Updating documents

Author: andreogle

CLAUDE.md

@@ -14,6 +14,7 @@ These are the rules that must not be forgotten or looked up — they're the ones
 - Never put security codes/tokens in email **subjects** (they show on lock screens). Body only
 - On sensitive account changes (email, password, 2FA), notify the **old** email too
 - Never trust user-controlled redirect targets (e.g. `Referer`) without validating the path starts with `/`
+- Content-Security-Policy ships **strict** in prod (per-request nonce + `strict-dynamic`, via `Plugs.ContentSecurityPolicy` in the `:csp` pipeline). Add third-party origins through the `:csp_extra_sources` config — never by loosening the plug. Inline `<script>` tags must carry `@csp_nonce`. Dev-only routes (`/dev/*`) deliberately skip `:csp` so tooling (the Swoosh mailbox iframe, LiveDashboard) keeps working
 
 **Error handling**
 - Always handle both `{:ok, _}` and `{:error, _}` from context calls — never `{:ok, x} = SomeContext.foo()`
@@ -115,6 +116,7 @@ The template already includes these — extend them, don't rebuild them.
 - Email + password registration, **link-based** email confirmation and password reset (1-hour `UserToken`s; the raw token rides in the email URL, only its SHA3-256 hash is stored). Session tokens use a 60-day sliding window
 - The `User` schema is deliberately minimal: `email`, `hashed_password`, `locale`, `confirmed_at`. Add profile fields (name, avatar, …) per project — there's no `name` column yet
 - Endpoint responses don't leak which emails are registered (resend-confirmation / forgot-password reply identically either way)
+- Account settings (`SettingsController`): link-confirmed **email change** (the link hits `/settings/email/apply-change`; the old address is notified — distinct from the public `/confirm-email` account-activation route), **password change** (invalidates the user's other sessions), and **account deletion**. All three re-verify the current password first
 
 **Realtime** (`ElixirReactStarterWeb.{UserSocket, GlobalChannel, UserChannel}` + `assets/js/realtime/`)
 - Token-authed socket at `/socket`. The provider (mounted in `app-providers.tsx`) auto-joins `global` and `user:<id>` and survives Inertia navigation (keyed on user id, not the rotating token). Hooks: `useConnectionStatus`, `useGlobalChannel`, `useUserChannel`, `useChannel`, `use{Global,User}Event`, `pushChannel`

README.md

@@ -33,7 +33,7 @@ It's provided as-is, with no guarantees or warranties of any kind — use it at
 - **Theming** — light / dark / system with no flash of the wrong theme.
 - **Accessibility** — [Radix UI][radix] primitives, [Biome][biome] a11y linting in CI, and [axe-core][axe] auditing in dev.
 - **Email** — [Swoosh][swoosh] (HTML + text) via [Mailjet][mailjet] in production, with an in-browser mailbox in dev.
-- **Security** — rate-limited auth endpoints, Secure cookies, CSRF protection, and HTTPS/HSTS in production.
+- **Security** — rate-limited auth endpoints, a strict nonce-based [Content-Security-Policy][csp], Secure cookies, CSRF protection, and HTTPS/HSTS in production.
 - **Background jobs** — [Oban][oban], configured and ready.
 - **Testing** — [ExUnit][exunit] with a coverage gate, [ex_machina][exmachina] factories, and a [Playwright][playwright] E2E suite.
 - **Tooling & CI** — [mise][mise]-pinned toolchain, [Biome][biome] / [Credo][credo] / [Dialyzer][dialyxir], and [GitHub Actions][gha].
@@ -157,6 +157,7 @@ Released under the **WTFPL** (see the `LICENSE` file) — do what the fuck you w
 [react-i18next]: https://react.i18next.com/
 [tailwind]: https://tailwindcss.com/
 [radix]: https://www.radix-ui.com/primitives
+[csp]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP
 [biome]: https://biomejs.dev/
 [axe]: https://github.com/dequelabs/axe-core
 [swoosh]: https://hexdocs.pm/swoosh/

docs/e2e-testing.md

@@ -13,8 +13,15 @@ separate project.
 | Spec | Flow |
 | --- | --- |
 | `registration.spec.ts` | Sign up → confirm via the emailed link → land on the dashboard |
-| `login.spec.ts` | Log in to the dashboard; reject bad credentials with a visible error |
+| `login.spec.ts` | Log in; reject bad credentials; an unconfirmed login re-sends the confirmation link instead of starting a session |
+| `logout.spec.ts` | Log out from the header menu → protected pages bounce to `/login` |
+| `resend-confirmation.spec.ts` | Unconfirmed user requests a fresh link from `/login` → confirms |
+| `email-confirmation.spec.ts` | Re-clicking a used link keeps an already-confirmed user on the dashboard; a stale link signed out → resend page |
 | `reset-password.spec.ts` | Request a reset link → set a new password → log in with it |
+| `change-email.spec.ts` | Change email → confirm via the link to the new inbox → log in with it (+ wrong-password rejection) |
+| `change-password.spec.ts` | Change password → old one fails, new one works (+ wrong-password rejection) |
+| `delete-account.spec.ts` | Delete the account behind a password-confirm dialog → can no longer sign in (+ wrong-password rejection) |
+| `auth-guards.spec.ts` | Pipeline redirects: anonymous → `/login`, already signed-in → `/dashboard` |
 | `locale.spec.ts` | Switch the interface language (English → Spanish) |
 
 ## Prerequisites
@@ -79,9 +86,10 @@ they are unreachable in production and cannot affect real data.
 
 ### Link-based flows
 
-Authentication here is link-based, so the registration and reset specs
-read the single-click URL out of the dev mailbox JSON
-(`/dev/mailbox/json`) via `fetchEmailLink/3` and navigate to it.
+Authentication here is link-based, so the link-driven specs (sign-up,
+password reset, email change, resend confirmation) read the single-click
+URL out of the dev mailbox JSON (`/dev/mailbox/json`) via
+`fetchEmailLink/3` and navigate to it.
 
 ## Writing a new test
 
@@ -100,7 +108,7 @@ assets/
   tsconfig.e2e.json         # node-typed TS project for the suite
   e2e/
     global-setup.ts         # runs priv/repo/e2e.exs before the suite
-    helpers.ts              # uniqueEmail, provisionUser, loginAs, fetchEmailLink
+    helpers.ts              # uniqueEmail, provisionUser, loginAs, logoutViaMenu, gotoSettingsViaMenu, fetchEmailLink
     tests/                  # one spec per flow
 priv/repo/e2e.exs           # destructive per-run cleanup (dev/test only)
 lib/elixir_react_starter_web/controllers/dev_e2e_controller.ex  # POST /dev/e2e/users