ash_hq/lib/ash_hq_web/controllers/user_confirmation_controller.ex

defmodule AshHqWeb.UserConfirmationController do
  use AshHqWeb, :controller

  alias AshHq.Accounts
  require Ash.Query

  def new(conn, _params) do
    render(conn, "new.html")
  end

  def create(conn, %{"user" => %{"email" => email}}) do
    user =
      AshHq.Accounts.User
      |> Ash.Query.filter(email == ^email)
      |> AshHq.Accounts.read_one!(authorize?: false)

    if user do
      user
      |> Ash.Changeset.new()
      |> Ash.Changeset.for_update(:deliver_user_confirmation_instructions, %{
        confirmation_url_fun: &Routes.user_confirmation_url(conn, :confirm, &1)
      })
      |> Accounts.update(authorize?: false)
    end

    # Regardless of the outcome, show an impartial success/error message.
    conn
    |> put_flash(
      :info,
      "If your email is in our system and it has not been confirmed yet, " <>
        "you will receive an email with instructions shortly."
    )
    |> redirect(to: "/")
  end

  # Do not log in the user after confirmation to avoid a
  # leaked token giving the user access to the account.
  def confirm(conn, %{"token" => token}) do
    result =
      AshHq.Accounts.User
      |> Ash.Query.for_read(:with_verified_email_token, token: token, context: "confirm")
      |> AshHq.Accounts.read_one!(authorize?: false)
      |> case do
        nil ->
          :error

        user ->
          user
          |> Ash.Changeset.new()
          |> Ash.Changeset.for_update(:confirm, %{delete_confirm_tokens: true, token: token})
          |> AshHq.Accounts.update(authorize?: false)
      end

    case result do
      {:ok, _} ->
        conn
        |> put_flash(:info, "Account confirmed successfully.")
        |> redirect(to: "/")

      :error ->
        # If there is a current user and the account was already confirmed,
        # then odds are that the confirmation link was already visited, either
        # by some automation or by the user themselves, so we redirect without
        # a warning message.
        case conn.assigns do
          %{current_user: %{confirmed_at: confirmed_at}} when not is_nil(confirmed_at) ->
            redirect(conn, to: "/")

          %{} ->
            conn
            |> put_flash(:error, "Account confirmation link is invalid or it has expired.")
            |> redirect(to: "/")
        end
    end
  end
end
improvement: copy over example with auth to ash-hq 2022-08-06 14:08:23 +12:00			`defmodule AshHqWeb.UserConfirmationController do`
			`use AshHqWeb, :controller`

			`alias AshHq.Accounts`
			`require Ash.Query`

			`def new(conn, _params) do`
			`render(conn, "new.html")`
			`end`

			`def create(conn, %{"user" => %{"email" => email}}) do`
			`user =`
			`AshHq.Accounts.User`
			`\|> Ash.Query.filter(email == ^email)`
improvement: turn of csp improvement: add authorization to accounts 2022-08-07 17:07:06 +12:00			`\|> AshHq.Accounts.read_one!(authorize?: false)`
improvement: copy over example with auth to ash-hq 2022-08-06 14:08:23 +12:00
			`if user do`
			`user`
			`\|> Ash.Changeset.new()`
			`\|> Ash.Changeset.for_update(:deliver_user_confirmation_instructions, %{`
			`confirmation_url_fun: &Routes.user_confirmation_url(conn, :confirm, &1)`
			`})`
improvement: turn of csp improvement: add authorization to accounts 2022-08-07 17:07:06 +12:00			`\|> Accounts.update(authorize?: false)`
improvement: copy over example with auth to ash-hq 2022-08-06 14:08:23 +12:00			`end`

			`# Regardless of the outcome, show an impartial success/error message.`
			`conn`
			`\|> put_flash(`
			`:info,`
			`"If your email is in our system and it has not been confirmed yet, " <>`
			`"you will receive an email with instructions shortly."`
			`)`
			`\|> redirect(to: "/")`
			`end`

			`# Do not log in the user after confirmation to avoid a`
			`# leaked token giving the user access to the account.`
			`def confirm(conn, %{"token" => token}) do`
			`result =`
			`AshHq.Accounts.User`
			`\|> Ash.Query.for_read(:with_verified_email_token, token: token, context: "confirm")`
improvement: turn of csp improvement: add authorization to accounts 2022-08-07 17:07:06 +12:00			`\|> AshHq.Accounts.read_one!(authorize?: false)`
improvement: copy over example with auth to ash-hq 2022-08-06 14:08:23 +12:00			`\|> case do`
			`nil ->`
			`:error`

			`user ->`
			`user`
			`\|> Ash.Changeset.new()`
			`\|> Ash.Changeset.for_update(:confirm, %{delete_confirm_tokens: true, token: token})`
improvement: turn of csp improvement: add authorization to accounts 2022-08-07 17:07:06 +12:00			`\|> AshHq.Accounts.update(authorize?: false)`
improvement: copy over example with auth to ash-hq 2022-08-06 14:08:23 +12:00			`end`

			`case result do`
			`{:ok, _} ->`
			`conn`
			`\|> put_flash(:info, "Account confirmed successfully.")`
			`\|> redirect(to: "/")`

			`:error ->`
			`# If there is a current user and the account was already confirmed,`
			`# then odds are that the confirmation link was already visited, either`
			`# by some automation or by the user themselves, so we redirect without`
			`# a warning message.`
			`case conn.assigns do`
			`%{current_user: %{confirmed_at: confirmed_at}} when not is_nil(confirmed_at) ->`
			`redirect(conn, to: "/")`

			`%{} ->`
			`conn`
			`\|> put_flash(:error, "Account confirmation link is invalid or it has expired.")`
			`\|> redirect(to: "/")`
			`end`
			`end`
			`end`
			`end`