and_context_query(token, "session"))
    :ok
  end
  ## Reset password
  @doc """
  Delivers the reset password e-mail to the given user.
  ## Examples
      iex> deliver_user_reset_password_instructions(user, &Routes.user_reset_password_url(conn, :edit, &1))
      {:ok, %{to: ..., body: ...}}
  """
  def deliver_user_reset_password_instructions(%User{} = user, reset_password_url_fun)
      when is_function(reset_password_url_fun, 1) do
    {encoded_token, user_token} = UserToken.build_email_token(user, "reset_password")
    Repo.insert!(user_token)
    UserNotifier.deliver_reset_password_instructions(user, reset_password_url_fun.(encoded_token))
  end
  @doc """
  Gets the user by reset password token.
  ## Examples
      iex> get_user_by_reset_password_token("validtoken")
      %User{}
      iex> get_user_by_reset_password_token("invalidtoken")
      nil
  """
  def get_user_by_reset_password_token(token) do
    with {:ok, query} <- UserToken.verify_email_token_query(token, "reset_password"),
         %User{} = user <- Repo.one(query) do
      user
    else
      _ -> nil
    end
  end
  @doc """
  Resets the user password.
  ## Examples
      iex> reset_user_password(user, %{password: "new long password", password_confirmation: "new long password"})
      {:ok, %User{}}
      iex> reset_user_password(user, %{password: "valid", password_confirmation: "not the same"})
      {:error, %Ecto.Changeset{}}
  """
  def reset_user_password(user, attrs) do
    Ecto.Multi.new()
    |> Ecto.Multi.update(:user, User.password_changeset(user, attrs))
    |> Ecto.Multi.delete_all(:tokens, UserToken.user_and_contexts_query(user, :all))
    |> Repo.transaction()
    |> case do
      {:ok, %{user: user}} -> {:ok, user}
      {:error, :user, changeset, _} -> {:error, changeset}
    end
  end
 end
--- a/lib/planner/accounts/user.ex
+++ b/lib/planner/accounts/user.ex
@ -0,0 +1,113 @@
 defmodule Planner.Accounts.User do
  use Ecto.Schema
  import Ecto.Changeset
  @derive {Inspect, except: [:password]}
  schema "users" do
    field(:email, :string)
    field(:password, :string, virtual: true)
    field(:hashed_password, :string)
    field(:confirmed_at, :naive_datetime)
    timestamps()
  end
  @doc """
  A user changeset for registration.
  It is important to validate the length of both e-mail and password.
  Otherwise databases may truncate the e-mail without warnings, which
  could lead to unpredictable or insecure behaviour. Long passwords may
  also be very expensive to hash for certain algorithms.
  """
  def registration_changeset(user, attrs) do
    user
    |> cast(attrs, [:email, :password])
    |> validate_email()
    |> validate_password()
  end
  defp validate_email(changeset) do
    changeset
    |> validate_required([:email])
    |> validate_format(:email, ~r/^[^\s]+@[^\s]+$/, message: "must have the @ sign and no spaces")
    |> validate_length(:email, max: 160)
    |> unsafe_validate_unique(:email, Planner.Repo)
    |> unique_constraint(:email)
  end
  defp validate_password(changeset) do
    changeset
    |> validate_required([:password])
    |> validate_length(:password, min: 8, max: 80)
    |> prepare_changes(&hash_password/1)
  end
  defp hash_password(changeset) do
    password = get_change(changeset, :password)
    changeset
    |> put_change(:hashed_password, Bcrypt.hash_pwd_salt(password))
    |> delete_change(:password)
  end
  @doc """
  A user changeset for changing the e-mail.
  It requires the e-mail to change otherwise an error is added.
  """
  def email_changeset(user, attrs) do
    user
    |> cast(attrs, [:email])
    |> validate_email()
    |> case do
      %{changes: %{email: _}} = changeset -> changeset
      %{} = changeset -> add_error(changeset, :email, "did not change")
    end
  end
  @doc """
  A user changeset for changing the password.
  """
  def password_changeset(user, attrs) do
    user
    |> cast(attrs, [:password])
    |> validate_confirmation(:password, message: "does not match password")
    |> validate_password()
  end
  @doc """
  Confirms the account by setting `confirmed_at`.
  """
  def confirm_changeset(user) do
    now = NaiveDateTime.utc_now() |> NaiveDateTime.truncate(:second)
    change(user, confirmed_at: now)
  end
  @doc """
  Verifies the password.
  If there is no user or the user doesn't have a password, we call
  `Bcrypt.no_user_verify/0` to avoid timing attacks.
  """
  def valid_password?(%Planner.Accounts.User{hashed_password: hashed_password}, password)
      when is_binary(hashed_password) and byte_size(password) > 0 do
    Bcrypt.verify_pass(password, hashed_password)
  end
  def valid_password?(_, _) do
    Bcrypt.no_user_verify()
    false
  end
  @doc """
  Validates the current password otherwise adds an error to the changeset.
  """
  def validate_current_password(changeset, password) do
    if valid_password?(changeset.data, password) do
      changeset
    else
      add_error(changeset, :current_password, "is not valid")
    end
  end
 end
--- a/lib/planner/accounts/user_notifier.ex
+++ b/lib/planner/accounts/user_notifier.ex
@ -0,0 +1,73 @@
 defmodule Planner.Accounts.UserNotifier do
  # For simplicity, this module simply logs messages to the terminal.
  # You should replace it by a proper e-mail or notification tool, such as:
  #
  #   * Swoosh - https://hexdocs.pm/swoosh
  #   * Bamboo - https://hexdocs.pm/bamboo
  #
  defp deliver(to, body) do
    require Logger
    Logger.debug(body)
    {:ok, %{to: to, body: body}}
  end
  @doc """
  Deliver instructions to confirm account.
  """
  def deliver_confirmation_instructions(user, url) do
    deliver(user.email, """
    ==============================
    Hi #{user.email},
    You can confirm your account by visiting the url below:
    #{url}
    If you didn't create an account with us, please ignore this.
    ==============================
    """)
  end
  @doc """
  Deliver instructions to reset password account.
  """
  def deliver_reset_password_instructions(user, url) do
    deliver(user.email, """
    ==============================
    Hi #{user.email},
    You can reset your password by visiting the url below:
    #{url}
    If you didn't request this change, please ignore this.
    ==============================
    """)
  end
  @doc """
  Deliver instructions to update your e-mail.
  """
  def deliver_update_email_instructions(user, url) do
    deliver(user.email, """
    ==============================
    Hi #{user.email},
    You can change your e-mail by visiting the url below:
    #{url}
    If you didn't request this change, please ignore this.
    ==============================
    """)
  end
 end
--- a/lib/planner/accounts/user_token.ex
+++ b/lib/planner/accounts/user_token.ex
@ -0,0 +1,139 @@
 defmodule Planner.Accounts.UserToken do
  use Ecto.Schema
  import Ecto.Query
  @hash_algorithm :sha256
  @rand_size 32
  # It is very important to keep the reset password token expiry short,
  # since someone with access to the e-mail may take over the account.
  @reset_password_validity_in_days 1
  @confirm_validity_in_days 7
  @change_email_validity_in_days 7
  @session_validity_in_days 60
  schema "users_tokens" do
    field :token, :binary
    field :context, :string
    field :sent_to, :string
    belongs_to :user, Planner.Accounts.User
    timestamps(updated_at: false)
  end
  @doc """
  Generates a token that will be stored in a signed place,
  such as session or cookie. As they are signed, those
  tokens do not need to be hashed.
  """
  def build_session_token(user) do
    token = :crypto.strong_rand_bytes(@rand_size)
    {token, %Planner.Accounts.UserToken{token: token, context: "session", user_id: user.id}}
  end
  @doc """
  Checks if the token is valid and returns its underlying lookup query.
  The query returns the user found by the token.
  """
  def verify_session_token_query(token) do
    query =
      from token in token_and_context_query(token, "session"),
        join: user in assoc(token, :user),
        where: token.inserted_at > ago(@session_validity_in_days, "day"),
        select: user
    {:ok, query}
  end
  @doc """
  Builds a token with a hashed counter part.
  The non-hashed token is sent to the user e-mail while the
  hashed part is stored in the database, to avoid reconstruction.
  The token is valid for a week as long as users don't change
  their email.
  """
  def build_email_token(user, context) do
    build_hashed_token(user, context, user.email)
  end
  defp build_hashed_token(user, context, sent_to) do
    token = :crypto.strong_rand_bytes(@rand_size)
    hashed_token = :crypto.hash(@hash_algorithm, token)
    {Base.url_encode64(token, padding: false),
     %Planner.Accounts.UserToken{
       token: hashed_token,
       context: context,
       sent_to: sent_to,
       user_id: user.id
     }}
  end
  @doc """
  Checks if the token is valid and returns its underlying lookup query.
  The query returns the user found by the token.
  """
  def verify_email_token_query(token, context) do
    case Base.url_decode64(token, padding: false) do
      {:ok, decoded_token} ->
        hashed_token = :crypto.hash(@hash_algorithm, decoded_token)
        days = days_for_context(context)
        query =
          from token in token_and_context_query(hashed_token, context),
            join: user in assoc(token, :user),
            where: token.inserted_at > ago(^days, "day") and token.sent_to == user.email,
            select: user
        {:ok, query}
      :error ->
        :error
    end
  end
  defp days_for_context("confirm"), do: @confirm_validity_in_days
  defp days_for_context("reset_password"), do: @reset_password_validity_in_days
  @doc """
  Checks if the token is valid and returns its underlying lookup query.
  The query returns the user token record.
  """
  def verify_change_email_token_query(token, context) do
    case Base.url_decode64(token, padding: false) do
      {:ok, decoded_token} ->
        hashed_token = :crypto.hash(@hash_algorithm, decoded_token)
        query =
          from token in token_and_context_query(hashed_token, context),
            where: token.inserted_at > ago(@change_email_validity_in_days, "day")
        {:ok, query}
      :error ->
        :error
    end
  end
  @doc """
  Returns the given token with the given context.
  """
  def token_and_context_query(token, context) do
    from Planner.Accounts.UserToken, where: [token: ^token, context: ^context]
  end
  @doc """
  Gets all tokens for the given user for the given contexts.
  """
  def user_and_contexts_query(user, :all) do
    from t in Planner.Accounts.UserToken, where: t.user_id == ^user.id
  end
  def user_and_contexts_query(user, [_ | _] = contexts) do
    from t in Planner.Accounts.UserToken, where: t.user_id == ^user.id and t.context in ^contexts
  end
 end
--- a/lib/planner_web/controllers/user_auth.ex
+++ b/lib/planner_web/controllers/user_auth.ex
@ -0,0 +1,149 @@
 defmodule PlannerWeb.UserAuth do
  import Plug.Conn
  import Phoenix.Controller
  alias Planner.Accounts
  alias PlannerWeb.Router.Helpers, as: Routes
  # Make the remember me cookie valid for 60 days.
  # If you want bump or reduce this value, also change
  # the token expiry itself in UserToken.
  @max_age 60 * 60 * 24 * 60
  @remember_me_cookie "user_remember_me"
  @remember_me_options [sign: true, max_age: @max_age]
  @doc """
  Logs the user in.
  It renews the session ID and clears the whole session
  to avoid fixation attacks. See the renew_session
  function to customize this behaviour.
  It also sets a `:live_socket_id` key in the session,
  so LiveView sessions are identified and automatically
  disconnected on logout. The line can be safely removed
  if you are not using LiveView.
  """
  def login_user(conn, user, params \\ %{}) do
    token = Accounts.generate_user_session_token(user)
    user_return_to = get_session(conn, :user_return_to)
    conn
    |> renew_session()
    |> put_session(:user_token, token)
    |> put_session(:live_socket_id, "users_sessions:#{Base.url_encode64(token)}")
    |> maybe_write_remember_me_cookie(token, params)
    |> redirect(to: user_return_to || signed_in_path(conn))
  end
  defp maybe_write_remember_me_cookie(conn, token, %{"remember_me" => "true"}) do
    put_resp_cookie(conn, @remember_me_cookie, token, @remember_me_options)
  end
  defp maybe_write_remember_me_cookie(conn, _token, _params) do
    conn
  end
  # This function renews the session ID and erases the whole
  # session to avoid fixation attacks. If there is any data
  # in the session you may want to preserve after login/logout,
  # you must explicitly fetch the session data before clearing
  # and then immediately set it after clearing, for example:
  #
  #     defp renew_session(conn) do
  #       preferred_locale = get_session(conn, :preferred_locale)
  #
  #       conn
  #       |> configure_session(renew: true)
  #       |> clear_session()
  #       |> put_session(:preferred_locale, preferred_locale)
  #     end
  #
  defp renew_session(conn) do
    conn
    |> configure_session(renew: true)
    |> clear_session()
  end
  @doc """
  Logs the user out.
  It clears all session data for safety. See renew_session.
  """
  def logout_user(conn) do
    user_token = get_session(conn, :user_token)
    user_token && Accounts.delete_session_token(user_token)
    if live_socket_id = get_session(conn, :live_socket_id) do
      PlannerWeb.Endpoint.broadcast(live_socket_id, "disconnect", %{})
    end
    conn
    |> renew_session()
    |> delete_resp_cookie(@remember_me_cookie)
    |> redirect(to: "/")
  end
  @doc """
  Authenticates the user by looking into the session
  and remember me token.
  """
  def fetch_current_user(conn, _opts) do
    {user_token, conn} = ensure_user_token(conn)
    user = user_token && Accounts.get_user_by_session_token(user_token)
    assign(conn, :current_user, user)
  end
  defp ensure_user_token(conn) do
    if user_token = get_session(conn, :user_token) do
      {user_token, conn}
    else
      conn = fetch_cookies(conn, signed: [@remember_me_cookie])
      if user_token = conn.cookies[@remember_me_cookie] do
        {user_token, put_session(conn, :user_token, user_token)}
      else
        {nil, conn}
      end
    end
  end
  @doc """
  Used for routes that require the user to not be authenticated.
  """
  def redirect_if_user_is_authenticated(conn, _opts) do
    if conn.assigns[:current_user] do
      conn
      |> redirect(to: signed_in_path(conn))
      |> halt()
    else
      conn
    end
  end
  @doc """
  Used for routes that require the user to be authenticated.
  If you want to enforce the user e-mail is confirmed before
  they use the application at all, here would be a good place.
  """
  def require_authenticated_user(conn, _opts) do
    if conn.assigns[:current_user] do
      conn
    else
      conn
      |> put_flash(:error, "You must login to access this page.")
      |> maybe_store_return_to()
      |> redirect(to: Routes.user_session_path(conn, :new))
      |> halt()
    end
  end
  defp maybe_store_return_to(%{method: "GET", request_path: request_path} = conn) do
    put_session(conn, :user_return_to, request_path)
  end
  defp maybe_store_return_to(conn), do: conn
  defp signed_in_path(_conn), do: "/"
 end
--- a/lib/planner_web/controllers/user_reset_password_controller.ex
+++ b/lib/planner_web/controllers/user_reset_password_controller.ex
@ -0,0 +1,59 @@
 defmodule PlannerWeb.UserResetPasswordController do
  use PlannerWeb, :controller
  alias Planner.Accounts
  plug :get_user_by_reset_password_token when action in [:edit, :update]
  def new(conn, _params) do
    render(conn, "new.html")
  end
  def create(conn, %{"user" => %{"email" => email}}) do
    if user = Accounts.get_user_by_email(email) do
      Accounts.deliver_user_reset_password_instructions(
        user,
        &Routes.user_reset_password_url(conn, :edit, &1)
      )
    end
    # Regardless of the outcome, show an impartial success/error message.
    conn
    |> put_flash(
      :info,
      "If your e-mail is in our system, you will receive instructions to reset your password shortly."
    )
    |> redirect(to: "/")
  end
  def edit(conn, _params) do
    render(conn, "edit.html", changeset: Accounts.change_user_password(conn.assigns.user))
  end
  # Do not login the user after reset password to avoid a
  # leaked token giving the user access to the account.
  def update(conn, %{"user" => user_params}) do
    case Accounts.reset_user_password(conn.assigns.user, user_params) do
      {:ok, _} ->
        conn
        |> put_flash(:info, "Password reset successfully.")
        |> redirect(to: Routes.user_session_path(conn, :new))
      {:error, changeset} ->
        render(conn, "edit.html", changeset: changeset)
    end
  end
  defp get_user_by_reset_password_token(conn, _opts) do
    %{"token" => token} = conn.params
    if user = Accounts.get_user_by_reset_password_token(token) do
      conn |> assign(:user, user) |> assign(:token, token)
    else
      conn
      |> put_flash(:error, "Reset password link is invalid or it has expired.")
      |> redirect(to: "/")
      |> halt()
    end
  end
 end
--- a/lib/planner_web/controllers/user_session_controller.ex
+++ b/lib/planner_web/controllers/user_session_controller.ex
@ -0,0 +1,26 @@
 defmodule PlannerWeb.UserSessionController do
  use PlannerWeb, :controller
  alias Planner.Accounts
  alias PlannerWeb.UserAuth
  def new(conn, _params) do
    render(conn, "new.html", error_message: nil)
  end
  def create(conn, %{"user" => user_params}) do
    %{"email" => email, "password" => password} = user_params
    if user = Accounts.get_user_by_email_and_password(email, password) do
      UserAuth.login_user(conn, user, user_params)
    else
      render(conn, "new.html", error_message: "Invalid e-mail or password")
    end
  end
  def delete(conn, _params) do
    conn
    |> put_flash(:info, "Logged out successfully.")
    |> UserAuth.logout_user()
  end
 end
--- a/lib/planner_web/controllers/user_settings_controller.ex
+++ b/lib/planner_web/controllers/user_settings_controller.ex
@ -0,0 +1,72 @@
 defmodule PlannerWeb.UserSettingsController do
  use PlannerWeb, :controller
  alias Planner.Accounts
  alias PlannerWeb.UserAuth
  plug :assign_email_and_password_changesets
  def edit(conn, _params) do
    render(conn, "edit.html")
  end
  def update_email(conn, %{"current_password" => password, "user" => user_params}) do
    user = conn.assigns.current_user
    case Accounts.apply_user_email(user, password, user_params) do
      {:ok, applied_user} ->
        Accounts.deliver_update_email_instructions(
          applied_user,
          user.email,
          &Routes.user_settings_url(conn, :confirm_email, &1)
        )
        conn
        |> put_flash(
          :info,
          "A link to confirm your e-mail change has been sent to the new address."
        )
        |> redirect(to: Routes.user_settings_path(conn, :edit))
      {:error, changeset} ->
        render(conn, "edit.html", email_changeset: changeset)
    end
  end
  def confirm_email(conn, %{"token" => token}) do
    case Accounts.update_user_email(conn.assigns.current_user, token) do
      :ok ->
        conn
        |> put_flash(:info, "E-mail changed successfully.")
        |> redirect(to: Routes.user_settings_path(conn, :edit))
      :error ->
        conn
        |> put_flash(:error, "Email change link is invalid or it has expired.")
        |> redirect(to: Routes.user_settings_path(conn, :edit))
    end
  end
  def update_password(conn, %{"current_password" => password, "user" => user_params}) do
    user = conn.assigns.current_user
    case Accounts.update_user_password(user, password, user_params) do
      {:ok, user} ->
        conn
        |> put_flash(:info, "Password updated successfully.")
        |> put_session(:user_return_to, Routes.user_settings_path(conn, :edit))
        |> UserAuth.login_user(user)
      {:error, changeset} ->
        render(conn, "edit.html", password_changeset: changeset)
    end
  end
  defp assign_email_and_password_changesets(conn, _opts) do
    user = conn.assigns.current_user
    conn
    |> assign(:email_changeset, Accounts.change_user_email(user))
    |> assign(:password_changeset, Accounts.change_user_password(user))
  end
 end
--- a/lib/planner_web/router.ex
+++ b/lib/planner_web/router.ex
@ -1,22 +1,19 @@
 defmodule PlannerWeb.Router do
  use PlannerWeb, :router
  import PlannerWeb.UserAuth
  pipeline :browser do
-    plug :accepts, ["html"]
+    plug(:accepts, ["html"])
-    plug :fetch_session
+    plug(:fetch_session)
-    plug :fetch_flash
+    plug(:fetch_flash)
-    plug :protect_from_forgery
+    plug(:protect_from_forgery)
-    plug :put_secure_browser_headers
+    plug(:put_secure_browser_headers)
    plug(:fetch_current_user)
  end
  pipeline :api do
-    plug :accepts, ["json"]
+    plug(:accepts, ["json"])
  end
  scope "/", PlannerWeb do
    pipe_through :browser
    get "/", PageController, :index
  end
  # Other scopes may use custom stacks.
@ -35,8 +32,36 @@ defmodule PlannerWeb.Router do
    import Phoenix.LiveDashboard.Router
    scope "/" do
-      pipe_through :browser
+      pipe_through(:browser)
-      live_dashboard "/dashboard", metrics: PlannerWeb.Telemetry
+      live_dashboard("/dashboard", metrics: PlannerWeb.Telemetry)
    end
  end
  scope "/", PlannerWeb do
    pipe_through([:browser, :redirect_if_user_is_authenticated])
    get("/users/login", UserSessionController, :new)
    post("/users/login", UserSessionController, :create)
    get("/users/reset_password", UserResetPasswordController, :new)
    post("/users/reset_password", UserResetPasswordController, :create)
    get("/users/reset_password/:token", UserResetPasswordController, :edit)
    put("/users/reset_password/:token", UserResetPasswordController, :update)
  end
  scope "/", PlannerWeb do
    pipe_through([:browser, :require_authenticated_user])
    get("/", PageController, :index)
    get("/users/settings", UserSettingsController, :edit)
    put("/users/settings/update_password", UserSettingsController, :update_password)
    put("/users/settings/update_email", UserSettingsController, :update_email)
    get("/users/settings/confirm_email/:token", UserSettingsController, :confirm_email)
  end
  scope "/", PlannerWeb do
    pipe_through([:browser])
    delete("/users/logout", UserSessionController, :delete)
  end
 end
--- a/lib/planner_web/templates/layout/app.html.eex
+++ b/lib/planner_web/templates/layout/app.html.eex
@ -9,21 +9,16 @@
    <script defer type="text/javascript" src="<%= Routes.static_path(@conn, "/js/app.js") %>"></script>
  </head>
  <body>
    <header>
      <section class="container">
        <nav role="navigation">
    <ul>
-            <li><a href="https://hexdocs.pm/phoenix/overview.html">Get Started</a></li>
+    <%= if @current_user do %>
-            <%= if function_exported?(Routes, :live_dashboard_path, 2) do %>
+      <li><%= @current_user.email %></li>
-              <li><%= link "LiveDashboard", to: Routes.live_dashboard_path(@conn, :home) %></li>
+      <li><%= link "Settings", to: Routes.user_settings_path(@conn, :edit) %></li>
      <li><%= link "Logout", to: Routes.user_session_path(@conn, :delete), method: :delete %></li>
    <% else %>
      <li><%= link "Login", to: Routes.user_session_path(@conn, :new) %></li>
    <% end %>
    </ul>
-        </nav>
+
        <a href="https://phoenixframework.org/" class="phx-logo">
          <img src="<%= Routes.static_path(@conn, "/images/phoenix.png") %>" alt="Phoenix Framework Logo"/>
        </a>
      </section>
    </header>
    <main role="main" class="container">
      <p class="alert alert-info" role="alert"><%= get_flash(@conn, :info) %></p>
      <p class="alert alert-danger" role="alert"><%= get_flash(@conn, :error) %></p>
--- a/lib/planner_web/templates/page/index.html.eex
+++ b/lib/planner_web/templates/page/index.html.eex
@ -1,38 +1 @@
-<section class="phx-hero">
+<h1>Planner</h1>
  <h1><%= gettext "Welcome to %{name}!", name: "Phoenix" %></h1>
  <p>Peace-of-mind from prototype to production</p>
 </section>
 <section class="row">
  <article class="column">
    <h2>Resources</h2>
    <ul>
      <li>
        <a href="https://hexdocs.pm/phoenix/overview.html">Guides &amp; Docs</a>
      </li>
      <li>
        <a href="https://github.com/phoenixframework/phoenix">Source</a>
      </li>
      <li>
        <a href="https://github.com/phoenixframework/phoenix/blob/v1.5/CHANGELOG.md">v1.5 Changelog</a>
      </li>
    </ul>
  </article>
  <article class="column">
    <h2>Help</h2>
    <ul>
      <li>
        <a href="https://elixirforum.com/c/phoenix-forum">Forum</a>
      </li>
      <li>
        <a href="https://webchat.freenode.net/?channels=elixir-lang">#elixir-lang on Freenode IRC</a>
      </li>
      <li>
        <a href="https://twitter.com/elixirphoenix">Twitter @elixirphoenix</a>
      </li>
      <li>
        <a href="https://elixir-slackin.herokuapp.com/">Elixir on Slack</a>
      </li>
    </ul>
  </article>
 </section>
--- a/lib/planner_web/templates/user_reset_password/edit.html.eex
+++ b/lib/planner_web/templates/user_reset_password/edit.html.eex
@ -0,0 +1,25 @@
 <h1>Reset password</h1>
 <%= form_for @changeset, Routes.user_reset_password_path(@conn, :update, @token), fn f -> %>
  <%= if @changeset.action do %>
    <div class="alert alert-danger">
      <p>Oops, something went wrong! Please check the errors below.</p>
    </div>
  <% end %>
  <%= label f, :password, "New password" %>
  <%= password_input f, :password, required: true %>
  <%= error_tag f, :password %>
  <%= label f, :password_confirmation, "Confirm new password" %>
  <%= password_input f, :password_confirmation, required: true %>
  <%= error_tag f, :password_confirmation %>
  <div>
    <%= submit "Reset password" %>
  </div>
 <% end %>
 <p>
  <%= link "Login", to: Routes.user_session_path(@conn, :new) %>
 </p>
--- a/lib/planner_web/templates/user_reset_password/new.html.eex
+++ b/lib/planner_web/templates/user_reset_password/new.html.eex
@ -0,0 +1,14 @@
 <h1>Forgot your password?</h1>
 <%= form_for :user, Routes.user_reset_password_path(@conn, :create), fn f -> %>
  <%= label f, :email %>
  <%= text_input f, :email, required: true %>
  <div>
    <%= submit "Send instructions to reset password" %>
  </div>
 <% end %>
 <p>
  <%= link "Login", to: Routes.user_session_path(@conn, :new) %>
 </p>
--- a/lib/planner_web/templates/user_session/new.html.eex
+++ b/lib/planner_web/templates/user_session/new.html.eex
@ -0,0 +1,26 @@
 <h1>Login</h1>
 <%= form_for @conn, Routes.user_session_path(@conn, :create), [as: :user], fn f -> %>
  <%= if @error_message do %>
    <div class="alert alert-danger">
      <p><%= @error_message %></p>
    </div>
  <% end %>
  <%= label f, :email %>
  <%= text_input f, :email, required: true %>
  <%= label f, :password %>
  <%= password_input f, :password, required: true %>
  <%= label f, :remember_me, "Keep me logged in for 60 days" %>
  <%= checkbox f, :remember_me %>
  <div>
    <%= submit "Login" %>
  </div>
 <% end %>
 <p>
  <%= link "Forgot your password?", to: Routes.user_reset_password_path(@conn, :new) %>
 </p>
--- a/lib/planner_web/templates/user_settings/edit.html.eex
+++ b/lib/planner_web/templates/user_settings/edit.html.eex
@ -0,0 +1,49 @@
 <h1>Settings</h1>
 <h3>Change e-mail</h3>
 <%= form_for @email_changeset, Routes.user_settings_path(@conn, :update_email), fn f -> %>
  <%= if @email_changeset.action do %>
    <div class="alert alert-danger">
      <p>Oops, something went wrong! Please check the errors below.</p>
    </div>
  <% end %>
  <%= label f, :email %>
  <%= text_input f, :email, required: true %>
  <%= error_tag f, :email %>
  <%= label f, :current_password, for: "current_password_for_email" %>
  <%= password_input f, :current_password, required: true, name: "current_password", id: "current_password_for_email" %>
  <%= error_tag f, :current_password %>
  <div>
    <%= submit "Change e-mail" %>
  </div>
 <% end %>
 <h3>Change password</h3>
 <%= form_for @password_changeset, Routes.user_settings_path(@conn, :update_password), fn f -> %>
  <%= if @password_changeset.action do %>
    <div class="alert alert-danger">
      <p>Oops, something went wrong! Please check the errors below.</p>
    </div>
  <% end %>
  <%= label f, :password, "New password" %>
  <%= password_input f, :password, required: true %>
  <%= error_tag f, :password %>
  <%= label f, :password_confirmation, "Confirm new password" %>
  <%= password_input f, :password_confirmation, required: true %>
  <%= error_tag f, :password_confirmation %>
  <%= label f, :current_password, for: "current_password_for_password" %>
  <%= password_input f, :current_password, required: true, name: "current_password", id: "current_password_for_password" %>
  <%= error_tag f, :current_password %>
  <div>
    <%= submit "Change password" %>
  </div>
 <% end %>
--- a/lib/planner_web/views/user_confirmation_view.ex
+++ b/lib/planner_web/views/user_confirmation_view.ex
@ -0,0 +1,3 @@
 defmodule PlannerWeb.UserConfirmationView do
  use PlannerWeb, :view
 end
--- a/lib/planner_web/views/user_registration_view.ex
+++ b/lib/planner_web/views/user_registration_view.ex
@ -0,0 +1,3 @@
 defmodule PlannerWeb.UserRegistrationView do
  use PlannerWeb, :view
 end
--- a/lib/planner_web/views/user_reset_password_view.ex
+++ b/lib/planner_web/views/user_reset_password_view.ex
@ -0,0 +1,3 @@
 defmodule PlannerWeb.UserResetPasswordView do
  use PlannerWeb, :view
 end
--- a/lib/planner_web/views/user_session_view.ex
+++ b/lib/planner_web/views/user_session_view.ex
@ -0,0 +1,3 @@
 defmodule PlannerWeb.UserSessionView do
  use PlannerWeb, :view
 end
--- a/lib/planner_web/views/user_settings_view.ex
+++ b/lib/planner_web/views/user_settings_view.ex
@ -0,0 +1,3 @@
 defmodule PlannerWeb.UserSettingsView do
  use PlannerWeb, :view
 end
--- a/mix.exs
+++ b/mix.exs
@ -33,6 +33,7 @@ defmodule Planner.MixProject do
  # Type `mix help deps` for examples and options.
  defp deps do
    [
      {:bcrypt_elixir, "~> 2.0"},
      {:phoenix, "~> 1.5.1"},
      {:phoenix_ecto, "~> 4.1"},
      {:ecto_sql, "~> 3.4"},
@ -40,6 +41,7 @@ defmodule Planner.MixProject do
      {:phoenix_html, "~> 2.11"},
      {:phoenix_live_reload, "~> 1.2", only: :dev},
      {:phoenix_live_dashboard, "~> 0.2.0"},
      {:phx_gen_auth, "~> 0.3.0", only: [:dev], runtime: false},
      {:telemetry_metrics, "~> 0.4"},
      {:telemetry_poller, "~> 0.4"},
      {:gettext, "~> 0.11"},
--- a/mix.lock
+++ b/mix.lock
@ -1,4 +1,6 @@
 %{
  "bcrypt_elixir": {:hex, :bcrypt_elixir, "2.2.0", "3df902b81ce7fa8867a2ae30d20a1da6877a2c056bfb116fd0bc8a5f0190cea4", [:make, :mix], [{:comeonin, "~> 5.3", [hex: :comeonin, repo: "hexpm", optional: false]}, {:elixir_make, "~> 0.6", [hex: :elixir_make, repo: "hexpm", optional: false]}], "hexpm", "762be3fcb779f08207531bc6612cca480a338e4b4357abb49f5ce00240a77d1e"},
  "comeonin": {:hex, :comeonin, "5.3.1", "7fe612b739c78c9c1a75186ef2d322ce4d25032d119823269d0aa1e2f1e20025", [:mix], [], "hexpm", "d6222483060c17f0977fad1b7401ef0c5863c985a64352755f366aee3799c245"},
  "connection": {:hex, :connection, "1.0.4", "a1cae72211f0eef17705aaededacac3eb30e6625b04a6117c1b2db6ace7d5976", [:mix], [], "hexpm", "4a0850c9be22a43af9920a71ab17c051f5f7d45c209e40269a1938832510e4d9"},
  "cowboy": {:hex, :cowboy, "2.8.0", "f3dc62e35797ecd9ac1b50db74611193c29815401e53bac9a5c0577bd7bc667d", [:rebar3], [{:cowlib, "~> 2.9.1", [hex: :cowlib, repo: "hexpm", optional: false]}, {:ranch, "~> 1.7.1", [hex: :ranch, repo: "hexpm", optional: false]}], "hexpm", "4643e4fba74ac96d4d152c75803de6fad0b3fa5df354c71afdd6cbeeb15fac8a"},
  "cowlib": {:hex, :cowlib, "2.9.1", "61a6c7c50cf07fdd24b2f45b89500bb93b6686579b069a89f88cb211e1125c78", [:rebar3], [], "hexpm", "e4175dc240a70d996156160891e1c62238ede1729e45740bdd38064dad476170"},
@ -6,6 +8,7 @@
  "decimal": {:hex, :decimal, "1.8.1", "a4ef3f5f3428bdbc0d35374029ffcf4ede8533536fa79896dd450168d9acdf3c", [:mix], [], "hexpm", "3cb154b00225ac687f6cbd4acc4b7960027c757a5152b369923ead9ddbca7aec"},
  "ecto": {:hex, :ecto, "3.4.4", "a2c881e80dc756d648197ae0d936216c0308370332c5e77a2325a10293eef845", [:mix], [{:decimal, "~> 1.6 or ~> 2.0", [hex: :decimal, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:telemetry, "~> 0.4", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "cc4bd3ad62abc3b21fb629f0f7a3dab23a192fca837d257dd08449fba7373561"},
  "ecto_sql": {:hex, :ecto_sql, "3.4.4", "d28bac2d420f708993baed522054870086fd45016a9d09bb2cd521b9c48d32ea", [:mix], [{:db_connection, "~> 2.2", [hex: :db_connection, repo: "hexpm", optional: false]}, {:ecto, "~> 3.4.3", [hex: :ecto, repo: "hexpm", optional: false]}, {:myxql, "~> 0.3.0 or ~> 0.4.0", [hex: :myxql, repo: "hexpm", optional: true]}, {:postgrex, "~> 0.15.0", [hex: :postgrex, repo: "hexpm", optional: true]}, {:tds, "~> 2.1.0", [hex: :tds, repo: "hexpm", optional: true]}, {:telemetry, "~> 0.4.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "edb49af715dd72f213b66adfd0f668a43c17ed510b5d9ac7528569b23af57fe8"},
  "elixir_make": {:hex, :elixir_make, "0.6.0", "38349f3e29aff4864352084fc736fa7fa0f2995a819a737554f7ebd28b85aaab", [:mix], [], "hexpm", "d522695b93b7f0b4c0fcb2dfe73a6b905b1c301226a5a55cb42e5b14d509e050"},
  "file_system": {:hex, :file_system, "0.2.8", "f632bd287927a1eed2b718f22af727c5aeaccc9a98d8c2bd7bff709e851dc986", [:mix], [], "hexpm", "97a3b6f8d63ef53bd0113070102db2ce05352ecf0d25390eb8d747c2bde98bca"},
  "gettext": {:hex, :gettext, "0.18.0", "406d6b9e0e3278162c2ae1de0a60270452c553536772167e2d701f028116f870", [:mix], [], "hexpm", "c3f850be6367ebe1a08616c2158affe4a23231c70391050bf359d5f92f66a571"},
  "jason": {:hex, :jason, "1.2.1", "12b22825e22f468c02eb3e4b9985f3d0cb8dc40b9bd704730efa11abd2708c44", [:mix], [{:decimal, "~> 1.0", [hex: :decimal, repo: "hexpm", optional: true]}], "hexpm", "b659b8571deedf60f79c5a608e15414085fa141344e2716fbd6988a084b5f993"},
@ -17,6 +20,7 @@
  "phoenix_live_reload": {:hex, :phoenix_live_reload, "1.2.4", "940c0344b1d66a2e46eef02af3a70e0c5bb45a4db0bf47917add271b76cd3914", [:mix], [{:file_system, "~> 0.2.1 or ~> 0.3", [hex: :file_system, repo: "hexpm", optional: false]}, {:phoenix, "~> 1.4", [hex: :phoenix, repo: "hexpm", optional: false]}], "hexpm", "38f9308357dea4cc77f247e216da99fcb0224e05ada1469167520bed4cb8cccd"},
  "phoenix_live_view": {:hex, :phoenix_live_view, "0.13.3", "2186c55cc7c54ca45b97c6f28cfd267d1c61b5f205f3c83533704cd991bdfdec", [:mix], [{:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:phoenix, "~> 1.4.17 or ~> 1.5.2", [hex: :phoenix, repo: "hexpm", optional: false]}, {:phoenix_html, "~> 2.14", [hex: :phoenix_html, repo: "hexpm", optional: false]}], "hexpm", "c6309a7da2e779cb9cdf2fb603d75f38f49ef324bedc7a81825998bd1744ff8a"},
  "phoenix_pubsub": {:hex, :phoenix_pubsub, "2.0.0", "a1ae76717bb168cdeb10ec9d92d1480fec99e3080f011402c0a2d68d47395ffb", [:mix], [], "hexpm", "c52d948c4f261577b9c6fa804be91884b381a7f8f18450c5045975435350f771"},
  "phx_gen_auth": {:hex, :phx_gen_auth, "0.3.0", "3d1f1943d7f6ecccec9a540422eec2b764d89a866e77367bc100f07f625091ef", [:mix], [{:phoenix, "~> 1.5.2", [hex: :phoenix, repo: "hexpm", optional: false]}], "hexpm", "98d5a0a8fc34fed40c6ea9db4f57ebad6c1c50cdc0ba3aa8bc4716a5e8285990"},
  "plug": {:hex, :plug, "1.10.3", "c9cebe917637d8db0e759039cc106adca069874e1a9034fd6e3fdd427fd3c283", [:mix], [{:mime, "~> 1.0", [hex: :mime, repo: "hexpm", optional: false]}, {:plug_crypto, "~> 1.1.1 or ~> 1.2", [hex: :plug_crypto, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "01f9037a2a1de1d633b5a881101e6a444bcabb1d386ca1e00bb273a1f1d9d939"},
  "plug_cowboy": {:hex, :plug_cowboy, "2.3.0", "149a50e05cb73c12aad6506a371cd75750c0b19a32f81866e1a323dda9e0e99d", [:mix], [{:cowboy, "~> 2.7", [hex: :cowboy, repo: "hexpm", optional: false]}, {:plug, "~> 1.7", [hex: :plug, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "bc595a1870cef13f9c1e03df56d96804db7f702175e4ccacdb8fc75c02a7b97e"},
  "plug_crypto": {:hex, :plug_crypto, "1.1.2", "bdd187572cc26dbd95b87136290425f2b580a116d3fb1f564216918c9730d227", [:mix], [], "hexpm", "6b8b608f895b6ffcfad49c37c7883e8df98ae19c6a28113b02aa1e9c5b22d6b5"},
--- a/priv/repo/migrations/20200613231040_create_users_auth_tables.exs
+++ b/priv/repo/migrations/20200613231040_create_users_auth_tables.exs
@ -0,0 +1,27 @@
 defmodule Planner.Repo.Migrations.CreateUsersAuthTables do
  use Ecto.Migration
  def change do
    execute "CREATE EXTENSION IF NOT EXISTS citext", ""
    create table(:users) do
      add :email, :citext, null: false
      add :hashed_password, :string, null: false
      add :confirmed_at, :naive_datetime
      timestamps()
    end
    create unique_index(:users, [:email])
    create table(:users_tokens) do
      add :user_id, references(:users, on_delete: :delete_all), null: false
      add :token, :binary, null: false
      add :context, :string, null: false
      add :sent_to, :string
      timestamps(updated_at: false)
    end
    create index(:users_tokens, [:user_id])
    create unique_index(:users_tokens, [:context, :token])
  end
 end
--- a/test/planner/accounts_test.exs
+++ b/test/planner/accounts_test.exs
@ -0,0 +1,429 @@
 defmodule Planner.AccountsTest do
  use Planner.DataCase
  alias Planner.Accounts
  import Planner.AccountsFixtures
  alias Planner.Accounts.{User, UserToken}
  describe "get_user_by_email/1" do
    test "does not return the user if the email does not exist" do
      refute Accounts.get_user_by_email("unknown@example.com")
    end
    test "returns the user if the email exists" do
      %{id: id} = user = user_fixture()
      assert %User{id: ^id} = Accounts.get_user_by_email(user.email)
    end
  end
  describe "get_user_by_email_and_password/1" do
    test "does not return the user if the email does not exist" do
      refute Accounts.get_user_by_email_and_password("unknown@example.com", "hello world!")
    end
    test "does not return the user if the password is not valid" do
      user = user_fixture()
      refute Accounts.get_user_by_email_and_password(user.email, "invalid")
    end
    test "returns the user if the email and password are valid" do
      %{id: id} = user = user_fixture()
      assert %User{id: ^id} =
               Accounts.get_user_by_email_and_password(user.email, valid_user_password())
    end
  end
  describe "get_user!/1" do
    test "raises if id is invalid" do
      assert_raise Ecto.NoResultsError, fn ->
        Accounts.get_user!(-1)
      end
    end
    test "returns the user with the given id" do
      %{id: id} = user = user_fixture()
      assert %User{id: ^id} = Accounts.get_user!(user.id)
    end
  end
  describe "register_user/1" do
    test "requires email and password to be set" do
      {:error, changeset} = Accounts.register_user(%{})
      assert %{
               password: ["can't be blank"],
               email: ["can't be blank"]
             } = errors_on(changeset)
    end
    test "validates email and password when given" do
      {:error, changeset} = Accounts.register_user(%{email: "not valid", password: "nt vld"})
      assert %{
               email: ["must have the @ sign and no spaces"],
               password: ["should be at least 8 character(s)"]
             } = errors_on(changeset)
    end
    test "validates maximum values for e-mail and password for security" do
      too_long = String.duplicate("db", 100)
      {:error, changeset} = Accounts.register_user(%{email: too_long, password: too_long})
      assert "should be at most 160 character(s)" in errors_on(changeset).email
      assert "should be at most 80 character(s)" in errors_on(changeset).password
    end
    test "validates e-mail uniqueness" do
      %{email: email} = user_fixture()
      {:error, changeset} = Accounts.register_user(%{email: email})
      assert "has already been taken" in errors_on(changeset).email
      # Now try with the upper cased e-mail too, to check that email case is ignored.
      {:error, changeset} = Accounts.register_user(%{email: String.upcase(email)})
      assert "has already been taken" in errors_on(changeset).email
    end
    test "registers users with a hashed password" do
      email = unique_user_email()
      {:ok, user} = Accounts.register_user(%{email: email, password: valid_user_password()})
      assert user.email == email
      assert is_binary(user.hashed_password)
      # assert is_nil(user.confirmed_at)
      assert is_nil(user.password)
    end
  end
  describe "change_user_email/2" do
    test "returns a user changeset" do
      assert %Ecto.Changeset{} = changeset = Accounts.change_user_email(%User{})
      assert changeset.required == [:email]
    end
  end
  describe "apply_user_email/3" do
    setup do
      %{user: user_fixture()}
    end
    test "requires email to change", %{user: user} do
      {:error, changeset} = Accounts.apply_user_email(user, valid_user_password(), %{})
      assert %{email: ["did not change"]} = errors_on(changeset)
    end
    test "validates email", %{user: user} do
      {:error, changeset} =
        Accounts.apply_user_email(user, valid_user_password(), %{email: "not valid"})
      assert %{email: ["must have the @ sign and no spaces"]} = errors_on(changeset)
    end
    test "validates maximum value for e-mail for security", %{user: user} do
      too_long = String.duplicate("db", 100)
      {:error, changeset} =
        Accounts.apply_user_email(user, valid_user_password(), %{email: too_long})
      assert "should be at most 160 character(s)" in errors_on(changeset).email
    end
    test "validates e-mail uniqueness", %{user: user} do
      %{email: email} = user_fixture()
      {:error, changeset} =
        Accounts.apply_user_email(user, valid_user_password(), %{email: email})
      assert "has already been taken" in errors_on(changeset).email
    end
    test "validates current password", %{user: user} do
      {:error, changeset} =
        Accounts.apply_user_email(user, "invalid", %{email: unique_user_email()})
      assert %{current_password: ["is not valid"]} = errors_on(changeset)
    end
    test "applies the e-mail without persisting it", %{user: user} do
      email = unique_user_email()
      {:ok, user} = Accounts.apply_user_email(user, valid_user_password(), %{email: email})
      assert user.email == email
      assert Accounts.get_user!(user.id).email != email
    end
  end
  describe "deliver_update_email_instructions/3" do
    setup do
      %{user: user_fixture()}
    end
    test "sends token through notification", %{user: user} do
      token =
        extract_user_token(fn url ->
          Accounts.deliver_update_email_instructions(user, "current@example.com", url)
        end)
      {:ok, token} = Base.url_decode64(token, padding: false)
      assert user_token = Repo.get_by(UserToken, token: :crypto.hash(:sha256, token))
      assert user_token.user_id == user.id
      assert user_token.sent_to == user.email
      assert user_token.context == "change:current@example.com"
    end
  end
  describe "update_user_email/2" do
    setup do
      user = user_fixture()
      email = unique_user_email()
      token =
        extract_user_token(fn url ->
          Accounts.deliver_update_email_instructions(%{user | email: email}, user.email, url)
        end)
      %{user: user, token: token, email: email}
    end
    test "does not update e-mail with invalid token", %{user: user} do
      assert Accounts.update_user_email(user, "oops") == :error
      assert Repo.get!(User, user.id).email == user.email
      assert Repo.get_by(UserToken, user_id: user.id)
    end
    test "does not update e-mail if user e-mail changed", %{user: user, token: token} do
      assert Accounts.update_user_email(%{user | email: "current@example.com"}, token) == :error
      assert Repo.get!(User, user.id).email == user.email
      assert Repo.get_by(UserToken, user_id: user.id)
    end
    test "does not update e-mail if token expired", %{user: user, token: token} do
      {1, nil} = Repo.update_all(UserToken, set: [inserted_at: ~N[2020-01-01 00:00:00]])
      assert Accounts.update_user_email(user, token) == :error
      assert Repo.get!(User, user.id).email == user.email
      assert Repo.get_by(UserToken, user_id: user.id)
    end
  end
  describe "change_user_password/2" do
    test "returns a user changeset" do
      assert %Ecto.Changeset{} = changeset = Accounts.change_user_password(%User{})
      assert changeset.required == [:password]
    end
  end
  describe "update_user_password/3" do
    setup do
      %{user: user_fixture()}
    end
    test "validates password", %{user: user} do
      {:error, changeset} =
        Accounts.update_user_password(user, valid_user_password(), %{
          password: "nt vld",
          password_confirmation: "another"
        })
      assert %{
               password: ["should be at least 8 character(s)"],
               password_confirmation: ["does not match password"]
             } = errors_on(changeset)
    end
    test "validates maximum values for password for security", %{user: user} do
      too_long = String.duplicate("db", 100)
      {:error, changeset} =
        Accounts.update_user_password(user, valid_user_password(), %{password: too_long})
      assert "should be at most 80 character(s)" in errors_on(changeset).password
    end
    test "validates current password", %{user: user} do
      {:error, changeset} =
        Accounts.update_user_password(user, "invalid", %{password: valid_user_password()})
      assert %{current_password: ["is not valid"]} = errors_on(changeset)
    end
    test "updates the password", %{user: user} do
      {:ok, user} =
        Accounts.update_user_password(user, valid_user_password(), %{
          password: "new valid password"
        })
      assert is_nil(user.password)
      assert Accounts.get_user_by_email_and_password(user.email, "new valid password")
    end
    test "deletes all tokens for the given user", %{user: user} do
      _ = Accounts.generate_user_session_token(user)
      {:ok, _} =
        Accounts.update_user_password(user, valid_user_password(), %{
          password: "new valid password"
        })
      refute Repo.get_by(UserToken, user_id: user.id)
    end
  end
  describe "generate_user_session_token/1" do
    setup do
      %{user: user_fixture()}
    end
    test "generates a token", %{user: user} do
      token = Accounts.generate_user_session_token(user)
      assert user_token = Repo.get_by(UserToken, token: token)
      assert user_token.context == "session"
      # Creating the same token for another user should fail
      assert_raise Ecto.ConstraintError, fn ->
        Repo.insert!(%UserToken{
          token: user_token.token,
          user_id: user_fixture().id,
          context: "session"
        })
      end
    end
  end
  describe "get_user_by_session_token/1" do
    setup do
      user = user_fixture()
      token = Accounts.generate_user_session_token(user)
      %{user: user, token: token}
    end
    test "returns user by token", %{user: user, token: token} do
      assert session_user = Accounts.get_user_by_session_token(token)
      assert session_user.id == user.id
    end
    test "does not return user for invalid token" do
      refute Accounts.get_user_by_session_token("oops")
    end
    test "does not return user for expired token", %{token: token} do
      {1, nil} = Repo.update_all(UserToken, set: [inserted_at: ~N[2020-01-01 00:00:00]])
      refute Accounts.get_user_by_session_token(token)
    end
  end
  describe "delete_session_token/1" do
    test "deletes the token" do
      user = user_fixture()
      token = Accounts.generate_user_session_token(user)
      assert Accounts.delete_session_token(token) == :ok
      refute Accounts.get_user_by_session_token(token)
    end
  end
  describe "deliver_user_confirmation_instructions/2" do
    setup do
      %{user: user_fixture()}
    end
  end
  describe "confirm_user/2" do
    setup do
      user = user_fixture()
      token =
        extract_user_token(fn url ->
          Accounts.deliver_user_confirmation_instructions(user, url)
        end)
      %{user: user, token: token}
    end
  end
  describe "deliver_user_reset_password_instructions/2" do
    setup do
      %{user: user_fixture()}
    end
    test "sends token through notification", %{user: user} do
      token =
        extract_user_token(fn url ->
          Accounts.deliver_user_reset_password_instructions(user, url)
        end)
      {:ok, token} = Base.url_decode64(token, padding: false)
      assert user_token = Repo.get_by(UserToken, token: :crypto.hash(:sha256, token))
      assert user_token.user_id == user.id
      assert user_token.sent_to == user.email
      assert user_token.context == "reset_password"
    end
  end
  describe "get_user_by_reset_password_token/2" do
    setup do
      user = user_fixture()
      token =
        extract_user_token(fn url ->
          Accounts.deliver_user_reset_password_instructions(user, url)
        end)
      %{user: user, token: token}
    end
    test "returns the user with valid token", %{user: %{id: id}, token: token} do
      assert %User{id: ^id} = Accounts.get_user_by_reset_password_token(token)
      assert Repo.get_by(UserToken, user_id: id)
    end
    test "does not return the user with invalid token", %{user: user} do
      refute Accounts.get_user_by_reset_password_token("oops")
      assert Repo.get_by(UserToken, user_id: user.id)
    end
    test "does not return the user if token expired", %{user: user, token: token} do
      {1, nil} = Repo.update_all(UserToken, set: [inserted_at: ~N[2020-01-01 00:00:00]])
      refute Accounts.get_user_by_reset_password_token(token)
      assert Repo.get_by(UserToken, user_id: user.id)
    end
  end
  describe "reset_user_password/3" do
    setup do
      %{user: user_fixture()}
    end
    test "validates password", %{user: user} do
      {:error, changeset} =
        Accounts.reset_user_password(user, %{
          password: "nt vld",
          password_confirmation: "another"
        })
      assert %{
               password: ["should be at least 8 character(s)"],
               password_confirmation: ["does not match password"]
             } = errors_on(changeset)
    end
    test "validates maximum values for password for security", %{user: user} do
      too_long = String.duplicate("db", 100)
      {:error, changeset} = Accounts.reset_user_password(user, %{password: too_long})
      assert "should be at most 80 character(s)" in errors_on(changeset).password
    end
    test "updates the password", %{user: user} do
      {:ok, updated_user} = Accounts.reset_user_password(user, %{password: "new valid password"})
      assert is_nil(updated_user.password)
      assert Accounts.get_user_by_email_and_password(user.email, "new valid password")
    end
    test "deletes all tokens for the given user", %{user: user} do
      _ = Accounts.generate_user_session_token(user)
      {:ok, _} = Accounts.reset_user_password(user, %{password: "new valid password"})
      refute Repo.get_by(UserToken, user_id: user.id)
    end
  end
  describe "inspect/2" do
    test "does not include password" do
      refute inspect(%User{password: "123456"}) =~ "password: \"123456\""
    end
  end
 end
--- a/test/planner_web/controllers/page_controller_test.exs
+++ b/test/planner_web/controllers/page_controller_test.exs
@ -1,8 +0,0 @@
 defmodule PlannerWeb.PageControllerTest do
  use PlannerWeb.ConnCase
  test "GET /", %{conn: conn} do
    conn = get(conn, "/")
    assert html_response(conn, 200) =~ "Welcome to Phoenix!"
  end
 end
--- a/test/support/conn_case.ex
+++ b/test/support/conn_case.ex
@ -40,4 +40,30 @@ defmodule PlannerWeb.ConnCase do
    {:ok, conn: Phoenix.ConnTest.build_conn()}
  end
  @doc """
  Setup helper that registers and logs in users.
      setup :register_and_login_user
  It stores an updated connection and a registered user in the
  test context.
  """
  def register_and_login_user(%{conn: conn}) do
    user = Planner.AccountsFixtures.user_fixture()
    %{conn: login_user(conn, user), user: user}
  end
  @doc """
  Logs the given `user` into the `conn`.
  It returns an updated `conn`.
  """
  def login_user(conn, user) do
    token = Planner.Accounts.generate_user_session_token(user)
    conn
    |> Phoenix.ConnTest.init_test_session(%{})
    |> Plug.Conn.put_session(:user_token, token)
  end
 end
--- a/test/support/fixtures/accounts_fixtures.ex
+++ b/test/support/fixtures/accounts_fixtures.ex
@ -0,0 +1,27 @@
 defmodule Planner.AccountsFixtures do
  @moduledoc """
  This module defines test helpers for creating
  entities via the `Planner.Accounts` context.
  """
  def unique_user_email, do: "user#{System.unique_integer()}@example.com"
  def valid_user_password, do: "hello world!"
  def user_fixture(attrs \\ %{}) do
    {:ok, user} =
      attrs
      |> Enum.into(%{
        email: unique_user_email(),
        password: valid_user_password()
      })
      |> Planner.Accounts.register_user()
    user
  end
  def extract_user_token(fun) do
    {:ok, captured} = fun.(&"[TOKEN]#{&1}[TOKEN]")
    [_, token, _] = String.split(captured.body, "[TOKEN]")
    token
  end
 end