Run phx.gen.auth generator for creating users

2020-09-12 21:07:02 -03:00 · 2020-09-12 21:07:02 -03:00 · c9b43ac9b1
commit c9b43ac9b1
parent 0812ed5175
37 changed files with 2476 additions and 0 deletions
--- a/test/real_estate/accounts_test.exs
+++ b/test/real_estate/accounts_test.exs
@ -0,0 +1,480 @@
+defmodule RealEstate.AccountsTest do
+  use RealEstate.DataCase
+
+  alias RealEstate.Accounts
+  import RealEstate.AccountsFixtures
+  alias RealEstate.Accounts.{User, UserToken}
+
+  describe "get_user_by_email/1" do
+    test "does not return the user if the email does not exist" do
+      refute Accounts.get_user_by_email("unknown@example.com")
+    end
+
+    test "returns the user if the email exists" do
+      %{id: id} = user = user_fixture()
+      assert %User{id: ^id} = Accounts.get_user_by_email(user.email)
+    end
+  end
+
+  describe "get_user_by_email_and_password/2" do
+    test "does not return the user if the email does not exist" do
+      refute Accounts.get_user_by_email_and_password("unknown@example.com", "hello world!")
+    end
+
+    test "does not return the user if the password is not valid" do
+      user = user_fixture()
+      refute Accounts.get_user_by_email_and_password(user.email, "invalid")
+    end
+
+    test "returns the user if the email and password are valid" do
+      %{id: id} = user = user_fixture()
+
+      assert %User{id: ^id} =
+               Accounts.get_user_by_email_and_password(user.email, valid_user_password())
+    end
+  end
+
+  describe "get_user!/1" do
+    test "raises if id is invalid" do
+      assert_raise Ecto.NoResultsError, fn ->
+        Accounts.get_user!(-1)
+      end
+    end
+
+    test "returns the user with the given id" do
+      %{id: id} = user = user_fixture()
+      assert %User{id: ^id} = Accounts.get_user!(user.id)
+    end
+  end
+
+  describe "register_user/1" do
+    test "requires email and password to be set" do
+      {:error, changeset} = Accounts.register_user(%{})
+
+      assert %{
+               password: ["can't be blank"],
+               email: ["can't be blank"]
+             } = errors_on(changeset)
+    end
+
+    test "validates email and password when given" do
+      {:error, changeset} = Accounts.register_user(%{email: "not valid", password: "not valid"})
+
+      assert %{
+               email: ["must have the @ sign and no spaces"],
+               password: ["should be at least 12 character(s)"]
+             } = errors_on(changeset)
+    end
+
+    test "validates maximum values for email and password for security" do
+      too_long = String.duplicate("db", 100)
+      {:error, changeset} = Accounts.register_user(%{email: too_long, password: too_long})
+      assert "should be at most 160 character(s)" in errors_on(changeset).email
+      assert "should be at most 80 character(s)" in errors_on(changeset).password
+    end
+
+    test "validates email uniqueness" do
+      %{email: email} = user_fixture()
+      {:error, changeset} = Accounts.register_user(%{email: email})
+      assert "has already been taken" in errors_on(changeset).email
+
+      # Now try with the upper cased email too, to check that email case is ignored.
+      {:error, changeset} = Accounts.register_user(%{email: String.upcase(email)})
+      assert "has already been taken" in errors_on(changeset).email
+    end
+
+    test "registers users with a hashed password" do
+      email = unique_user_email()
+      {:ok, user} = Accounts.register_user(%{email: email, password: valid_user_password()})
+      assert user.email == email
+      assert is_binary(user.hashed_password)
+      assert is_nil(user.confirmed_at)
+      assert is_nil(user.password)
+    end
+  end
+
+  describe "change_user_registration/2" do
+    test "returns a changeset" do
+      assert %Ecto.Changeset{} = changeset = Accounts.change_user_registration(%User{})
+      assert changeset.required == [:password, :email]
+    end
+  end
+
+  describe "change_user_email/2" do
+    test "returns a user changeset" do
+      assert %Ecto.Changeset{} = changeset = Accounts.change_user_email(%User{})
+      assert changeset.required == [:email]
+    end
+  end
+
+  describe "apply_user_email/3" do
+    setup do
+      %{user: user_fixture()}
+    end
+
+    test "requires email to change", %{user: user} do
+      {:error, changeset} = Accounts.apply_user_email(user, valid_user_password(), %{})
+      assert %{email: ["did not change"]} = errors_on(changeset)
+    end
+
+    test "validates email", %{user: user} do
+      {:error, changeset} =
+        Accounts.apply_user_email(user, valid_user_password(), %{email: "not valid"})
+
+      assert %{email: ["must have the @ sign and no spaces"]} = errors_on(changeset)
+    end
+
+    test "validates maximum value for email for security", %{user: user} do
+      too_long = String.duplicate("db", 100)
+
+      {:error, changeset} =
+        Accounts.apply_user_email(user, valid_user_password(), %{email: too_long})
+
+      assert "should be at most 160 character(s)" in errors_on(changeset).email
+    end
+
+    test "validates email uniqueness", %{user: user} do
+      %{email: email} = user_fixture()
+
+      {:error, changeset} =
+        Accounts.apply_user_email(user, valid_user_password(), %{email: email})
+
+      assert "has already been taken" in errors_on(changeset).email
+    end
+
+    test "validates current password", %{user: user} do
+      {:error, changeset} =
+        Accounts.apply_user_email(user, "invalid", %{email: unique_user_email()})
+
+      assert %{current_password: ["is not valid"]} = errors_on(changeset)
+    end
+
+    test "applies the email without persisting it", %{user: user} do
+      email = unique_user_email()
+      {:ok, user} = Accounts.apply_user_email(user, valid_user_password(), %{email: email})
+      assert user.email == email
+      assert Accounts.get_user!(user.id).email != email
+    end
+  end
+
+  describe "deliver_update_email_instructions/3" do
+    setup do
+      %{user: user_fixture()}
+    end
+
+    test "sends token through notification", %{user: user} do
+      token =
+        extract_user_token(fn url ->
+          Accounts.deliver_update_email_instructions(user, "current@example.com", url)
+        end)
+
+      {:ok, token} = Base.url_decode64(token, padding: false)
+      assert user_token = Repo.get_by(UserToken, token: :crypto.hash(:sha256, token))
+      assert user_token.user_id == user.id
+      assert user_token.sent_to == user.email
+      assert user_token.context == "change:current@example.com"
+    end
+  end
+
+  describe "update_user_email/2" do
+    setup do
+      user = user_fixture()
+      email = unique_user_email()
+
+      token =
+        extract_user_token(fn url ->
+          Accounts.deliver_update_email_instructions(%{user | email: email}, user.email, url)
+        end)
+
+      %{user: user, token: token, email: email}
+    end
+
+    test "updates the email with a valid token", %{user: user, token: token, email: email} do
+      assert Accounts.update_user_email(user, token) == :ok
+      changed_user = Repo.get!(User, user.id)
+      assert changed_user.email != user.email
+      assert changed_user.email == email
+      assert changed_user.confirmed_at
+      assert changed_user.confirmed_at != user.confirmed_at
+      refute Repo.get_by(UserToken, user_id: user.id)
+    end
+
+    test "does not update email with invalid token", %{user: user} do
+      assert Accounts.update_user_email(user, "oops") == :error
+      assert Repo.get!(User, user.id).email == user.email
+      assert Repo.get_by(UserToken, user_id: user.id)
+    end
+
+    test "does not update email if user email changed", %{user: user, token: token} do
+      assert Accounts.update_user_email(%{user | email: "current@example.com"}, token) == :error
+      assert Repo.get!(User, user.id).email == user.email
+      assert Repo.get_by(UserToken, user_id: user.id)
+    end
+
+    test "does not update email if token expired", %{user: user, token: token} do
+      {1, nil} = Repo.update_all(UserToken, set: [inserted_at: ~N[2020-01-01 00:00:00]])
+      assert Accounts.update_user_email(user, token) == :error
+      assert Repo.get!(User, user.id).email == user.email
+      assert Repo.get_by(UserToken, user_id: user.id)
+    end
+  end
+
+  describe "change_user_password/2" do
+    test "returns a user changeset" do
+      assert %Ecto.Changeset{} = changeset = Accounts.change_user_password(%User{})
+      assert changeset.required == [:password]
+    end
+  end
+
+  describe "update_user_password/3" do
+    setup do
+      %{user: user_fixture()}
+    end
+
+    test "validates password", %{user: user} do
+      {:error, changeset} =
+        Accounts.update_user_password(user, valid_user_password(), %{
+          password: "not valid",
+          password_confirmation: "another"
+        })
+
+      assert %{
+               password: ["should be at least 12 character(s)"],
+               password_confirmation: ["does not match password"]
+             } = errors_on(changeset)
+    end
+
+    test "validates maximum values for password for security", %{user: user} do
+      too_long = String.duplicate("db", 100)
+
+      {:error, changeset} =
+        Accounts.update_user_password(user, valid_user_password(), %{password: too_long})
+
+      assert "should be at most 80 character(s)" in errors_on(changeset).password
+    end
+
+    test "validates current password", %{user: user} do
+      {:error, changeset} =
+        Accounts.update_user_password(user, "invalid", %{password: valid_user_password()})
+
+      assert %{current_password: ["is not valid"]} = errors_on(changeset)
+    end
+
+    test "updates the password", %{user: user} do
+      {:ok, user} =
+        Accounts.update_user_password(user, valid_user_password(), %{
+          password: "new valid password"
+        })
+
+      assert is_nil(user.password)
+      assert Accounts.get_user_by_email_and_password(user.email, "new valid password")
+    end
+
+    test "deletes all tokens for the given user", %{user: user} do
+      _ = Accounts.generate_user_session_token(user)
+
+      {:ok, _} =
+        Accounts.update_user_password(user, valid_user_password(), %{
+          password: "new valid password"
+        })
+
+      refute Repo.get_by(UserToken, user_id: user.id)
+    end
+  end
+
+  describe "generate_user_session_token/1" do
+    setup do
+      %{user: user_fixture()}
+    end
+
+    test "generates a token", %{user: user} do
+      token = Accounts.generate_user_session_token(user)
+      assert user_token = Repo.get_by(UserToken, token: token)
+      assert user_token.context == "session"
+
+      # Creating the same token for another user should fail
+      assert_raise Ecto.ConstraintError, fn ->
+        Repo.insert!(%UserToken{
+          token: user_token.token,
+          user_id: user_fixture().id,
+          context: "session"
+        })
+      end
+    end
+  end
+
+  describe "get_user_by_session_token/1" do
+    setup do
+      user = user_fixture()
+      token = Accounts.generate_user_session_token(user)
+      %{user: user, token: token}
+    end
+
+    test "returns user by token", %{user: user, token: token} do
+      assert session_user = Accounts.get_user_by_session_token(token)
+      assert session_user.id == user.id
+    end
+
+    test "does not return user for invalid token" do
+      refute Accounts.get_user_by_session_token("oops")
+    end
+
+    test "does not return user for expired token", %{token: token} do
+      {1, nil} = Repo.update_all(UserToken, set: [inserted_at: ~N[2020-01-01 00:00:00]])
+      refute Accounts.get_user_by_session_token(token)
+    end
+  end
+
+  describe "delete_session_token/1" do
+    test "deletes the token" do
+      user = user_fixture()
+      token = Accounts.generate_user_session_token(user)
+      assert Accounts.delete_session_token(token) == :ok
+      refute Accounts.get_user_by_session_token(token)
+    end
+  end
+
+  describe "deliver_user_confirmation_instructions/2" do
+    setup do
+      %{user: user_fixture()}
+    end
+
+    test "sends token through notification", %{user: user} do
+      token =
+        extract_user_token(fn url ->
+          Accounts.deliver_user_confirmation_instructions(user, url)
+        end)
+
+      {:ok, token} = Base.url_decode64(token, padding: false)
+      assert user_token = Repo.get_by(UserToken, token: :crypto.hash(:sha256, token))
+      assert user_token.user_id == user.id
+      assert user_token.sent_to == user.email
+      assert user_token.context == "confirm"
+    end
+  end
+
+  describe "confirm_user/2" do
+    setup do
+      user = user_fixture()
+
+      token =
+        extract_user_token(fn url ->
+          Accounts.deliver_user_confirmation_instructions(user, url)
+        end)
+
+      %{user: user, token: token}
+    end
+
+    test "confirms the email with a valid token", %{user: user, token: token} do
+      assert {:ok, confirmed_user} = Accounts.confirm_user(token)
+      assert confirmed_user.confirmed_at
+      assert confirmed_user.confirmed_at != user.confirmed_at
+      assert Repo.get!(User, user.id).confirmed_at
+      refute Repo.get_by(UserToken, user_id: user.id)
+    end
+
+    test "does not confirm with invalid token", %{user: user} do
+      assert Accounts.confirm_user("oops") == :error
+      refute Repo.get!(User, user.id).confirmed_at
+      assert Repo.get_by(UserToken, user_id: user.id)
+    end
+
+    test "does not confirm email if token expired", %{user: user, token: token} do
+      {1, nil} = Repo.update_all(UserToken, set: [inserted_at: ~N[2020-01-01 00:00:00]])
+      assert Accounts.confirm_user(token) == :error
+      refute Repo.get!(User, user.id).confirmed_at
+      assert Repo.get_by(UserToken, user_id: user.id)
+    end
+  end
+
+  describe "deliver_user_reset_password_instructions/2" do
+    setup do
+      %{user: user_fixture()}
+    end
+
+    test "sends token through notification", %{user: user} do
+      token =
+        extract_user_token(fn url ->
+          Accounts.deliver_user_reset_password_instructions(user, url)
+        end)
+
+      {:ok, token} = Base.url_decode64(token, padding: false)
+      assert user_token = Repo.get_by(UserToken, token: :crypto.hash(:sha256, token))
+      assert user_token.user_id == user.id
+      assert user_token.sent_to == user.email
+      assert user_token.context == "reset_password"
+    end
+  end
+
+  describe "get_user_by_reset_password_token/1" do
+    setup do
+      user = user_fixture()
+
+      token =
+        extract_user_token(fn url ->
+          Accounts.deliver_user_reset_password_instructions(user, url)
+        end)
+
+      %{user: user, token: token}
+    end
+
+    test "returns the user with valid token", %{user: %{id: id}, token: token} do
+      assert %User{id: ^id} = Accounts.get_user_by_reset_password_token(token)
+      assert Repo.get_by(UserToken, user_id: id)
+    end
+
+    test "does not return the user with invalid token", %{user: user} do
+      refute Accounts.get_user_by_reset_password_token("oops")
+      assert Repo.get_by(UserToken, user_id: user.id)
+    end
+
+    test "does not return the user if token expired", %{user: user, token: token} do
+      {1, nil} = Repo.update_all(UserToken, set: [inserted_at: ~N[2020-01-01 00:00:00]])
+      refute Accounts.get_user_by_reset_password_token(token)
+      assert Repo.get_by(UserToken, user_id: user.id)
+    end
+  end
+
+  describe "reset_user_password/2" do
+    setup do
+      %{user: user_fixture()}
+    end
+
+    test "validates password", %{user: user} do
+      {:error, changeset} =
+        Accounts.reset_user_password(user, %{
+          password: "not valid",
+          password_confirmation: "another"
+        })
+
+      assert %{
+               password: ["should be at least 12 character(s)"],
+               password_confirmation: ["does not match password"]
+             } = errors_on(changeset)
+    end
+
+    test "validates maximum values for password for security", %{user: user} do
+      too_long = String.duplicate("db", 100)
+      {:error, changeset} = Accounts.reset_user_password(user, %{password: too_long})
+      assert "should be at most 80 character(s)" in errors_on(changeset).password
+    end
+
+    test "updates the password", %{user: user} do
+      {:ok, updated_user} = Accounts.reset_user_password(user, %{password: "new valid password"})
+      assert is_nil(updated_user.password)
+      assert Accounts.get_user_by_email_and_password(user.email, "new valid password")
+    end
+
+    test "deletes all tokens for the given user", %{user: user} do
+      _ = Accounts.generate_user_session_token(user)
+      {:ok, _} = Accounts.reset_user_password(user, %{password: "new valid password"})
+      refute Repo.get_by(UserToken, user_id: user.id)
+    end
+  end
+
+  describe "inspect/2" do
+    test "does not include password" do
+      refute inspect(%User{password: "123456"}) =~ "password: \"123456\""
+    end
+  end
+end
--- a/test/real_estate_web/controllers/user_auth_test.exs
+++ b/test/real_estate_web/controllers/user_auth_test.exs
@ -0,0 +1,171 @@
+defmodule RealEstateWeb.UserAuthTest do
+  use RealEstateWeb.ConnCase, async: true
+
+  alias RealEstate.Accounts
+  alias RealEstateWeb.UserAuth
+  import RealEstate.AccountsFixtures
+
+  setup %{conn: conn} do
+    conn =
+      conn
+      |> Map.replace!(:secret_key_base, RealEstateWeb.Endpoint.config(:secret_key_base))
+      |> init_test_session(%{})
+
+    %{user: user_fixture(), conn: conn}
+  end
+
+  describe "log_in_user/3" do
+    test "stores the user token in the session", %{conn: conn, user: user} do
+      conn = UserAuth.log_in_user(conn, user)
+      assert token = get_session(conn, :user_token)
+      assert get_session(conn, :live_socket_id) == "users_sessions:#{Base.url_encode64(token)}"
+      assert redirected_to(conn) == "/"
+      assert Accounts.get_user_by_session_token(token)
+    end
+
+    test "clears everything previously stored in the session", %{conn: conn, user: user} do
+      conn = conn |> put_session(:to_be_removed, "value") |> UserAuth.log_in_user(user)
+      refute get_session(conn, :to_be_removed)
+    end
+
+    test "redirects to the configured path", %{conn: conn, user: user} do
+      conn = conn |> put_session(:user_return_to, "/hello") |> UserAuth.log_in_user(user)
+      assert redirected_to(conn) == "/hello"
+    end
+
+    test "writes a cookie if remember_me is configured", %{conn: conn, user: user} do
+      conn = conn |> fetch_cookies() |> UserAuth.log_in_user(user, %{"remember_me" => "true"})
+      assert get_session(conn, :user_token) == conn.cookies["user_remember_me"]
+
+      assert %{value: signed_token, max_age: max_age} = conn.resp_cookies["user_remember_me"]
+      assert signed_token != get_session(conn, :user_token)
+      assert max_age == 5_184_000
+    end
+  end
+
+  describe "logout_user/1" do
+    test "erases session and cookies", %{conn: conn, user: user} do
+      user_token = Accounts.generate_user_session_token(user)
+
+      conn =
+        conn
+        |> put_session(:user_token, user_token)
+        |> put_req_cookie("user_remember_me", user_token)
+        |> fetch_cookies()
+        |> UserAuth.log_out_user()
+
+      refute get_session(conn, :user_token)
+      refute conn.cookies["user_remember_me"]
+      assert %{max_age: 0} = conn.resp_cookies["user_remember_me"]
+      assert redirected_to(conn) == "/"
+      refute Accounts.get_user_by_session_token(user_token)
+    end
+
+    test "broadcasts to the given live_socket_id", %{conn: conn} do
+      live_socket_id = "users_sessions:abcdef-token"
+      RealEstateWeb.Endpoint.subscribe(live_socket_id)
+
+      conn
+      |> put_session(:live_socket_id, live_socket_id)
+      |> UserAuth.log_out_user()
+
+      assert_receive %Phoenix.Socket.Broadcast{
+        event: "disconnect",
+        topic: "users_sessions:abcdef-token"
+      }
+    end
+
+    test "works even if user is already logged out", %{conn: conn} do
+      conn = conn |> fetch_cookies() |> UserAuth.log_out_user()
+      refute get_session(conn, :user_token)
+      assert %{max_age: 0} = conn.resp_cookies["user_remember_me"]
+      assert redirected_to(conn) == "/"
+    end
+  end
+
+  describe "fetch_current_user/2" do
+    test "authenticates user from session", %{conn: conn, user: user} do
+      user_token = Accounts.generate_user_session_token(user)
+      conn = conn |> put_session(:user_token, user_token) |> UserAuth.fetch_current_user([])
+      assert conn.assigns.current_user.id == user.id
+    end
+
+    test "authenticates user from cookies", %{conn: conn, user: user} do
+      logged_in_conn =
+        conn |> fetch_cookies() |> UserAuth.log_in_user(user, %{"remember_me" => "true"})
+
+      user_token = logged_in_conn.cookies["user_remember_me"]
+      %{value: signed_token} = logged_in_conn.resp_cookies["user_remember_me"]
+
+      conn =
+        conn
+        |> put_req_cookie("user_remember_me", signed_token)
+        |> UserAuth.fetch_current_user([])
+
+      assert get_session(conn, :user_token) == user_token
+      assert conn.assigns.current_user.id == user.id
+    end
+
+    test "does not authenticate if data is missing", %{conn: conn, user: user} do
+      _ = Accounts.generate_user_session_token(user)
+      conn = UserAuth.fetch_current_user(conn, [])
+      refute get_session(conn, :user_token)
+      refute conn.assigns.current_user
+    end
+  end
+
+  describe "redirect_if_user_is_authenticated/2" do
+    test "redirects if user is authenticated", %{conn: conn, user: user} do
+      conn = conn |> assign(:current_user, user) |> UserAuth.redirect_if_user_is_authenticated([])
+      assert conn.halted
+      assert redirected_to(conn) == "/"
+    end
+
+    test "does not redirect if user is not authenticated", %{conn: conn} do
+      conn = UserAuth.redirect_if_user_is_authenticated(conn, [])
+      refute conn.halted
+      refute conn.status
+    end
+  end
+
+  describe "require_authenticated_user/2" do
+    test "redirects if user is not authenticated", %{conn: conn} do
+      conn = conn |> fetch_flash() |> UserAuth.require_authenticated_user([])
+      assert conn.halted
+      assert redirected_to(conn) == Routes.user_session_path(conn, :new)
+      assert get_flash(conn, :error) == "You must log in to access this page."
+    end
+
+    test "stores the path to redirect to on GET", %{conn: conn} do
+      halted_conn =
+        %{conn | request_path: "/foo", query_string: ""}
+        |> fetch_flash()
+        |> UserAuth.require_authenticated_user([])
+
+      assert halted_conn.halted
+      assert get_session(halted_conn, :user_return_to) == "/foo"
+
+      halted_conn =
+        %{conn | request_path: "/foo", query_string: "bar=baz"}
+        |> fetch_flash()
+        |> UserAuth.require_authenticated_user([])
+
+      assert halted_conn.halted
+      assert get_session(halted_conn, :user_return_to) == "/foo?bar=baz"
+
+      halted_conn =
+        %{conn | request_path: "/foo?bar", method: "POST"}
+        |> fetch_flash()
+        |> UserAuth.require_authenticated_user([])
+
+      assert halted_conn.halted
+      refute get_session(halted_conn, :user_return_to)
+    end
+
+    test "does not redirect if user is authenticated", %{conn: conn, user: user} do
+      conn = conn |> assign(:current_user, user) |> UserAuth.require_authenticated_user([])
+      refute conn.halted
+      refute conn.status
+    end
+  end
+end
--- a/test/real_estate_web/controllers/user_confirmation_controller_test.exs
+++ b/test/real_estate_web/controllers/user_confirmation_controller_test.exs
@ -0,0 +1,84 @@
+defmodule RealEstateWeb.UserConfirmationControllerTest do
+  use RealEstateWeb.ConnCase, async: true
+
+  alias RealEstate.Accounts
+  alias RealEstate.Repo
+  import RealEstate.AccountsFixtures
+
+  setup do
+    %{user: user_fixture()}
+  end
+
+  describe "GET /users/confirm" do
+    test "renders the confirmation page", %{conn: conn} do
+      conn = get(conn, Routes.user_confirmation_path(conn, :new))
+      response = html_response(conn, 200)
+      assert response =~ "<h1>Resend confirmation instructions</h1>"
+    end
+  end
+
+  describe "POST /users/confirm" do
+    @tag :capture_log
+    test "sends a new confirmation token", %{conn: conn, user: user} do
+      conn =
+        post(conn, Routes.user_confirmation_path(conn, :create), %{
+          "user" => %{"email" => user.email}
+        })
+
+      assert redirected_to(conn) == "/"
+      assert get_flash(conn, :info) =~ "If your email is in our system"
+      assert Repo.get_by!(Accounts.UserToken, user_id: user.id).context == "confirm"
+    end
+
+    test "does not send confirmation token if account is confirmed", %{conn: conn, user: user} do
+      Repo.update!(Accounts.User.confirm_changeset(user))
+
+      conn =
+        post(conn, Routes.user_confirmation_path(conn, :create), %{
+          "user" => %{"email" => user.email}
+        })
+
+      assert redirected_to(conn) == "/"
+      assert get_flash(conn, :info) =~ "If your email is in our system"
+      refute Repo.get_by(Accounts.UserToken, user_id: user.id)
+    end
+
+    test "does not send confirmation token if email is invalid", %{conn: conn} do
+      conn =
+        post(conn, Routes.user_confirmation_path(conn, :create), %{
+          "user" => %{"email" => "unknown@example.com"}
+        })
+
+      assert redirected_to(conn) == "/"
+      assert get_flash(conn, :info) =~ "If your email is in our system"
+      assert Repo.all(Accounts.UserToken) == []
+    end
+  end
+
+  describe "GET /users/confirm/:token" do
+    test "confirms the given token once", %{conn: conn, user: user} do
+      token =
+        extract_user_token(fn url ->
+          Accounts.deliver_user_confirmation_instructions(user, url)
+        end)
+
+      conn = get(conn, Routes.user_confirmation_path(conn, :confirm, token))
+      assert redirected_to(conn) == "/"
+      assert get_flash(conn, :info) =~ "Account confirmed successfully"
+      assert Accounts.get_user!(user.id).confirmed_at
+      refute get_session(conn, :user_token)
+      assert Repo.all(Accounts.UserToken) == []
+
+      conn = get(conn, Routes.user_confirmation_path(conn, :confirm, token))
+      assert redirected_to(conn) == "/"
+      assert get_flash(conn, :error) =~ "Confirmation link is invalid or it has expired"
+    end
+
+    test "does not confirm email with invalid token", %{conn: conn, user: user} do
+      conn = get(conn, Routes.user_confirmation_path(conn, :confirm, "oops"))
+      assert redirected_to(conn) == "/"
+      assert get_flash(conn, :error) =~ "Confirmation link is invalid or it has expired"
+      refute Accounts.get_user!(user.id).confirmed_at
+    end
+  end
+end
--- a/test/real_estate_web/controllers/user_registration_controller_test.exs
+++ b/test/real_estate_web/controllers/user_registration_controller_test.exs
@ -0,0 +1,54 @@
+defmodule RealEstateWeb.UserRegistrationControllerTest do
+  use RealEstateWeb.ConnCase, async: true
+
+  import RealEstate.AccountsFixtures
+
+  describe "GET /users/register" do
+    test "renders registration page", %{conn: conn} do
+      conn = get(conn, Routes.user_registration_path(conn, :new))
+      response = html_response(conn, 200)
+      assert response =~ "<h1>Register</h1>"
+      assert response =~ "Log in</a>"
+      assert response =~ "Register</a>"
+    end
+
+    test "redirects if already logged in", %{conn: conn} do
+      conn = conn |> log_in_user(user_fixture()) |> get(Routes.user_registration_path(conn, :new))
+      assert redirected_to(conn) == "/"
+    end
+  end
+
+  describe "POST /users/register" do
+    @tag :capture_log
+    test "creates account and logs the user in", %{conn: conn} do
+      email = unique_user_email()
+
+      conn =
+        post(conn, Routes.user_registration_path(conn, :create), %{
+          "user" => %{"email" => email, "password" => valid_user_password()}
+        })
+
+      assert get_session(conn, :user_token)
+      assert redirected_to(conn) =~ "/"
+
+      # Now do a logged in request and assert on the menu
+      conn = get(conn, "/")
+      response = html_response(conn, 200)
+      assert response =~ email
+      assert response =~ "Settings</a>"
+      assert response =~ "Log out</a>"
+    end
+
+    test "render errors for invalid data", %{conn: conn} do
+      conn =
+        post(conn, Routes.user_registration_path(conn, :create), %{
+          "user" => %{"email" => "with spaces", "password" => "too short"}
+        })
+
+      response = html_response(conn, 200)
+      assert response =~ "<h1>Register</h1>"
+      assert response =~ "must have the @ sign and no spaces"
+      assert response =~ "should be at least 12 character"
+    end
+  end
+end
--- a/test/real_estate_web/controllers/user_reset_password_controller_test.exs
+++ b/test/real_estate_web/controllers/user_reset_password_controller_test.exs
@ -0,0 +1,113 @@
+defmodule RealEstateWeb.UserResetPasswordControllerTest do
+  use RealEstateWeb.ConnCase, async: true
+
+  alias RealEstate.Accounts
+  alias RealEstate.Repo
+  import RealEstate.AccountsFixtures
+
+  setup do
+    %{user: user_fixture()}
+  end
+
+  describe "GET /users/reset_password" do
+    test "renders the reset password page", %{conn: conn} do
+      conn = get(conn, Routes.user_reset_password_path(conn, :new))
+      response = html_response(conn, 200)
+      assert response =~ "<h1>Forgot your password?</h1>"
+    end
+  end
+
+  describe "POST /users/reset_password" do
+    @tag :capture_log
+    test "sends a new reset password token", %{conn: conn, user: user} do
+      conn =
+        post(conn, Routes.user_reset_password_path(conn, :create), %{
+          "user" => %{"email" => user.email}
+        })
+
+      assert redirected_to(conn) == "/"
+      assert get_flash(conn, :info) =~ "If your email is in our system"
+      assert Repo.get_by!(Accounts.UserToken, user_id: user.id).context == "reset_password"
+    end
+
+    test "does not send reset password token if email is invalid", %{conn: conn} do
+      conn =
+        post(conn, Routes.user_reset_password_path(conn, :create), %{
+          "user" => %{"email" => "unknown@example.com"}
+        })
+
+      assert redirected_to(conn) == "/"
+      assert get_flash(conn, :info) =~ "If your email is in our system"
+      assert Repo.all(Accounts.UserToken) == []
+    end
+  end
+
+  describe "GET /users/reset_password/:token" do
+    setup %{user: user} do
+      token =
+        extract_user_token(fn url ->
+          Accounts.deliver_user_reset_password_instructions(user, url)
+        end)
+
+      %{token: token}
+    end
+
+    test "renders reset password", %{conn: conn, token: token} do
+      conn = get(conn, Routes.user_reset_password_path(conn, :edit, token))
+      assert html_response(conn, 200) =~ "<h1>Reset password</h1>"
+    end
+
+    test "does not render reset password with invalid token", %{conn: conn} do
+      conn = get(conn, Routes.user_reset_password_path(conn, :edit, "oops"))
+      assert redirected_to(conn) == "/"
+      assert get_flash(conn, :error) =~ "Reset password link is invalid or it has expired"
+    end
+  end
+
+  describe "PUT /users/reset_password/:token" do
+    setup %{user: user} do
+      token =
+        extract_user_token(fn url ->
+          Accounts.deliver_user_reset_password_instructions(user, url)
+        end)
+
+      %{token: token}
+    end
+
+    test "resets password once", %{conn: conn, user: user, token: token} do
+      conn =
+        put(conn, Routes.user_reset_password_path(conn, :update, token), %{
+          "user" => %{
+            "password" => "new valid password",
+            "password_confirmation" => "new valid password"
+          }
+        })
+
+      assert redirected_to(conn) == Routes.user_session_path(conn, :new)
+      refute get_session(conn, :user_token)
+      assert get_flash(conn, :info) =~ "Password reset successfully"
+      assert Accounts.get_user_by_email_and_password(user.email, "new valid password")
+    end
+
+    test "does not reset password on invalid data", %{conn: conn, token: token} do
+      conn =
+        put(conn, Routes.user_reset_password_path(conn, :update, token), %{
+          "user" => %{
+            "password" => "too short",
+            "password_confirmation" => "does not match"
+          }
+        })
+
+      response = html_response(conn, 200)
+      assert response =~ "<h1>Reset password</h1>"
+      assert response =~ "should be at least 12 character(s)"
+      assert response =~ "does not match password"
+    end
+
+    test "does not reset password with invalid token", %{conn: conn} do
+      conn = put(conn, Routes.user_reset_password_path(conn, :update, "oops"))
+      assert redirected_to(conn) == "/"
+      assert get_flash(conn, :error) =~ "Reset password link is invalid or it has expired"
+    end
+  end
+end
--- a/test/real_estate_web/controllers/user_session_controller_test.exs
+++ b/test/real_estate_web/controllers/user_session_controller_test.exs
@ -0,0 +1,84 @@
+defmodule RealEstateWeb.UserSessionControllerTest do
+  use RealEstateWeb.ConnCase, async: true
+
+  import RealEstate.AccountsFixtures
+
+  setup do
+    %{user: user_fixture()}
+  end
+
+  describe "GET /users/log_in" do
+    test "renders log in page", %{conn: conn} do
+      conn = get(conn, Routes.user_session_path(conn, :new))
+      response = html_response(conn, 200)
+      assert response =~ "<h1>Log in</h1>"
+      assert response =~ "Log in</a>"
+      assert response =~ "Register</a>"
+    end
+
+    test "redirects if already logged in", %{conn: conn, user: user} do
+      conn = conn |> log_in_user(user) |> get(Routes.user_session_path(conn, :new))
+      assert redirected_to(conn) == "/"
+    end
+  end
+
+  describe "POST /users/log_in" do
+    test "logs the user in", %{conn: conn, user: user} do
+      conn =
+        post(conn, Routes.user_session_path(conn, :create), %{
+          "user" => %{"email" => user.email, "password" => valid_user_password()}
+        })
+
+      assert get_session(conn, :user_token)
+      assert redirected_to(conn) =~ "/"
+
+      # Now do a logged in request and assert on the menu
+      conn = get(conn, "/")
+      response = html_response(conn, 200)
+      assert response =~ user.email
+      assert response =~ "Settings</a>"
+      assert response =~ "Log out</a>"
+    end
+
+    test "logs the user in with remember me", %{conn: conn, user: user} do
+      conn =
+        post(conn, Routes.user_session_path(conn, :create), %{
+          "user" => %{
+            "email" => user.email,
+            "password" => valid_user_password(),
+            "remember_me" => "true"
+          }
+        })
+
+      assert conn.resp_cookies["user_remember_me"]
+      assert redirected_to(conn) =~ "/"
+    end
+
+    test "emits error message with invalid credentials", %{conn: conn, user: user} do
+      conn =
+        post(conn, Routes.user_session_path(conn, :create), %{
+          "user" => %{"email" => user.email, "password" => "invalid_password"}
+        })
+
+      response = html_response(conn, 200)
+      assert response =~ "<h1>Log in</h1>"
+      assert response =~ "Invalid email or password"
+    end
+  end
+
+  describe "DELETE /users/log_out" do
+    test "logs the user out", %{conn: conn, user: user} do
+      conn = conn |> log_in_user(user) |> delete(Routes.user_session_path(conn, :delete))
+      assert redirected_to(conn) == "/"
+      refute get_session(conn, :user_token)
+      assert get_flash(conn, :info) =~ "Logged out successfully"
+    end
+
+    test "succeeds even if the user is not logged in", %{conn: conn} do
+      conn = delete(conn, Routes.user_session_path(conn, :delete))
+      assert redirected_to(conn) == "/"
+      refute get_session(conn, :user_token)
+      assert get_flash(conn, :info) =~ "Logged out successfully"
+    end
+  end
+end
--- a/test/real_estate_web/controllers/user_settings_controller_test.exs
+++ b/test/real_estate_web/controllers/user_settings_controller_test.exs
@ -0,0 +1,125 @@
+defmodule RealEstateWeb.UserSettingsControllerTest do
+  use RealEstateWeb.ConnCase, async: true
+
+  alias RealEstate.Accounts
+  import RealEstate.AccountsFixtures
+
+  setup :register_and_log_in_user
+
+  describe "GET /users/settings" do
+    test "renders settings page", %{conn: conn} do
+      conn = get(conn, Routes.user_settings_path(conn, :edit))
+      response = html_response(conn, 200)
+      assert response =~ "<h1>Settings</h1>"
+    end
+
+    test "redirects if user is not logged in" do
+      conn = build_conn()
+      conn = get(conn, Routes.user_settings_path(conn, :edit))
+      assert redirected_to(conn) == Routes.user_session_path(conn, :new)
+    end
+  end
+
+  describe "PUT /users/settings/update_password" do
+    test "updates the user password and resets tokens", %{conn: conn, user: user} do
+      new_password_conn =
+        put(conn, Routes.user_settings_path(conn, :update_password), %{
+          "current_password" => valid_user_password(),
+          "user" => %{
+            "password" => "new valid password",
+            "password_confirmation" => "new valid password"
+          }
+        })
+
+      assert redirected_to(new_password_conn) == Routes.user_settings_path(conn, :edit)
+      assert get_session(new_password_conn, :user_token) != get_session(conn, :user_token)
+      assert get_flash(new_password_conn, :info) =~ "Password updated successfully"
+      assert Accounts.get_user_by_email_and_password(user.email, "new valid password")
+    end
+
+    test "does not update password on invalid data", %{conn: conn} do
+      old_password_conn =
+        put(conn, Routes.user_settings_path(conn, :update_password), %{
+          "current_password" => "invalid",
+          "user" => %{
+            "password" => "too short",
+            "password_confirmation" => "does not match"
+          }
+        })
+
+      response = html_response(old_password_conn, 200)
+      assert response =~ "<h1>Settings</h1>"
+      assert response =~ "should be at least 12 character(s)"
+      assert response =~ "does not match password"
+      assert response =~ "is not valid"
+
+      assert get_session(old_password_conn, :user_token) == get_session(conn, :user_token)
+    end
+  end
+
+  describe "PUT /users/settings/update_email" do
+    @tag :capture_log
+    test "updates the user email", %{conn: conn, user: user} do
+      conn =
+        put(conn, Routes.user_settings_path(conn, :update_email), %{
+          "current_password" => valid_user_password(),
+          "user" => %{"email" => unique_user_email()}
+        })
+
+      assert redirected_to(conn) == Routes.user_settings_path(conn, :edit)
+      assert get_flash(conn, :info) =~ "A link to confirm your email"
+      assert Accounts.get_user_by_email(user.email)
+    end
+
+    test "does not update email on invalid data", %{conn: conn} do
+      conn =
+        put(conn, Routes.user_settings_path(conn, :update_email), %{
+          "current_password" => "invalid",
+          "user" => %{"email" => "with spaces"}
+        })
+
+      response = html_response(conn, 200)
+      assert response =~ "<h1>Settings</h1>"
+      assert response =~ "must have the @ sign and no spaces"
+      assert response =~ "is not valid"
+    end
+  end
+
+  describe "GET /users/settings/confirm_email/:token" do
+    setup %{user: user} do
+      email = unique_user_email()
+
+      token =
+        extract_user_token(fn url ->
+          Accounts.deliver_update_email_instructions(%{user | email: email}, user.email, url)
+        end)
+
+      %{token: token, email: email}
+    end
+
+    test "updates the user email once", %{conn: conn, user: user, token: token, email: email} do
+      conn = get(conn, Routes.user_settings_path(conn, :confirm_email, token))
+      assert redirected_to(conn) == Routes.user_settings_path(conn, :edit)
+      assert get_flash(conn, :info) =~ "Email changed successfully"
+      refute Accounts.get_user_by_email(user.email)
+      assert Accounts.get_user_by_email(email)
+
+      conn = get(conn, Routes.user_settings_path(conn, :confirm_email, token))
+      assert redirected_to(conn) == Routes.user_settings_path(conn, :edit)
+      assert get_flash(conn, :error) =~ "Email change link is invalid or it has expired"
+    end
+
+    test "does not update email with invalid token", %{conn: conn, user: user} do
+      conn = get(conn, Routes.user_settings_path(conn, :confirm_email, "oops"))
+      assert redirected_to(conn) == Routes.user_settings_path(conn, :edit)
+      assert get_flash(conn, :error) =~ "Email change link is invalid or it has expired"
+      assert Accounts.get_user_by_email(user.email)
+    end
+
+    test "redirects if user is not logged in", %{token: token} do
+      conn = build_conn()
+      conn = get(conn, Routes.user_settings_path(conn, :confirm_email, token))
+      assert redirected_to(conn) == Routes.user_session_path(conn, :new)
+    end
+  end
+end
--- a/test/support/conn_case.ex
+++ b/test/support/conn_case.ex
@ -40,4 +40,30 @@ defmodule RealEstateWeb.ConnCase do

    {:ok, conn: Phoenix.ConnTest.build_conn()}
  end
+
+  @doc """
+  Setup helper that registers and logs in users.
+
+      setup :register_and_log_in_user
+
+  It stores an updated connection and a registered user in the
+  test context.
+  """
+  def register_and_log_in_user(%{conn: conn}) do
+    user = RealEstate.AccountsFixtures.user_fixture()
+    %{conn: log_in_user(conn, user), user: user}
+  end
+
+  @doc """
+  Logs the given `user` into the `conn`.
+
+  It returns an updated `conn`.
+  """
+  def log_in_user(conn, user) do
+    token = RealEstate.Accounts.generate_user_session_token(user)
+
+    conn
+    |> Phoenix.ConnTest.init_test_session(%{})
+    |> Plug.Conn.put_session(:user_token, token)
+  end
 end
--- a/test/support/fixtures/accounts_fixtures.ex
+++ b/test/support/fixtures/accounts_fixtures.ex
@ -0,0 +1,27 @@
+defmodule RealEstate.AccountsFixtures do
+  @moduledoc """
+  This module defines test helpers for creating
+  entities via the `RealEstate.Accounts` context.
+  """
+
+  def unique_user_email, do: "user#{System.unique_integer()}@example.com"
+  def valid_user_password, do: "hello world!"
+
+  def user_fixture(attrs \\ %{}) do
+    {:ok, user} =
+      attrs
+      |> Enum.into(%{
+        email: unique_user_email(),
+        password: valid_user_password()
+      })
+      |> RealEstate.Accounts.register_user()
+
+    user
+  end
+
+  def extract_user_token(fun) do
+    {:ok, captured} = fun.(&"[TOKEN]#{&1}[TOKEN]")
+    [_, token, _] = String.split(captured.body, "[TOKEN]")
+    token
+  end
+end