Add scheduled publishing release note blog post

Includes 7 screenshots demonstrating date filtering, status
banners, editor dashboard, and registration gating.

.beads/.gitignore

@@ -0,0 +1,44 @@
+# SQLite databases
+*.db
+*.db?*
+*.db-journal
+*.db-wal
+*.db-shm
+
+# Daemon runtime files
+daemon.lock
+daemon.log
+daemon.pid
+bd.sock
+sync-state.json
+last-touched
+
+# Local version tracking (prevents upgrade notification spam after git ops)
+.local_version
+
+# Legacy database files
+db.sqlite
+bd.db
+
+# Worktree redirect file (contains relative path to main repo's .beads/)
+# Must not be committed as paths would be wrong in other clones
+redirect
+
+# Merge artifacts (temporary files from 3-way merge)
+beads.base.jsonl
+beads.base.meta.json
+beads.left.jsonl
+beads.left.meta.json
+beads.right.jsonl
+beads.right.meta.json
+
+# Sync state (local-only, per-machine)
+# These files are machine-specific and should not be shared across clones
+.sync.lock
+sync_base.jsonl
+
+# NOTE: Do NOT add negation patterns (e.g., !issues.jsonl) here.
+# They would override fork protection in .git/info/exclude, allowing
+# contributors to accidentally commit upstream issue databases.
+# The JSONL files (issues.jsonl, interactions.jsonl) and config files
+# are tracked by git by default since no pattern above ignores them.

.beads/README.md

@@ -0,0 +1,81 @@
+# Beads - AI-Native Issue Tracking
+
+Welcome to Beads! This repository uses **Beads** for issue tracking - a modern, AI-native tool designed to live directly in your codebase alongside your code.
+
+## What is Beads?
+
+Beads is issue tracking that lives in your repo, making it perfect for AI coding agents and developers who want their issues close to their code. No web UI required - everything works through the CLI and integrates seamlessly with git.
+
+**Learn more:** [github.com/steveyegge/beads](https://github.com/steveyegge/beads)
+
+## Quick Start
+
+### Essential Commands
+
+```bash
+# Create new issues
+bd create "Add user authentication"
+
+# View all issues
+bd list
+
+# View issue details
+bd show <issue-id>
+
+# Update issue status
+bd update <issue-id> --status in_progress
+bd update <issue-id> --status done
+
+# Sync with git remote
+bd sync
+```
+
+### Working with Issues
+
+Issues in Beads are:
+- **Git-native**: Stored in `.beads/issues.jsonl` and synced like code
+- **AI-friendly**: CLI-first design works perfectly with AI coding agents
+- **Branch-aware**: Issues can follow your branch workflow
+- **Always in sync**: Auto-syncs with your commits
+
+## Why Beads?
+
+✨ **AI-Native Design**
+- Built specifically for AI-assisted development workflows
+- CLI-first interface works seamlessly with AI coding agents
+- No context switching to web UIs
+
+🚀 **Developer Focused**
+- Issues live in your repo, right next to your code
+- Works offline, syncs when you push
+- Fast, lightweight, and stays out of your way
+
+🔧 **Git Integration**
+- Automatic sync with git commits
+- Branch-aware issue tracking
+- Intelligent JSONL merge resolution
+
+## Get Started with Beads
+
+Try Beads in your own projects:
+
+```bash
+# Install Beads
+curl -sSL https://raw.githubusercontent.com/steveyegge/beads/main/scripts/install.sh | bash
+
+# Initialize in your repo
+bd init
+
+# Create your first issue
+bd create "Try out Beads"
+```
+
+## Learn More
+
+- **Documentation**: [github.com/steveyegge/beads/docs](https://github.com/steveyegge/beads/tree/main/docs)
+- **Quick Start Guide**: Run `bd quickstart`
+- **Examples**: [github.com/steveyegge/beads/examples](https://github.com/steveyegge/beads/tree/main/examples)
+
+---
+
+*Beads: Issue tracking that moves at the speed of thought* ⚡

.beads/config.yaml

@@ -0,0 +1,62 @@
+# Beads Configuration File
+# This file configures default behavior for all bd commands in this repository
+# All settings can also be set via environment variables (BD_* prefix)
+# or overridden with command-line flags
+
+# Issue prefix for this repository (used by bd init)
+# If not set, bd init will auto-detect from directory name
+# Example: issue-prefix: "myproject" creates issues like "myproject-1", "myproject-2", etc.
+# issue-prefix: ""
+
+# Use no-db mode: load from JSONL, no SQLite, write back after each command
+# When true, bd will use .beads/issues.jsonl as the source of truth
+# instead of SQLite database
+# no-db: false
+
+# Disable daemon for RPC communication (forces direct database access)
+# no-daemon: false
+
+# Disable auto-flush of database to JSONL after mutations
+# no-auto-flush: false
+
+# Disable auto-import from JSONL when it's newer than database
+# no-auto-import: false
+
+# Enable JSON output by default
+# json: false
+
+# Default actor for audit trails (overridden by BD_ACTOR or --actor)
+# actor: ""
+
+# Path to database (overridden by BEADS_DB or --db)
+# db: ""
+
+# Auto-start daemon if not running (can also use BEADS_AUTO_START_DAEMON)
+# auto-start-daemon: true
+
+# Debounce interval for auto-flush (can also use BEADS_FLUSH_DEBOUNCE)
+# flush-debounce: "5s"
+
+# Git branch for beads commits (bd sync will commit to this branch)
+# IMPORTANT: Set this for team projects so all clones use the same sync branch.
+# This setting persists across clones (unlike database config which is gitignored).
+# Can also use BEADS_SYNC_BRANCH env var for local override.
+# If not set, bd sync will require you to run 'bd config set sync.branch <branch>'.
+# sync-branch: "beads-sync"
+
+# Multi-repo configuration (experimental - bd-307)
+# Allows hydrating from multiple repositories and routing writes to the correct JSONL
+# repos:
+#   primary: "."  # Primary repo (where this database lives)
+#   additional:   # Additional repos to hydrate from (read-only)
+#     - ~/beads-planning  # Personal planning repo
+#     - ~/work-planning   # Work planning repo
+
+# Integration settings (access with 'bd config get/set')
+# These are stored in the database, not in this file:
+# - jira.url
+# - jira.project
+# - linear.url
+# - linear.api-key
+# - github.org
+# - github.repo

.beads/issues.jsonl

@@ -0,0 +1,12 @@
+{"id":"firehose-1h8","title":"Verify feeds exclude future-dated posts","description":"## Context\nRSS/Atom feeds call blog.all_posts() which should now filter by date (from Step 1).\nAdd explicit tests confirming feeds exclude future-dated published posts.\n\n## Scope\n- blogex/test/blogex/feed_test.exs\n\n## TDD\nRED: Test RSS and Atom feeds exclude future-dated published posts\nGREEN: Should already pass from Step 1 changes\nREFACTOR: None","status":"closed","priority":2,"issue_type":"task","owner":"willem+gitea@livingsoftware.co.uk","created_at":"2026-04-01T20:07:16.213785081Z","created_by":"Willem van den Ende","updated_at":"2026-04-01T20:38:37.480901856Z","closed_at":"2026-04-01T20:38:37.480901856Z","close_reason":"Closed","dependencies":[{"issue_id":"firehose-1h8","depends_on_id":"firehose-2wc","type":"blocks","created_at":"2026-04-01T20:07:52.701493058Z","created_by":"Willem van den Ende"}]}
+{"id":"firehose-1x3","title":"Make get_post/get_post! search all compiled posts (unfiltered)","description":"## Context\nget_post/1 and get_post!/1 currently search all_posts() (filtered). Change to search @posts (unfiltered)\nso direct URL access works for draft and scheduled posts. Enables preview links for reviewers.\n\n## Scope\n- blogex/lib/blogex/blog.ex: get_post/1, get_post!/1\n- blogex/test/support/fake_blog.ex: get_post/1, get_post!/1\n- blogex/test/blogex/blog_test.exs: update existing tests, add new ones\n\n## TDD\nRED: Test get_post! returns future-dated post, get_post returns draft post\nGREEN: Search @posts instead of all_posts()\nREFACTOR: Update existing test that expects get_post!(\"draft-post\") to raise","status":"closed","priority":2,"issue_type":"task","owner":"willem+gitea@livingsoftware.co.uk","created_at":"2026-04-01T20:07:04.676875214Z","created_by":"Willem van den Ende","updated_at":"2026-04-01T20:39:26.605057721Z","closed_at":"2026-04-01T20:39:26.605057721Z","close_reason":"Closed","dependencies":[{"issue_id":"firehose-1x3","depends_on_id":"firehose-2wc","type":"blocks","created_at":"2026-04-01T20:07:52.666577397Z","created_by":"Willem van den Ende"}]}
+{"id":"firehose-2wc","title":"Add date filtering to Blogex all_posts/0","description":"## Context\nall_posts() in blogex/lib/blogex/blog.ex (line 77-83) currently filters by `published` boolean only.\nAdd `date \u003c= Date.utc_today()` filter so future-dated posts are hidden from public views.\n\n## Scope\n- blogex/lib/blogex/blog.ex: all_posts/0\n- blogex/test/support/fake_blog.ex: all_posts/0\n- blogex/test/blogex/blog_test.exs: new tests\n- blogex/test/support/setup.ex: add future-dated post to default_posts\n\n## TDD\nRED: Test that future-dated published post is excluded from all_posts, posts_by_tag, recent_posts, all_tags\nGREEN: Add date filter after published filter\nREFACTOR: Extract filtering predicate if duplicated","status":"closed","priority":2,"issue_type":"task","owner":"willem+gitea@livingsoftware.co.uk","created_at":"2026-04-01T20:06:54.303723951Z","created_by":"Willem van den Ende","updated_at":"2026-04-01T20:31:20.372076738Z","closed_at":"2026-04-01T20:31:20.372076738Z","close_reason":"Closed"}
+{"id":"firehose-4nq","title":"Add post visibility and days_until_live helpers","description":"## Context\nDashboard and status banners need to compute post visibility (draft/scheduled/live)\nand days until a scheduled post goes live.\n\n## Scope\n- blogex/lib/blogex/post.ex: add visibility/1 and days_until_live/1\n- blogex/test/blogex/post_test.exs: new tests\n\n## TDD\nRED: Test visibility returns :draft/:scheduled/:live correctly, days_until_live returns integer or nil\nGREEN: Implement functions\nREFACTOR: None","status":"closed","priority":2,"issue_type":"task","owner":"willem+gitea@livingsoftware.co.uk","created_at":"2026-04-01T20:07:44.5973142Z","created_by":"Willem van den Ende","updated_at":"2026-04-01T20:24:39.851993851Z","closed_at":"2026-04-01T20:24:39.851993851Z","close_reason":"Closed"}
+{"id":"firehose-4yh","title":"Create LiveView editor dashboard","description":"## Context\nLiveView at /editor/dashboard behind auth. Two tabs: drafts and scheduled.\nUnified timeline across all blogs. Scheduled posts show \"X days until live\".\nLinks to post show page.\n\n## Scope\n- app/lib/firehose_web/live/editor_dashboard_live.ex\n- app/lib/firehose_web/router.ex: add /editor scope\n- app/test/firehose_web/live/editor_dashboard_live_test.exs\n\n## TDD\nRED: Unauth redirected, auth sees dashboard, drafts tab, scheduled tab with countdown, links work\nGREEN: Implement LiveView, add route\nREFACTOR: Extract tab component if markup duplicated","status":"closed","priority":2,"issue_type":"task","owner":"willem+gitea@livingsoftware.co.uk","created_at":"2026-04-01T20:07:44.673871753Z","created_by":"Willem van den Ende","updated_at":"2026-04-01T21:42:49.026878069Z","closed_at":"2026-04-01T21:42:49.026878069Z","close_reason":"Closed","dependencies":[{"issue_id":"firehose-4yh","depends_on_id":"firehose-4nq","type":"blocks","created_at":"2026-04-01T20:08:01.570736282Z","created_by":"Willem van den Ende"},{"issue_id":"firehose-4yh","depends_on_id":"firehose-ai8","type":"blocks","created_at":"2026-04-01T20:08:01.597663464Z","created_by":"Willem van den Ende"},{"issue_id":"firehose-4yh","depends_on_id":"firehose-dhh","type":"blocks","created_at":"2026-04-01T20:08:01.625180883Z","created_by":"Willem van den Ende"}]}
+{"id":"firehose-8zg","title":"Gate registration to ALLOWED_REGISTRATION_EMAIL","description":"## Context\nRegistration must be restricted to a single email from env var.\nUnset = disabled. Wrong email = \"registration is invite only.\"\n\n## Scope\n- app/config/runtime.exs: read ALLOWED_REGISTRATION_EMAIL\n- app/config/test.exs: set test value\n- Registration controller or Accounts context: add validation\n- Registration tests: add gating tests\n\n## TDD\nRED: Registration succeeds for matching email, fails for non-matching, fails when unset\nGREEN: Add config reading + validation check\nREFACTOR: None","status":"closed","priority":2,"issue_type":"task","owner":"willem+gitea@livingsoftware.co.uk","created_at":"2026-04-01T20:07:28.051938506Z","created_by":"Willem van den Ende","updated_at":"2026-04-01T21:39:21.420987916Z","closed_at":"2026-04-01T21:39:21.420987916Z","close_reason":"Closed","dependencies":[{"issue_id":"firehose-8zg","depends_on_id":"firehose-dhh","type":"blocks","created_at":"2026-04-01T20:08:01.502562336Z","created_by":"Willem van den Ende"}]}
+{"id":"firehose-ai8","title":"Add unfiltered post access for dashboard","description":"## Context\nDashboard needs access to all posts including drafts and future-dated.\nAdd unfiltered_posts/0 to Blog macro and all_posts_unfiltered/0 to Registry.\n\n## Scope\n- blogex/lib/blogex/blog.ex: add unfiltered_posts/0\n- blogex/lib/blogex/registry.ex: add all_posts_unfiltered/0\n- blogex/test/support/fake_blog.ex: add unfiltered_posts/0\n- blogex/test/blogex/registry_test.exs: new tests\n\n## TDD\nRED: Test unfiltered returns all posts including drafts and future-dated\nGREEN: Implement functions\nREFACTOR: None","status":"closed","priority":2,"issue_type":"task","owner":"willem+gitea@livingsoftware.co.uk","created_at":"2026-04-01T20:07:44.63593107Z","created_by":"Willem van den Ende","updated_at":"2026-04-01T20:31:20.37549839Z","closed_at":"2026-04-01T20:31:20.37549839Z","close_reason":"Closed"}
+{"id":"firehose-apw","title":"Add integration tests for scheduled post filtering in Phoenix","description":"## Context\nPhoenix blog controller tests need to verify date filtering works end-to-end.\nMay need a far-future markdown test fixture (2099/01-01-future-post.md).\n\n## Scope\n- app/test/firehose_web/controllers/blog_test.exs\n- app/priv/blog/engineering/2099/01-01-future-post.md (test fixture)\n\n## TDD\nRED: Blog index hides future post, show page returns it, tag page excludes it\nGREEN: Should pass from Blogex changes\nREFACTOR: None","status":"closed","priority":2,"issue_type":"task","owner":"willem+gitea@livingsoftware.co.uk","created_at":"2026-04-01T20:07:16.294363414Z","created_by":"Willem van den Ende","updated_at":"2026-04-01T21:47:19.881106002Z","closed_at":"2026-04-01T21:47:19.881106002Z","close_reason":"Closed","dependencies":[{"issue_id":"firehose-apw","depends_on_id":"firehose-2wc","type":"blocks","created_at":"2026-04-01T20:07:52.797645635Z","created_by":"Willem van den Ende"},{"issue_id":"firehose-apw","depends_on_id":"firehose-1x3","type":"blocks","created_at":"2026-04-01T20:07:52.829112074Z","created_by":"Willem van den Ende"}]}
+{"id":"firehose-dhh","title":"Run mix phx.gen.auth and configure","description":"## Context\nNo auth exists. Run mix phx.gen.auth Accounts User users.\nRemove auth links from public nav (login/registration are hidden URLs).\n\n## Scope\n- Generated files in app/lib/firehose/accounts/, app/lib/firehose_web/\n- app/lib/firehose_web/router.ex\n- Layout files (root.html.heex, app.html.heex) — remove injected auth links\n\n## TDD\nRED: Generated tests should pass\nGREEN: Run generator, migrate, verify\nREFACTOR: Remove auth links from public navigation","status":"closed","priority":2,"issue_type":"task","owner":"willem+gitea@livingsoftware.co.uk","created_at":"2026-04-01T20:07:28.010843844Z","created_by":"Willem van den Ende","updated_at":"2026-04-01T20:31:20.37861782Z","closed_at":"2026-04-01T20:31:20.37861782Z","close_reason":"Closed"}
+{"id":"firehose-pp3","title":"Seed demo user in dev","description":"## Context\nSeed demo@example.com / password123 in dev environment only.\nUse Accounts context from phx.gen.auth.\n\n## Scope\n- app/priv/repo/seeds.exs\n\n## TDD\nTrivial — manual verification","status":"closed","priority":2,"issue_type":"task","owner":"willem+gitea@livingsoftware.co.uk","created_at":"2026-04-01T20:07:28.091149857Z","created_by":"Willem van den Ende","updated_at":"2026-04-01T21:37:09.561290121Z","closed_at":"2026-04-01T21:37:09.561290121Z","close_reason":"Closed","dependencies":[{"issue_id":"firehose-pp3","depends_on_id":"firehose-dhh","type":"blocks","created_at":"2026-04-01T20:08:01.537294098Z","created_by":"Willem van den Ende"}]}
+{"id":"firehose-ra3","title":"Show draft/scheduled status banners for authenticated users","description":"## Context\nWhen authenticated user views a draft or scheduled post via direct URL,\nshow a banner: \"Draft — not published\" or \"This post is scheduled for {date}\".\nUnauthenticated users see no banner.\n\n## Scope\n- app/lib/firehose_web/controllers/blog_controller.ex: pass visibility to template\n- app/lib/firehose_web/controllers/blog_html/show.html.heex: conditional banner\n- app/test/firehose_web/controllers/blog_test.exs: banner tests\n\n## TDD\nRED: Auth user sees banner on draft/scheduled, no banner on live, unauth sees no banner\nGREEN: Compute visibility, pass to template, render conditionally\nREFACTOR: Extract banner component if reusable","status":"closed","priority":2,"issue_type":"task","owner":"willem+gitea@livingsoftware.co.uk","created_at":"2026-04-01T20:07:44.713739919Z","created_by":"Willem van den Ende","updated_at":"2026-04-01T21:40:21.809364236Z","closed_at":"2026-04-01T21:40:21.809364236Z","close_reason":"Closed","dependencies":[{"issue_id":"firehose-ra3","depends_on_id":"firehose-4nq","type":"blocks","created_at":"2026-04-01T20:08:01.660225195Z","created_by":"Willem van den Ende"},{"issue_id":"firehose-ra3","depends_on_id":"firehose-dhh","type":"blocks","created_at":"2026-04-01T20:08:01.696919105Z","created_by":"Willem van den Ende"}]}
+{"id":"firehose-vyw","title":"Verify router respects date filtering","description":"## Context\nBlogex.Router index, tag, and feed routes use all_posts()/posts_by_tag() (now filtered).\nThe /:slug route uses get_post() (now unfiltered). Add tests confirming correct behaviour.\n\n## Scope\n- blogex/test/blogex/router_test.exs\n\n## TDD\nRED: Test GET / excludes future posts, GET /tag/:tag excludes, GET /:slug returns future post\nGREEN: Should pass from Steps 1-2\nREFACTOR: None","status":"closed","priority":2,"issue_type":"task","owner":"willem+gitea@livingsoftware.co.uk","created_at":"2026-04-01T20:07:16.253169962Z","created_by":"Willem van den Ende","updated_at":"2026-04-01T21:47:19.87799142Z","closed_at":"2026-04-01T21:47:19.87799142Z","close_reason":"Closed","dependencies":[{"issue_id":"firehose-vyw","depends_on_id":"firehose-2wc","type":"blocks","created_at":"2026-04-01T20:07:52.73739353Z","created_by":"Willem van den Ende"},{"issue_id":"firehose-vyw","depends_on_id":"firehose-1x3","type":"blocks","created_at":"2026-04-01T20:07:52.770379034Z","created_by":"Willem van den Ende"}]}

.beads/metadata.json

@@ -0,0 +1,4 @@
+{
+  "database": "beads.db",
+  "jsonl_export": "issues.jsonl"
+}

app/AGENTS.md

@@ -44,6 +44,37 @@ custom classes must fully style the input
 - Focus on **delightful details** like hover effects, loading states, and smooth page transitions
 
 
+<!-- phoenix-gen-auth-start -->
+## Authentication
+
+- **Always** handle authentication flow at the router level with proper redirects
+- **Always** be mindful of where to place routes. `phx.gen.auth` creates multiple router plugs:
+  - A plug `:fetch_current_scope_for_user` that is included in the default browser pipeline
+  - A plug `:require_authenticated_user` that redirects to the log in page when the user is not authenticated
+  - In both cases, a `@current_scope` is assigned to the Plug connection
+  - A plug `redirect_if_user_is_authenticated` that redirects to a default path in case the user is authenticated - useful for a registration page that should only be shown to unauthenticated users
+- **Always let the user know in which router scopes and pipeline you are placing the route, AND SAY WHY**
+- `phx.gen.auth` assigns the `current_scope` assign - it **does not assign a `current_user` assign**
+- Always pass the assign `current_scope` to context modules as first argument. When performing queries, use `current_scope.user` to filter the query results
+- To derive/access `current_user` in templates, **always use the `@current_scope.user`**, never use **`@current_user`** in templates
+- Anytime you hit `current_scope` errors or the logged in session isn't displaying the right content, **always double check the router and ensure you are using the correct plug as described below**
+
+### Routes that require authentication
+
+Controller routes must be placed in a scope that sets the `:require_authenticated_user` plug:
+
+    scope "/", AppWeb do
+      pipe_through [:browser, :require_authenticated_user]
+
+      get "/", MyControllerThatRequiresAuth, :index
+    end
+
+### Routes that work with or without authentication
+
+Controllers automatically have the `current_scope` available if they use the `:browser` pipeline.
+
+<!-- phoenix-gen-auth-end -->
+
 <!-- usage-rules-start -->
 
 <!-- phoenix:elixir-start -->

app/config/config.exs

@@ -7,6 +7,19 @@
 # General application configuration
 import Config
 
+config :firehose, :scopes,
+  user: [
+    default: true,
+    module: Firehose.Accounts.Scope,
+    assign_key: :current_scope,
+    access_path: [:user, :id],
+    schema_key: :user_id,
+    schema_type: :id,
+    schema_table: :users,
+    test_data_fixture: Firehose.AccountsFixtures,
+    test_setup_helper: :register_and_log_in_user
+  ]
+
 config :firehose,
   ecto_repos: [Firehose.Repo],
   generators: [timestamp_type: :utc_datetime]

app/config/runtime.exs

@@ -20,6 +20,8 @@ if System.get_env("PHX_SERVER") do
   config :firehose, FirehoseWeb.Endpoint, server: true
 end
 
+config :firehose, :allowed_registration_email, System.get_env("ALLOWED_REGISTRATION_EMAIL")
+
 if config_env() == :prod do
   database_url =
     System.get_env("DATABASE_URL") ||

app/config/test.exs

@@ -1,5 +1,8 @@
 import Config
 
+# Only in tests, remove the complexity from the password hashing algorithm
+config :bcrypt_elixir, :log_rounds, 1
+
 # Configure your database
 #
 # The MIX_TEST_PARTITION environment variable can be used
@@ -35,3 +38,5 @@ config :phoenix, :plug_init_mode, :runtime
 # Enable helpful, but potentially expensive runtime checks
 config :phoenix_live_view,
   enable_expensive_runtime_checks: true
+
+config :firehose, :allowed_registration_email, nil

app/lib/firehose/accounts.ex

@@ -0,0 +1,297 @@
+defmodule Firehose.Accounts do
+  @moduledoc """
+  The Accounts context.
+  """
+
+  import Ecto.Query, warn: false
+  alias Firehose.Repo
+
+  alias Firehose.Accounts.{User, UserToken, UserNotifier}
+
+  ## Database getters
+
+  @doc """
+  Gets a user by email.
+
+  ## Examples
+
+      iex> get_user_by_email("foo@example.com")
+      %User{}
+
+      iex> get_user_by_email("unknown@example.com")
+      nil
+
+  """
+  def get_user_by_email(email) when is_binary(email) do
+    Repo.get_by(User, email: email)
+  end
+
+  @doc """
+  Gets a user by email and password.
+
+  ## Examples
+
+      iex> get_user_by_email_and_password("foo@example.com", "correct_password")
+      %User{}
+
+      iex> get_user_by_email_and_password("foo@example.com", "invalid_password")
+      nil
+
+  """
+  def get_user_by_email_and_password(email, password)
+      when is_binary(email) and is_binary(password) do
+    user = Repo.get_by(User, email: email)
+    if User.valid_password?(user, password), do: user
+  end
+
+  @doc """
+  Gets a single user.
+
+  Raises `Ecto.NoResultsError` if the User does not exist.
+
+  ## Examples
+
+      iex> get_user!(123)
+      %User{}
+
+      iex> get_user!(456)
+      ** (Ecto.NoResultsError)
+
+  """
+  def get_user!(id), do: Repo.get!(User, id)
+
+  ## User registration
+
+  @doc """
+  Registers a user.
+
+  ## Examples
+
+      iex> register_user(%{field: value})
+      {:ok, %User{}}
+
+      iex> register_user(%{field: bad_value})
+      {:error, %Ecto.Changeset{}}
+
+  """
+  def register_user(attrs) do
+    %User{}
+    |> User.email_changeset(attrs)
+    |> Repo.insert()
+  end
+
+  ## Settings
+
+  @doc """
+  Checks whether the user is in sudo mode.
+
+  The user is in sudo mode when the last authentication was done no further
+  than 20 minutes ago. The limit can be given as second argument in minutes.
+  """
+  def sudo_mode?(user, minutes \\ -20)
+
+  def sudo_mode?(%User{authenticated_at: ts}, minutes) when is_struct(ts, DateTime) do
+    DateTime.after?(ts, DateTime.utc_now() |> DateTime.add(minutes, :minute))
+  end
+
+  def sudo_mode?(_user, _minutes), do: false
+
+  @doc """
+  Returns an `%Ecto.Changeset{}` for changing the user email.
+
+  See `Firehose.Accounts.User.email_changeset/3` for a list of supported options.
+
+  ## Examples
+
+      iex> change_user_email(user)
+      %Ecto.Changeset{data: %User{}}
+
+  """
+  def change_user_email(user, attrs \\ %{}, opts \\ []) do
+    User.email_changeset(user, attrs, opts)
+  end
+
+  @doc """
+  Updates the user email using the given token.
+
+  If the token matches, the user email is updated and the token is deleted.
+  """
+  def update_user_email(user, token) do
+    context = "change:#{user.email}"
+
+    Repo.transact(fn ->
+      with {:ok, query} <- UserToken.verify_change_email_token_query(token, context),
+           %UserToken{sent_to: email} <- Repo.one(query),
+           {:ok, user} <- Repo.update(User.email_changeset(user, %{email: email})),
+           {_count, _result} <-
+             Repo.delete_all(from(UserToken, where: [user_id: ^user.id, context: ^context])) do
+        {:ok, user}
+      else
+        _ -> {:error, :transaction_aborted}
+      end
+    end)
+  end
+
+  @doc """
+  Returns an `%Ecto.Changeset{}` for changing the user password.
+
+  See `Firehose.Accounts.User.password_changeset/3` for a list of supported options.
+
+  ## Examples
+
+      iex> change_user_password(user)
+      %Ecto.Changeset{data: %User{}}
+
+  """
+  def change_user_password(user, attrs \\ %{}, opts \\ []) do
+    User.password_changeset(user, attrs, opts)
+  end
+
+  @doc """
+  Updates the user password.
+
+  Returns a tuple with the updated user, as well as a list of expired tokens.
+
+  ## Examples
+
+      iex> update_user_password(user, %{password: ...})
+      {:ok, {%User{}, [...]}}
+
+      iex> update_user_password(user, %{password: "too short"})
+      {:error, %Ecto.Changeset{}}
+
+  """
+  def update_user_password(user, attrs) do
+    user
+    |> User.password_changeset(attrs)
+    |> update_user_and_delete_all_tokens()
+  end
+
+  ## Session
+
+  @doc """
+  Generates a session token.
+  """
+  def generate_user_session_token(user) do
+    {token, user_token} = UserToken.build_session_token(user)
+    Repo.insert!(user_token)
+    token
+  end
+
+  @doc """
+  Gets the user with the given signed token.
+
+  If the token is valid `{user, token_inserted_at}` is returned, otherwise `nil` is returned.
+  """
+  def get_user_by_session_token(token) do
+    {:ok, query} = UserToken.verify_session_token_query(token)
+    Repo.one(query)
+  end
+
+  @doc """
+  Gets the user with the given magic link token.
+  """
+  def get_user_by_magic_link_token(token) do
+    with {:ok, query} <- UserToken.verify_magic_link_token_query(token),
+         {user, _token} <- Repo.one(query) do
+      user
+    else
+      _ -> nil
+    end
+  end
+
+  @doc """
+  Logs the user in by magic link.
+
+  There are three cases to consider:
+
+  1. The user has already confirmed their email. They are logged in
+     and the magic link is expired.
+
+  2. The user has not confirmed their email and no password is set.
+     In this case, the user gets confirmed, logged in, and all tokens -
+     including session ones - are expired. In theory, no other tokens
+     exist but we delete all of them for best security practices.
+
+  3. The user has not confirmed their email but a password is set.
+     This cannot happen in the default implementation but may be the
+     source of security pitfalls. See the "Mixing magic link and password registration" section of
+     `mix help phx.gen.auth`.
+  """
+  def login_user_by_magic_link(token) do
+    {:ok, query} = UserToken.verify_magic_link_token_query(token)
+
+    case Repo.one(query) do
+      # Prevent session fixation attacks by disallowing magic links for unconfirmed users with password
+      {%User{confirmed_at: nil, hashed_password: hash}, _token} when not is_nil(hash) ->
+        raise """
+        magic link log in is not allowed for unconfirmed users with a password set!
+
+        This cannot happen with the default implementation, which indicates that you
+        might have adapted the code to a different use case. Please make sure to read the
+        "Mixing magic link and password registration" section of `mix help phx.gen.auth`.
+        """
+
+      {%User{confirmed_at: nil} = user, _token} ->
+        user
+        |> User.confirm_changeset()
+        |> update_user_and_delete_all_tokens()
+
+      {user, token} ->
+        Repo.delete!(token)
+        {:ok, {user, []}}
+
+      nil ->
+        {:error, :not_found}
+    end
+  end
+
+  @doc ~S"""
+  Delivers the update email instructions to the given user.
+
+  ## Examples
+
+      iex> deliver_user_update_email_instructions(user, current_email, &url(~p"/users/settings/confirm-email/#{&1}"))
+      {:ok, %{to: ..., body: ...}}
+
+  """
+  def deliver_user_update_email_instructions(%User{} = user, current_email, update_email_url_fun)
+      when is_function(update_email_url_fun, 1) do
+    {encoded_token, user_token} = UserToken.build_email_token(user, "change:#{current_email}")
+
+    Repo.insert!(user_token)
+    UserNotifier.deliver_update_email_instructions(user, update_email_url_fun.(encoded_token))
+  end
+
+  @doc """
+  Delivers the magic link login instructions to the given user.
+  """
+  def deliver_login_instructions(%User{} = user, magic_link_url_fun)
+      when is_function(magic_link_url_fun, 1) do
+    {encoded_token, user_token} = UserToken.build_email_token(user, "login")
+    Repo.insert!(user_token)
+    UserNotifier.deliver_login_instructions(user, magic_link_url_fun.(encoded_token))
+  end
+
+  @doc """
+  Deletes the signed token with the given context.
+  """
+  def delete_user_session_token(token) do
+    Repo.delete_all(from(UserToken, where: [token: ^token, context: "session"]))
+    :ok
+  end
+
+  ## Token helper
+
+  defp update_user_and_delete_all_tokens(changeset) do
+    Repo.transact(fn ->
+      with {:ok, user} <- Repo.update(changeset) do
+        tokens_to_expire = Repo.all_by(UserToken, user_id: user.id)
+
+        Repo.delete_all(from(t in UserToken, where: t.id in ^Enum.map(tokens_to_expire, & &1.id)))
+
+        {:ok, {user, tokens_to_expire}}
+      end
+    end)
+  end
+end

app/lib/firehose/accounts/scope.ex

@@ -0,0 +1,33 @@
+defmodule Firehose.Accounts.Scope do
+  @moduledoc """
+  Defines the scope of the caller to be used throughout the app.
+
+  The `Firehose.Accounts.Scope` allows public interfaces to receive
+  information about the caller, such as if the call is initiated from an
+  end-user, and if so, which user. Additionally, such a scope can carry fields
+  such as "super user" or other privileges for use as authorization, or to
+  ensure specific code paths can only be access for a given scope.
+
+  It is useful for logging as well as for scoping pubsub subscriptions and
+  broadcasts when a caller subscribes to an interface or performs a particular
+  action.
+
+  Feel free to extend the fields on this struct to fit the needs of
+  growing application requirements.
+  """
+
+  alias Firehose.Accounts.User
+
+  defstruct user: nil
+
+  @doc """
+  Creates a scope for the given user.
+
+  Returns nil if no user is given.
+  """
+  def for_user(%User{} = user) do
+    %__MODULE__{user: user}
+  end
+
+  def for_user(nil), do: nil
+end

app/lib/firehose/accounts/user.ex

@@ -0,0 +1,132 @@
+defmodule Firehose.Accounts.User do
+  use Ecto.Schema
+  import Ecto.Changeset
+
+  schema "users" do
+    field :email, :string
+    field :password, :string, virtual: true, redact: true
+    field :hashed_password, :string, redact: true
+    field :confirmed_at, :utc_datetime
+    field :authenticated_at, :utc_datetime, virtual: true
+
+    timestamps(type: :utc_datetime)
+  end
+
+  @doc """
+  A user changeset for registering or changing the email.
+
+  It requires the email to change otherwise an error is added.
+
+  ## Options
+
+    * `:validate_unique` - Set to false if you don't want to validate the
+      uniqueness of the email, useful when displaying live validations.
+      Defaults to `true`.
+  """
+  def email_changeset(user, attrs, opts \\ []) do
+    user
+    |> cast(attrs, [:email])
+    |> validate_email(opts)
+  end
+
+  defp validate_email(changeset, opts) do
+    changeset =
+      changeset
+      |> validate_required([:email])
+      |> validate_format(:email, ~r/^[^@,;\s]+@[^@,;\s]+$/,
+        message: "must have the @ sign and no spaces"
+      )
+      |> validate_length(:email, max: 160)
+
+    if Keyword.get(opts, :validate_unique, true) do
+      changeset
+      |> unsafe_validate_unique(:email, Firehose.Repo)
+      |> unique_constraint(:email)
+      |> validate_email_changed()
+    else
+      changeset
+    end
+  end
+
+  defp validate_email_changed(changeset) do
+    if get_field(changeset, :email) && get_change(changeset, :email) == nil do
+      add_error(changeset, :email, "did not change")
+    else
+      changeset
+    end
+  end
+
+  @doc """
+  A user changeset for changing the password.
+
+  It is important to validate the length of the password, as long passwords may
+  be very expensive to hash for certain algorithms.
+
+  ## Options
+
+    * `:hash_password` - Hashes the password so it can be stored securely
+      in the database and ensures the password field is cleared to prevent
+      leaks in the logs. If password hashing is not needed and clearing the
+      password field is not desired (like when using this changeset for
+      validations on a LiveView form), this option can be set to `false`.
+      Defaults to `true`.
+  """
+  def password_changeset(user, attrs, opts \\ []) do
+    user
+    |> cast(attrs, [:password])
+    |> validate_confirmation(:password, message: "does not match password")
+    |> validate_password(opts)
+  end
+
+  defp validate_password(changeset, opts) do
+    changeset
+    |> validate_required([:password])
+    |> validate_length(:password, min: 12, max: 72)
+    # Examples of additional password validation:
+    # |> validate_format(:password, ~r/[a-z]/, message: "at least one lower case character")
+    # |> validate_format(:password, ~r/[A-Z]/, message: "at least one upper case character")
+    # |> validate_format(:password, ~r/[!?@#$%^&*_0-9]/, message: "at least one digit or punctuation character")
+    |> maybe_hash_password(opts)
+  end
+
+  defp maybe_hash_password(changeset, opts) do
+    hash_password? = Keyword.get(opts, :hash_password, true)
+    password = get_change(changeset, :password)
+
+    if hash_password? && password && changeset.valid? do
+      changeset
+      # If using Bcrypt, then further validate it is at most 72 bytes long
+      |> validate_length(:password, max: 72, count: :bytes)
+      # Hashing could be done with `Ecto.Changeset.prepare_changes/2`, but that
+      # would keep the database transaction open longer and hurt performance.
+      |> put_change(:hashed_password, Bcrypt.hash_pwd_salt(password))
+      |> delete_change(:password)
+    else
+      changeset
+    end
+  end
+
+  @doc """
+  Confirms the account by setting `confirmed_at`.
+  """
+  def confirm_changeset(user) do
+    now = DateTime.utc_now(:second)
+    change(user, confirmed_at: now)
+  end
+
+  @doc """
+  Verifies the password.
+
+  If there is no user or the user doesn't have a password, we call
+  `Bcrypt.no_user_verify/0` to avoid timing attacks.
+  """
+  def valid_password?(%Firehose.Accounts.User{hashed_password: hashed_password}, password)
+      when is_binary(hashed_password) and byte_size(password) > 0 do
+    Bcrypt.verify_pass(password, hashed_password)
+  end
+
+  def valid_password?(_, _) do
+    Bcrypt.no_user_verify()
+    false
+  end
+end

app/lib/firehose/accounts/user_notifier.ex

@@ -0,0 +1,84 @@
+defmodule Firehose.Accounts.UserNotifier do
+  import Swoosh.Email
+
+  alias Firehose.Mailer
+  alias Firehose.Accounts.User
+
+  # Delivers the email using the application mailer.
+  defp deliver(recipient, subject, body) do
+    email =
+      new()
+      |> to(recipient)
+      |> from({"Firehose", "contact@example.com"})
+      |> subject(subject)
+      |> text_body(body)
+
+    with {:ok, _metadata} <- Mailer.deliver(email) do
+      {:ok, email}
+    end
+  end
+
+  @doc """
+  Deliver instructions to update a user email.
+  """
+  def deliver_update_email_instructions(user, url) do
+    deliver(user.email, "Update email instructions", """
+
+    ==============================
+
+    Hi #{user.email},
+
+    You can change your email by visiting the URL below:
+
+    #{url}
+
+    If you didn't request this change, please ignore this.
+
+    ==============================
+    """)
+  end
+
+  @doc """
+  Deliver instructions to log in with a magic link.
+  """
+  def deliver_login_instructions(user, url) do
+    case user do
+      %User{confirmed_at: nil} -> deliver_confirmation_instructions(user, url)
+      _ -> deliver_magic_link_instructions(user, url)
+    end
+  end
+
+  defp deliver_magic_link_instructions(user, url) do
+    deliver(user.email, "Log in instructions", """
+
+    ==============================
+
+    Hi #{user.email},
+
+    You can log into your account by visiting the URL below:
+
+    #{url}
+
+    If you didn't request this email, please ignore this.
+
+    ==============================
+    """)
+  end
+
+  defp deliver_confirmation_instructions(user, url) do
+    deliver(user.email, "Confirmation instructions", """
+
+    ==============================
+
+    Hi #{user.email},
+
+    You can confirm your account by visiting the URL below:
+
+    #{url}
+
+    If you didn't create an account with us, please ignore this.
+
+    ==============================
+    """)
+  end
+end

app/lib/firehose/accounts/user_token.ex

@@ -0,0 +1,156 @@
+defmodule Firehose.Accounts.UserToken do
+  use Ecto.Schema
+  import Ecto.Query
+  alias Firehose.Accounts.UserToken
+
+  @hash_algorithm :sha256
+  @rand_size 32
+
+  # It is very important to keep the magic link token expiry short,
+  # since someone with access to the email may take over the account.
+  @magic_link_validity_in_minutes 15
+  @change_email_validity_in_days 7
+  @session_validity_in_days 14
+
+  schema "users_tokens" do
+    field :token, :binary
+    field :context, :string
+    field :sent_to, :string
+    field :authenticated_at, :utc_datetime
+    belongs_to :user, Firehose.Accounts.User
+
+    timestamps(type: :utc_datetime, updated_at: false)
+  end
+
+  @doc """
+  Generates a token that will be stored in a signed place,
+  such as session or cookie. As they are signed, those
+  tokens do not need to be hashed.
+
+  The reason why we store session tokens in the database, even
+  though Phoenix already provides a session cookie, is because
+  Phoenix's default session cookies are not persisted, they are
+  simply signed and potentially encrypted. This means they are
+  valid indefinitely, unless you change the signing/encryption
+  salt.
+
+  Therefore, storing them allows individual user
+  sessions to be expired. The token system can also be extended
+  to store additional data, such as the device used for logging in.
+  You could then use this information to display all valid sessions
+  and devices in the UI and allow users to explicitly expire any
+  session they deem invalid.
+  """
+  def build_session_token(user) do
+    token = :crypto.strong_rand_bytes(@rand_size)
+    dt = user.authenticated_at || DateTime.utc_now(:second)
+    {token, %UserToken{token: token, context: "session", user_id: user.id, authenticated_at: dt}}
+  end
+
+  @doc """
+  Checks if the token is valid and returns its underlying lookup query.
+
+  The query returns the user found by the token, if any, along with the token's creation time.
+
+  The token is valid if it matches the value in the database and it has
+  not expired (after @session_validity_in_days).
+  """
+  def verify_session_token_query(token) do
+    query =
+      from token in by_token_and_context_query(token, "session"),
+        join: user in assoc(token, :user),
+        where: token.inserted_at > ago(@session_validity_in_days, "day"),
+        select: {%{user | authenticated_at: token.authenticated_at}, token.inserted_at}
+
+    {:ok, query}
+  end
+
+  @doc """
+  Builds a token and its hash to be delivered to the user's email.
+
+  The non-hashed token is sent to the user email while the
+  hashed part is stored in the database. The original token cannot be reconstructed,
+  which means anyone with read-only access to the database cannot directly use
+  the token in the application to gain access. Furthermore, if the user changes
+  their email in the system, the tokens sent to the previous email are no longer
+  valid.
+
+  Users can easily adapt the existing code to provide other types of delivery methods,
+  for example, by phone numbers.
+  """
+  def build_email_token(user, context) do
+    build_hashed_token(user, context, user.email)
+  end
+
+  defp build_hashed_token(user, context, sent_to) do
+    token = :crypto.strong_rand_bytes(@rand_size)
+    hashed_token = :crypto.hash(@hash_algorithm, token)
+
+    {Base.url_encode64(token, padding: false),
+     %UserToken{
+       token: hashed_token,
+       context: context,
+       sent_to: sent_to,
+       user_id: user.id
+     }}
+  end
+
+  @doc """
+  Checks if the token is valid and returns its underlying lookup query.
+
+  If found, the query returns a tuple of the form `{user, token}`.
+
+  The given token is valid if it matches its hashed counterpart in the
+  database. This function also checks whether the token has expired. The context
+  of a magic link token is always "login".
+  """
+  def verify_magic_link_token_query(token) do
+    case Base.url_decode64(token, padding: false) do
+      {:ok, decoded_token} ->
+        hashed_token = :crypto.hash(@hash_algorithm, decoded_token)
+
+        query =
+          from token in by_token_and_context_query(hashed_token, "login"),
+            join: user in assoc(token, :user),
+            where: token.inserted_at > ago(^@magic_link_validity_in_minutes, "minute"),
+            where: token.sent_to == user.email,
+            select: {user, token}
+
+        {:ok, query}
+
+      :error ->
+        :error
+    end
+  end
+
+  @doc """
+  Checks if the token is valid and returns its underlying lookup query.
+
+  The query returns the user_token found by the token, if any.
+
+  This is used to validate requests to change the user
+  email.
+  The given token is valid if it matches its hashed counterpart in the
+  database and if it has not expired (after @change_email_validity_in_days).
+  The context must always start with "change:".
+  """
+  def verify_change_email_token_query(token, "change:" <> _ = context) do
+    case Base.url_decode64(token, padding: false) do
+      {:ok, decoded_token} ->
+        hashed_token = :crypto.hash(@hash_algorithm, decoded_token)
+
+        query =
+          from token in by_token_and_context_query(hashed_token, context),
+            where: token.inserted_at > ago(@change_email_validity_in_days, "day")
+
+        {:ok, query}
+
+      :error ->
+        :error
+    end
+  end
+
+  defp by_token_and_context_query(token, context) do
+    from UserToken, where: [token: ^token, context: ^context]
+  end
+end

app/lib/firehose_web/components/layouts.ex

@@ -9,6 +9,7 @@ defmodule FirehoseWeb.Layouts do
   # The default root.html.heex file contains the HTML
   # skeleton of your application, namely HTML headers
   # and other static content.
+
   embed_templates "layouts/*"
 
   @doc """

app/lib/firehose_web/controllers/blog_controller.ex

@@ -22,11 +22,14 @@ defmodule FirehoseWeb.BlogController do
   def show(conn, %{"slug" => slug}) do
     blog = conn.assigns.blog
     post = blog.get_post!(slug)
+    visibility = Blogex.Post.visibility(post)
 
     render(conn, :show,
       page_title: post.title,
       post: post,
-      base_path: blog.base_path()
+      base_path: blog.base_path(),
+      visibility: visibility,
+      authenticated: !!(conn.assigns[:current_scope] && conn.assigns.current_scope.user)
     )
   end
 

app/lib/firehose_web/controllers/blog_html/show.html.heex

@@ -1,4 +1,23 @@
 <div class="space-y-8">
   <a href={@base_path} class="text-sm text-primary hover:underline">&larr; Back to posts</a>
+
+  <%= if @authenticated and @visibility == :draft do %>
+    <div
+      class="rounded-lg bg-amber-50 border border-amber-200 px-4 py-3 text-amber-800 text-sm font-medium"
+      id="post-status-banner"
+    >
+      Draft — not published
+    </div>
+  <% end %>
+
+  <%= if @authenticated and @visibility == :scheduled do %>
+    <div
+      class="rounded-lg bg-blue-50 border border-blue-200 px-4 py-3 text-blue-800 text-sm font-medium"
+      id="post-status-banner"
+    >
+      This post is scheduled for {Calendar.strftime(@post.date, "%B %d, %Y")}
+    </div>
+  <% end %>
+
   <.post_show post={@post} base_path={@base_path} />
 </div>

app/lib/firehose_web/controllers/user_registration_controller.ex

@@ -0,0 +1,44 @@
+defmodule FirehoseWeb.UserRegistrationController do
+  use FirehoseWeb, :controller
+
+  alias Firehose.Accounts
+  alias Firehose.Accounts.User
+
+  def new(conn, _params) do
+    changeset = Accounts.change_user_email(%User{})
+    render(conn, :new, changeset: changeset)
+  end
+
+  def create(conn, %{"user" => user_params}) do
+    allowed_email = Application.get_env(:firehose, :allowed_registration_email)
+
+    if allowed_email == nil or user_params["email"] != allowed_email do
+      changeset =
+        %User{}
+        |> Accounts.change_user_email(user_params)
+        |> Ecto.Changeset.add_error(:email, "registration is invite only.")
+        |> Map.put(:action, :validate)
+
+      render(conn, :new, changeset: changeset)
+    else
+      case Accounts.register_user(user_params) do
+        {:ok, user} ->
+          {:ok, _} =
+            Accounts.deliver_login_instructions(
+              user,
+              &url(~p"/users/log-in/#{&1}")
+            )
+
+          conn
+          |> put_flash(
+            :info,
+            "An email was sent to #{user.email}, please access it to confirm your account."
+          )
+          |> redirect(to: ~p"/users/log-in")
+
+        {:error, %Ecto.Changeset{} = changeset} ->
+          render(conn, :new, changeset: changeset)
+      end
+    end
+  end
+end

app/lib/firehose_web/controllers/user_registration_html.ex

@@ -0,0 +1,5 @@
+defmodule FirehoseWeb.UserRegistrationHTML do
+  use FirehoseWeb, :html
+
+  embed_templates "user_registration_html/*"
+end

app/lib/firehose_web/controllers/user_registration_html/new.html.heex

@@ -0,0 +1,30 @@
+<div class="mx-auto max-w-sm">
+  <div class="text-center">
+    <.header>
+      Register for an account
+      <:subtitle>
+        Already registered?
+        <.link navigate={~p"/users/log-in"} class="font-semibold text-brand hover:underline">
+          Log in
+        </.link>
+        to your account now.
+      </:subtitle>
+    </.header>
+  </div>
+
+  <.form :let={f} for={@changeset} action={~p"/users/register"}>
+    <.input
+      field={f[:email]}
+      type="email"
+      label="Email"
+      autocomplete="username"
+      spellcheck="false"
+      required
+      phx-mounted={JS.focus()}
+    />
+
+    <.button phx-disable-with="Creating account..." class="btn btn-primary w-full">
+      Create an account
+    </.button>
+  </.form>
+</div>

app/lib/firehose_web/controllers/user_session_controller.ex

@@ -0,0 +1,88 @@
+defmodule FirehoseWeb.UserSessionController do
+  use FirehoseWeb, :controller
+
+  alias Firehose.Accounts
+  alias FirehoseWeb.UserAuth
+
+  def new(conn, _params) do
+    email = get_in(conn.assigns, [:current_scope, Access.key(:user), Access.key(:email)])
+    form = Phoenix.Component.to_form(%{"email" => email}, as: "user")
+
+    render(conn, :new, form: form)
+  end
+
+  # magic link login
+  def create(conn, %{"user" => %{"token" => token} = user_params} = params) do
+    info =
+      case params do
+        %{"_action" => "confirmed"} -> "User confirmed successfully."
+        _ -> "Welcome back!"
+      end
+
+    case Accounts.login_user_by_magic_link(token) do
+      {:ok, {user, _expired_tokens}} ->
+        conn
+        |> put_flash(:info, info)
+        |> UserAuth.log_in_user(user, user_params)
+
+      {:error, :not_found} ->
+        conn
+        |> put_flash(:error, "The link is invalid or it has expired.")
+        |> render(:new, form: Phoenix.Component.to_form(%{}, as: "user"))
+    end
+  end
+
+  # email + password login
+  def create(conn, %{"user" => %{"email" => email, "password" => password} = user_params}) do
+    if user = Accounts.get_user_by_email_and_password(email, password) do
+      conn
+      |> put_flash(:info, "Welcome back!")
+      |> UserAuth.log_in_user(user, user_params)
+    else
+      form = Phoenix.Component.to_form(user_params, as: "user")
+
+      # In order to prevent user enumeration attacks, don't disclose whether the email is registered.
+      conn
+      |> put_flash(:error, "Invalid email or password")
+      |> render(:new, form: form)
+    end
+  end
+
+  # magic link request
+  def create(conn, %{"user" => %{"email" => email}}) do
+    if user = Accounts.get_user_by_email(email) do
+      Accounts.deliver_login_instructions(
+        user,
+        &url(~p"/users/log-in/#{&1}")
+      )
+    end
+
+    info =
+      "If your email is in our system, you will receive instructions for logging in shortly."
+
+    conn
+    |> put_flash(:info, info)
+    |> redirect(to: ~p"/users/log-in")
+  end
+
+  def confirm(conn, %{"token" => token}) do
+    if user = Accounts.get_user_by_magic_link_token(token) do
+      form = Phoenix.Component.to_form(%{"token" => token}, as: "user")
+
+      conn
+      |> assign(:user, user)
+      |> assign(:form, form)
+      |> render(:confirm)
+    else
+      conn
+      |> put_flash(:error, "Magic link is invalid or it has expired.")
+      |> redirect(to: ~p"/users/log-in")
+    end
+  end
+
+  def delete(conn, _params) do
+    conn
+    |> put_flash(:info, "Logged out successfully.")
+    |> UserAuth.log_out_user()
+  end
+end

app/lib/firehose_web/controllers/user_session_html.ex

@@ -0,0 +1,9 @@
+defmodule FirehoseWeb.UserSessionHTML do
+  use FirehoseWeb, :html
+
+  embed_templates "user_session_html/*"
+
+  defp local_mail_adapter? do
+    Application.get_env(:firehose, Firehose.Mailer)[:adapter] == Swoosh.Adapters.Local
+  end
+end

app/lib/firehose_web/controllers/user_session_html/confirm.html.heex

@@ -0,0 +1,57 @@
+<div class="mx-auto max-w-sm">
+  <div class="text-center">
+    <.header>Welcome {@user.email}</.header>
+  </div>
+
+  <.form
+    :if={!@user.confirmed_at}
+    for={@form}
+    id="confirmation_form"
+    action={~p"/users/log-in?_action=confirmed"}
+    phx-mounted={JS.focus_first()}
+  >
+    <input type="hidden" name={@form[:token].name} value={@form[:token].value} />
+    <.button
+      name={@form[:remember_me].name}
+      value="true"
+      phx-disable-with="Confirming..."
+      class="btn btn-primary w-full"
+    >
+      Confirm and stay logged in
+    </.button>
+    <.button phx-disable-with="Confirming..." class="btn btn-primary btn-soft w-full mt-2">
+      Confirm and log in only this time
+    </.button>
+  </.form>
+
+  <.form
+    :if={@user.confirmed_at}
+    for={@form}
+    id="login_form"
+    action={~p"/users/log-in"}
+    phx-mounted={JS.focus_first()}
+  >
+    <input type="hidden" name={@form[:token].name} value={@form[:token].value} />
+    <%= if @current_scope do %>
+      <.button variant="primary" phx-disable-with="Logging in..." class="btn btn-primary w-full">
+        Log in
+      </.button>
+    <% else %>
+      <.button
+        name={@form[:remember_me].name}
+        value="true"
+        phx-disable-with="Logging in..."
+        class="btn btn-primary w-full"
+      >
+        Keep me logged in on this device
+      </.button>
+      <.button phx-disable-with="Logging in..." class="btn btn-primary btn-soft w-full mt-2">
+        Log me in only this time
+      </.button>
+    <% end %>
+  </.form>
+
+  <p :if={!@user.confirmed_at} class="alert alert-outline mt-8">
+    Tip: If you prefer passwords, you can enable them in the user settings.
+  </p>
+</div>

app/lib/firehose_web/controllers/user_session_html/new.html.heex

@@ -0,0 +1,71 @@
+<div class="mx-auto max-w-sm space-y-4">
+  <div class="text-center">
+    <.header>
+      <p>Log in</p>
+      <:subtitle>
+        <%= if @current_scope do %>
+          You need to reauthenticate to perform sensitive actions on your account.
+        <% else %>
+          Don't have an account? <.link
+            navigate={~p"/users/register"}
+            class="font-semibold text-brand hover:underline"
+            phx-no-format
+          >Sign up</.link> for an account now.
+        <% end %>
+      </:subtitle>
+    </.header>
+  </div>
+
+  <div :if={local_mail_adapter?()} class="alert alert-info">
+    <.icon name="hero-information-circle" class="size-6 shrink-0" />
+    <div>
+      <p>You are running the local mail adapter.</p>
+      <p>
+        To see sent emails, visit <.link href="/dev/mailbox" class="underline">the mailbox page</.link>.
+      </p>
+    </div>
+  </div>
+
+  <.form :let={f} for={@form} as={:user} id="login_form_magic" action={~p"/users/log-in"}>
+    <.input
+      readonly={!!@current_scope}
+      field={f[:email]}
+      type="email"
+      label="Email"
+      autocomplete="username"
+      spellcheck="false"
+      required
+      phx-mounted={JS.focus()}
+    />
+    <.button class="btn btn-primary w-full">
+      Log in with email <span aria-hidden="true">→</span>
+    </.button>
+  </.form>
+
+  <div class="divider">or</div>
+
+  <.form :let={f} for={@form} as={:user} id="login_form_password" action={~p"/users/log-in"}>
+    <.input
+      readonly={!!@current_scope}
+      field={f[:email]}
+      type="email"
+      label="Email"
+      autocomplete="username"
+      spellcheck="false"
+      required
+    />
+    <.input
+      field={f[:password]}
+      type="password"
+      label="Password"
+      autocomplete="current-password"
+      spellcheck="false"
+    />
+    <.button class="btn btn-primary w-full" name={@form[:remember_me].name} value="true">
+      Log in and stay logged in <span aria-hidden="true">→</span>
+    </.button>
+    <.button class="btn btn-primary btn-soft w-full mt-2">
+      Log in only this time
+    </.button>
+  </.form>
+</div>

app/lib/firehose_web/controllers/user_settings_controller.ex

@@ -0,0 +1,77 @@
+defmodule FirehoseWeb.UserSettingsController do
+  use FirehoseWeb, :controller
+
+  alias Firehose.Accounts
+  alias FirehoseWeb.UserAuth
+
+  import FirehoseWeb.UserAuth, only: [require_sudo_mode: 2]
+
+  plug :require_sudo_mode
+  plug :assign_email_and_password_changesets
+
+  def edit(conn, _params) do
+    render(conn, :edit)
+  end
+
+  def update(conn, %{"action" => "update_email"} = params) do
+    %{"user" => user_params} = params
+    user = conn.assigns.current_scope.user
+
+    case Accounts.change_user_email(user, user_params) do
+      %{valid?: true} = changeset ->
+        Accounts.deliver_user_update_email_instructions(
+          Ecto.Changeset.apply_action!(changeset, :insert),
+          user.email,
+          &url(~p"/users/settings/confirm-email/#{&1}")
+        )
+
+        conn
+        |> put_flash(
+          :info,
+          "A link to confirm your email change has been sent to the new address."
+        )
+        |> redirect(to: ~p"/users/settings")
+
+      changeset ->
+        render(conn, :edit, email_changeset: %{changeset | action: :insert})
+    end
+  end
+
+  def update(conn, %{"action" => "update_password"} = params) do
+    %{"user" => user_params} = params
+    user = conn.assigns.current_scope.user
+
+    case Accounts.update_user_password(user, user_params) do
+      {:ok, {user, _}} ->
+        conn
+        |> put_flash(:info, "Password updated successfully.")
+        |> put_session(:user_return_to, ~p"/users/settings")
+        |> UserAuth.log_in_user(user)
+
+      {:error, changeset} ->
+        render(conn, :edit, password_changeset: changeset)
+    end
+  end
+
+  def confirm_email(conn, %{"token" => token}) do
+    case Accounts.update_user_email(conn.assigns.current_scope.user, token) do
+      {:ok, _user} ->
+        conn
+        |> put_flash(:info, "Email changed successfully.")
+        |> redirect(to: ~p"/users/settings")
+
+      {:error, _} ->
+        conn
+        |> put_flash(:error, "Email change link is invalid or it has expired.")
+        |> redirect(to: ~p"/users/settings")
+    end
+  end
+
+  defp assign_email_and_password_changesets(conn, _opts) do
+    user = conn.assigns.current_scope.user
+
+    conn
+    |> assign(:email_changeset, Accounts.change_user_email(user))
+    |> assign(:password_changeset, Accounts.change_user_password(user))
+  end
+end

app/lib/firehose_web/controllers/user_settings_html.ex

@@ -0,0 +1,5 @@
+defmodule FirehoseWeb.UserSettingsHTML do
+  use FirehoseWeb, :html
+
+  embed_templates "user_settings_html/*"
+end

app/lib/firehose_web/controllers/user_settings_html/edit.html.heex

@@ -0,0 +1,47 @@
+<div class="text-center">
+  <.header>
+    Account Settings
+    <:subtitle>Manage your account email address and password settings</:subtitle>
+  </.header>
+</div>
+
+<.form :let={f} for={@email_changeset} action={~p"/users/settings"} id="update_email">
+  <input type="hidden" name="action" value="update_email" />
+
+  <.input
+    field={f[:email]}
+    type="email"
+    label="Email"
+    autocomplete="username"
+    spellcheck="false"
+    required
+  />
+
+  <.button variant="primary" phx-disable-with="Changing...">Change Email</.button>
+</.form>
+
+<div class="divider" />
+
+<.form :let={f} for={@password_changeset} action={~p"/users/settings"} id="update_password">
+  <input type="hidden" name="action" value="update_password" />
+
+  <.input
+    field={f[:password]}
+    type="password"
+    label="New password"
+    autocomplete="new-password"
+    spellcheck="false"
+    required
+  />
+  <.input
+    field={f[:password_confirmation]}
+    type="password"
+    label="Confirm new password"
+    autocomplete="new-password"
+    spellcheck="false"
+    required
+  />
+  <.button variant="primary" phx-disable-with="Changing...">
+    Save Password
+  </.button>
+</.form>

app/lib/firehose_web/live/editor_dashboard_live.ex

@@ -0,0 +1,117 @@
+defmodule FirehoseWeb.EditorDashboardLive do
+  use FirehoseWeb, :live_view
+
+  alias Blogex.Post
+
+  @impl true
+  def mount(_params, _session, socket) do
+    all_posts = Blogex.Registry.all_posts_unfiltered()
+
+    drafts =
+      all_posts
+      |> Enum.filter(&(Post.visibility(&1) == :draft))
+      |> Enum.sort_by(& &1.date, {:desc, Date})
+
+    scheduled =
+      all_posts
+      |> Enum.filter(&(Post.visibility(&1) == :scheduled))
+      |> Enum.sort_by(& &1.date, {:asc, Date})
+
+    {:ok,
+     socket
+     |> assign(:page_title, "Editor Dashboard")
+     |> assign(:drafts, drafts)
+     |> assign(:scheduled, scheduled)
+     |> assign(:active_tab, :drafts)}
+  end
+
+  @impl true
+  def render(assigns) do
+    ~H"""
+    <div class="max-w-4xl mx-auto">
+      <h1 class="text-2xl font-bold mb-6">Dashboard</h1>
+
+      <div class="flex gap-4 mb-6 border-b border-zinc-200">
+        <button
+          phx-click="switch_tab"
+          phx-value-tab="drafts"
+          class={[
+            "pb-2 px-1 text-sm font-medium transition-colors",
+            if(@active_tab == :drafts,
+              do: "border-b-2 border-zinc-900 text-zinc-900",
+              else: "text-zinc-500 hover:text-zinc-700"
+            )
+          ]}
+        >
+          Drafts ({length(@drafts)})
+        </button>
+        <button
+          phx-click="switch_tab"
+          phx-value-tab="scheduled"
+          class={[
+            "pb-2 px-1 text-sm font-medium transition-colors",
+            if(@active_tab == :scheduled,
+              do: "border-b-2 border-zinc-900 text-zinc-900",
+              else: "text-zinc-500 hover:text-zinc-700"
+            )
+          ]}
+        >
+          Scheduled ({length(@scheduled)})
+        </button>
+      </div>
+
+      <div id="drafts-tab" class={if(@active_tab != :drafts, do: "hidden")}>
+        <div :if={@drafts == []} class="text-zinc-500 text-sm">No drafts</div>
+        <div :for={post <- @drafts} class="py-4 border-b border-zinc-100 last:border-0">
+          <div class="flex items-center justify-between">
+            <div>
+              <.link
+                navigate={post_path(post)}
+                class="text-base font-medium text-zinc-900 hover:underline"
+              >
+                {post.title}
+              </.link>
+              <div class="text-sm text-zinc-500 mt-1">
+                {post.author} · {Calendar.strftime(post.date, "%b %d, %Y")} ·
+                <span class="text-amber-600 font-medium">Draft</span>
+              </div>
+            </div>
+          </div>
+        </div>
+      </div>
+
+      <div id="scheduled-tab" class={if(@active_tab != :scheduled, do: "hidden")}>
+        <div :if={@scheduled == []} class="text-zinc-500 text-sm">No scheduled posts</div>
+        <div :for={post <- @scheduled} class="py-4 border-b border-zinc-100 last:border-0">
+          <div class="flex items-center justify-between">
+            <div>
+              <.link
+                navigate={post_path(post)}
+                class="text-base font-medium text-zinc-900 hover:underline"
+              >
+                {post.title}
+              </.link>
+              <div class="text-sm text-zinc-500 mt-1">
+                {post.author} · {Calendar.strftime(post.date, "%b %d, %Y")} ·
+                <span class="text-blue-600 font-medium">
+                  {Post.days_until_live(post)} days until live
+                </span>
+              </div>
+            </div>
+          </div>
+        </div>
+      </div>
+    </div>
+    """
+  end
+
+  @impl true
+  def handle_event("switch_tab", %{"tab" => tab}, socket) do
+    {:noreply, assign(socket, :active_tab, String.to_existing_atom(tab))}
+  end
+
+  defp post_path(post) do
+    blog = Blogex.Registry.get_blog!(post.blog)
+    "#{blog.base_path()}/#{post.id}"
+  end
+end

app/lib/firehose_web/router.ex

@@ -1,6 +1,8 @@
 defmodule FirehoseWeb.Router do
   use FirehoseWeb, :router
 
+  import FirehoseWeb.UserAuth
+
   pipeline :browser do
     plug :accepts, ["html"]
     plug :fetch_session
@@ -9,6 +11,7 @@ defmodule FirehoseWeb.Router do
     plug :put_layout, html: {FirehoseWeb.Layouts, :app}
     plug :protect_from_forgery
     plug :put_secure_browser_headers
+    plug :fetch_current_scope_for_user
   end
 
   pipeline :api do
@@ -51,4 +54,35 @@ defmodule FirehoseWeb.Router do
       forward "/mailbox", Plug.Swoosh.MailboxPreview
     end
   end
+
+  ## Authentication routes
+
+  scope "/", FirehoseWeb do
+    pipe_through [:browser, :redirect_if_user_is_authenticated]
+
+    get "/users/register", UserRegistrationController, :new
+    post "/users/register", UserRegistrationController, :create
+  end
+
+  scope "/", FirehoseWeb do
+    pipe_through [:browser, :require_authenticated_user]
+
+    live_session :authenticated_user,
+      on_mount: [{FirehoseWeb.UserAuth, :ensure_authenticated}] do
+      live "/editor/dashboard", EditorDashboardLive
+    end
+
+    get "/users/settings", UserSettingsController, :edit
+    put "/users/settings", UserSettingsController, :update
+    get "/users/settings/confirm-email/:token", UserSettingsController, :confirm_email
+  end
+
+  scope "/", FirehoseWeb do
+    pipe_through [:browser]
+
+    get "/users/log-in", UserSessionController, :new
+    get "/users/log-in/:token", UserSessionController, :confirm
+    post "/users/log-in", UserSessionController, :create
+    delete "/users/log-out", UserSessionController, :delete
+  end
 end

app/lib/firehose_web/user_auth.ex

@@ -0,0 +1,256 @@
+defmodule FirehoseWeb.UserAuth do
+  use FirehoseWeb, :verified_routes
+
+  import Plug.Conn
+  import Phoenix.Controller
+
+  alias Firehose.Accounts
+  alias Firehose.Accounts.Scope
+
+  # Make the remember me cookie valid for 14 days. This should match
+  # the session validity setting in UserToken.
+  @max_cookie_age_in_days 14
+  @remember_me_cookie "_firehose_web_user_remember_me"
+  @remember_me_options [
+    sign: true,
+    max_age: @max_cookie_age_in_days * 24 * 60 * 60,
+    same_site: "Lax"
+  ]
+
+  # How old the session token should be before a new one is issued. When a request is made
+  # with a session token older than this value, then a new session token will be created
+  # and the session and remember-me cookies (if set) will be updated with the new token.
+  # Lowering this value will result in more tokens being created by active users. Increasing
+  # it will result in less time before a session token expires for a user to get issued a new
+  # token. This can be set to a value greater than `@max_cookie_age_in_days` to disable
+  # the reissuing of tokens completely.
+  @session_reissue_age_in_days 7
+
+  @doc """
+  Logs the user in.
+
+  Redirects to the session's `:user_return_to` path
+  or falls back to the `signed_in_path/1`.
+  """
+  def log_in_user(conn, user, params \\ %{}) do
+    user_return_to = get_session(conn, :user_return_to)
+
+    conn
+    |> create_or_extend_session(user, params)
+    |> redirect(to: user_return_to || signed_in_path(conn))
+  end
+
+  @doc """
+  Logs the user out.
+
+  It clears all session data for safety. See renew_session.
+  """
+  def log_out_user(conn) do
+    user_token = get_session(conn, :user_token)
+    user_token && Accounts.delete_user_session_token(user_token)
+
+    if live_socket_id = get_session(conn, :live_socket_id) do
+      FirehoseWeb.Endpoint.broadcast(live_socket_id, "disconnect", %{})
+    end
+
+    conn
+    |> renew_session(nil)
+    |> delete_resp_cookie(@remember_me_cookie, @remember_me_options)
+    |> redirect(to: ~p"/")
+  end
+
+  @doc """
+  Authenticates the user by looking into the session and remember me token.
+
+  Will reissue the session token if it is older than the configured age.
+  """
+  def fetch_current_scope_for_user(conn, _opts) do
+    with {token, conn} <- ensure_user_token(conn),
+         {user, token_inserted_at} <- Accounts.get_user_by_session_token(token) do
+      conn
+      |> assign(:current_scope, Scope.for_user(user))
+      |> maybe_reissue_user_session_token(user, token_inserted_at)
+    else
+      nil -> assign(conn, :current_scope, Scope.for_user(nil))
+    end
+  end
+
+  defp ensure_user_token(conn) do
+    if token = get_session(conn, :user_token) do
+      {token, conn}
+    else
+      conn = fetch_cookies(conn, signed: [@remember_me_cookie])
+
+      if token = conn.cookies[@remember_me_cookie] do
+        {token, conn |> put_token_in_session(token) |> put_session(:user_remember_me, true)}
+      else
+        nil
+      end
+    end
+  end
+
+  # Reissue the session token if it is older than the configured reissue age.
+  defp maybe_reissue_user_session_token(conn, user, token_inserted_at) do
+    token_age = DateTime.diff(DateTime.utc_now(:second), token_inserted_at, :day)
+
+    if token_age >= @session_reissue_age_in_days do
+      create_or_extend_session(conn, user, %{})
+    else
+      conn
+    end
+  end
+
+  # This function is the one responsible for creating session tokens
+  # and storing them safely in the session and cookies. It may be called
+  # either when logging in, during sudo mode, or to renew a session which
+  # will soon expire.
+  #
+  # When the session is created, rather than extended, the renew_session
+  # function will clear the session to avoid fixation attacks. See the
+  # renew_session function to customize this behaviour.
+  defp create_or_extend_session(conn, user, params) do
+    token = Accounts.generate_user_session_token(user)
+    remember_me = get_session(conn, :user_remember_me)
+
+    conn
+    |> renew_session(user)
+    |> put_token_in_session(token)
+    |> maybe_write_remember_me_cookie(token, params, remember_me)
+  end
+
+  # Do not renew session if the user is already logged in
+  # to prevent CSRF errors or data being lost in tabs that are still open
+  defp renew_session(conn, user) when conn.assigns.current_scope.user.id == user.id do
+    conn
+  end
+
+  # This function renews the session ID and erases the whole
+  # session to avoid fixation attacks. If there is any data
+  # in the session you may want to preserve after log in/log out,
+  # you must explicitly fetch the session data before clearing
+  # and then immediately set it after clearing, for example:
+  #
+  #     defp renew_session(conn, _user) do
+  #       delete_csrf_token()
+  #       preferred_locale = get_session(conn, :preferred_locale)
+  #
+  #       conn
+  #       |> configure_session(renew: true)
+  #       |> clear_session()
+  #       |> put_session(:preferred_locale, preferred_locale)
+  #     end
+  #
+  defp renew_session(conn, _user) do
+    delete_csrf_token()
+
+    conn
+    |> configure_session(renew: true)
+    |> clear_session()
+  end
+
+  defp maybe_write_remember_me_cookie(conn, token, %{"remember_me" => "true"}, _),
+    do: write_remember_me_cookie(conn, token)
+
+  defp maybe_write_remember_me_cookie(conn, token, _params, true),
+    do: write_remember_me_cookie(conn, token)
+
+  defp maybe_write_remember_me_cookie(conn, _token, _params, _), do: conn
+
+  defp write_remember_me_cookie(conn, token) do
+    conn
+    |> put_session(:user_remember_me, true)
+    |> put_resp_cookie(@remember_me_cookie, token, @remember_me_options)
+  end
+
+  defp put_token_in_session(conn, token) do
+    put_session(conn, :user_token, token)
+  end
+
+  @doc """
+  Plug for routes that require sudo mode.
+  """
+  def require_sudo_mode(conn, _opts) do
+    if Accounts.sudo_mode?(conn.assigns.current_scope.user, -10) do
+      conn
+    else
+      conn
+      |> put_flash(:error, "You must re-authenticate to access this page.")
+      |> maybe_store_return_to()
+      |> redirect(to: ~p"/users/log-in")
+      |> halt()
+    end
+  end
+
+  @doc """
+  Plug for routes that require the user to not be authenticated.
+  """
+  def redirect_if_user_is_authenticated(conn, _opts) do
+    if conn.assigns.current_scope do
+      conn
+      |> redirect(to: signed_in_path(conn))
+      |> halt()
+    else
+      conn
+    end
+  end
+
+  defp signed_in_path(_conn), do: ~p"/"
+
+  @doc """
+  Plug for routes that require the user to be authenticated.
+  """
+  def require_authenticated_user(conn, _opts) do
+    if conn.assigns.current_scope && conn.assigns.current_scope.user do
+      conn
+    else
+      conn
+      |> put_flash(:error, "You must log in to access this page.")
+      |> maybe_store_return_to()
+      |> redirect(to: ~p"/users/log-in")
+      |> halt()
+    end
+  end
+
+  defp maybe_store_return_to(%{method: "GET"} = conn) do
+    put_session(conn, :user_return_to, current_path(conn))
+  end
+
+  defp maybe_store_return_to(conn), do: conn
+
+  @doc """
+  LiveView on_mount callback that ensures the user is authenticated.
+
+  Used in `live_session` blocks in the router:
+
+      live_session :authenticated, on_mount: [{FirehoseWeb.UserAuth, :ensure_authenticated}] do
+        live "/editor/dashboard", EditorDashboardLive
+      end
+  """
+  def on_mount(:ensure_authenticated, _params, session, socket) do
+    socket = mount_current_scope(socket, session)
+
+    if socket.assigns.current_scope && socket.assigns.current_scope.user do
+      {:cont, socket}
+    else
+      socket =
+        socket
+        |> Phoenix.LiveView.put_flash(:error, "You must log in to access this page.")
+        |> Phoenix.LiveView.redirect(to: ~p"/users/log-in")
+
+      {:halt, socket}
+    end
+  end
+
+  defp mount_current_scope(socket, session) do
+    Phoenix.Component.assign_new(socket, :current_scope, fn ->
+      if token = session["user_token"] do
+        case Accounts.get_user_by_session_token(token) do
+          {user, _token_inserted_at} -> Scope.for_user(user)
+          nil -> Scope.for_user(nil)
+        end
+      else
+        Scope.for_user(nil)
+      end
+    end)
+  end
+end

app/mix.exs

@@ -41,6 +41,7 @@ defmodule Firehose.MixProject do
   # Type `mix help deps` for examples and options.
   defp deps do
     [
+      {:bcrypt_elixir, "~> 3.0"},
       {:phoenix, "~> 1.8.1"},
       {:phoenix_ecto, "~> 4.5"},
       {:ecto_sql, "~> 3.13"},

app/mix.lock

@@ -1,7 +1,9 @@
 %{
   "bandit": {:hex, :bandit, "1.10.3", "1e5d168fa79ec8de2860d1b4d878d97d4fbbe2fdbe7b0a7d9315a4359d1d4bb9", [:mix], [{:hpax, "~> 1.0", [hex: :hpax, repo: "hexpm", optional: false]}, {:plug, "~> 1.18", [hex: :plug, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}, {:thousand_island, "~> 1.0", [hex: :thousand_island, repo: "hexpm", optional: false]}, {:websock, "~> 0.5", [hex: :websock, repo: "hexpm", optional: false]}], "hexpm", "99a52d909c48db65ca598e1962797659e3c0f1d06e825a50c3d75b74a5e2db18"},
+  "bcrypt_elixir": {:hex, :bcrypt_elixir, "3.3.2", "d50091e3c9492d73e17fc1e1619a9b09d6a5ef99160eb4d736926fd475a16ca3", [:make, :mix], [{:comeonin, "~> 5.3", [hex: :comeonin, repo: "hexpm", optional: false]}, {:elixir_make, "~> 0.6", [hex: :elixir_make, repo: "hexpm", optional: false]}], "hexpm", "471be5151874ae7931911057d1467d908955f93554f7a6cd1b7d804cac8cef53"},
   "bunt": {:hex, :bunt, "1.0.0", "081c2c665f086849e6d57900292b3a161727ab40431219529f13c4ddcf3e7a44", [:mix], [], "hexpm", "dc5f86aa08a5f6fa6b8096f0735c4e76d54ae5c9fa2c143e5a1fc7c1cd9bb6b5"},
   "cc_precompiler": {:hex, :cc_precompiler, "0.1.11", "8c844d0b9fb98a3edea067f94f616b3f6b29b959b6b3bf25fee94ffe34364768", [:mix], [{:elixir_make, "~> 0.7", [hex: :elixir_make, repo: "hexpm", optional: false]}], "hexpm", "3427232caf0835f94680e5bcf082408a70b48ad68a5f5c0b02a3bea9f3a075b9"},
+  "comeonin": {:hex, :comeonin, "5.5.1", "5113e5f3800799787de08a6e0db307133850e635d34e9fab23c70b6501669510", [:mix], [], "hexpm", "65aac8f19938145377cee73973f192c5645873dcf550a8a6b18187d17c13ccdb"},
   "credo": {:hex, :credo, "1.7.17", "f92b6aa5b26301eaa5a35e4d48ebf5aa1e7094ac00ae38f87086c562caf8a22f", [:mix], [{:bunt, "~> 0.2.1 or ~> 1.0", [hex: :bunt, repo: "hexpm", optional: false]}, {:file_system, "~> 0.2 or ~> 1.0", [hex: :file_system, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}], "hexpm", "1eb5645c835f0b6c9b5410f94b5a185057bcf6d62a9c2b476da971cde8749645"},
   "db_connection": {:hex, :db_connection, "2.9.0", "a6a97c5c958a2d7091a58a9be40caf41ab496b0701d21e1d1abff3fa27a7f371", [:mix], [{:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "17d502eacaf61829db98facf6f20808ed33da6ccf495354a41e64fe42f9c509c"},
   "decimal": {:hex, :decimal, "2.3.0", "3ad6255aa77b4a3c4f818171b12d237500e63525c2fd056699967a3e7ea20f62", [:mix], [], "hexpm", "a4d66355cb29cb47c3cf30e71329e58361cfcb37c34235ef3bf1d7bf3773aeac"},

app/priv/blog/engineering/2099/01-01-future-test-post.md

@@ -0,0 +1,8 @@
+%{
+  title: "Future Test Post",
+  author: "Test Author",
+  tags: ~w(test),
+  description: "A post scheduled for the future"
+}
+---
+This is a future test post.

app/priv/blog/release-notes/2026/04-01-scheduled-publishing.md

@@ -0,0 +1,72 @@
+%{
+  title: "Scheduled Publishing & Author Dashboard",
+  author: "Willem van den Ende",
+  tags: ~w(release features),
+  description: "Future-dated posts stay hidden until their publish date, authors get a dashboard to track drafts and scheduled content, and registration is locked down to invited emails only."
+}
+---
+
+Posts in Firehose are markdown files with a date in the filename. Until now, every published post was immediately visible. That changes today: posts with a future date are now hidden from public views until their date arrives.
+
+This was built in a single session using an agentic dev team -- 12 issues tracked in beads, executed in three parallel phases, producing 232 tests across the blogex library and Phoenix app.
+
+## What changed
+
+### Future-dated posts are hidden from public views
+
+The blog index, tag pages, RSS feeds, and Atom feeds now filter out posts where the date is after today. If you schedule a post for next Tuesday, readers won't see it until then.
+
+![Blog index showing only past-dated posts](/images/scheduled-publishing/scheduled-blog-index.png)
+
+But here's the key design choice: **direct URL access still works**. If you know the slug, you can view the post. This lets authors share preview links with reviewers before the publish date.
+
+![Future post accessible by direct URL](/images/scheduled-publishing/scheduled-direct-access.png)
+
+### Status banners for authors
+
+When you're logged in, draft and scheduled posts show a status banner so you always know what state a post is in. Unauthenticated visitors see nothing -- no clue the post isn't "live" yet.
+
+**Scheduled posts** show a blue banner with the target date:
+
+![Scheduled banner showing target publish date](/images/scheduled-publishing/scheduled-banner-future.png)
+
+**Draft posts** (unpublished) show an amber banner:
+
+![Draft banner on unpublished post](/images/scheduled-publishing/scheduled-banner-draft.png)
+
+### Editor dashboard
+
+A new LiveView at `/editor/dashboard` gives authors a unified view of all non-live content across every blog. Two tabs: drafts and scheduled posts. Scheduled posts show a "days until live" countdown.
+
+![Dashboard drafts tab](/images/scheduled-publishing/scheduled-dashboard.png)
+
+![Dashboard scheduled tab with countdown](/images/scheduled-publishing/scheduled-dashboard-scheduled.png)
+
+The dashboard requires authentication -- unauthenticated users are redirected to the login page.
+
+### Authentication and registration gating
+
+We added `mix phx.gen.auth` for session-based authentication with magic links and password login. Login and registration pages are accessible by direct URL only -- they're intentionally not linked from the public navigation.
+
+Registration is gated to a single email via the `ALLOWED_REGISTRATION_EMAIL` environment variable. Anyone else gets a polite rejection:
+
+![Registration rejected for non-matching email](/images/scheduled-publishing/scheduled-registration-rejected.png)
+
+When the environment variable isn't set, registration is disabled entirely. A demo user (`demo@example.com`) is seeded in dev for local testing.
+
+## How it was built
+
+The feature was planned as an [Allium specification](https://github.com/your-org/allium) with surfaces, rules, and domain entities, then broken into 12 beads (issues) across three phases:
+
+1. **Scheduled posts** (5 beads): date filtering in blogex, unfiltered direct access, feed/router verification
+2. **Authentication** (3 beads): phx.gen.auth scaffolding, registration gating, dev seed
+3. **Dashboard** (4 beads): post visibility helpers, unfiltered registry access, LiveView dashboard, status banners
+
+All 12 beads were executed with parallel agentic workers in isolated git worktrees, then merged and integrated on main. The demo caught one bug (auth check using `current_user` instead of `current_scope`) which was fixed before this post.
+
+## By the numbers
+
+- **232 tests** passing (89 blogex + 143 Phoenix app)
+- **12 beads** planned, executed, and closed
+- **3 phases** run with parallel workers
+- **0 compiler warnings**

app/priv/repo/migrations/20260401201722_create_users_auth_tables.exs

@@ -0,0 +1,30 @@
+defmodule Firehose.Repo.Migrations.CreateUsersAuthTables do
+  use Ecto.Migration
+
+  def change do
+    execute "CREATE EXTENSION IF NOT EXISTS citext", ""
+
+    create table(:users) do
+      add :email, :citext, null: false
+      add :hashed_password, :string
+      add :confirmed_at, :utc_datetime
+
+      timestamps(type: :utc_datetime)
+    end
+
+    create unique_index(:users, [:email])
+
+    create table(:users_tokens) do
+      add :user_id, references(:users, on_delete: :delete_all), null: false
+      add :token, :binary, null: false
+      add :context, :string, null: false
+      add :sent_to, :string
+      add :authenticated_at, :utc_datetime
+
+      timestamps(type: :utc_datetime, updated_at: false)
+    end
+
+    create index(:users_tokens, [:user_id])
+    create unique_index(:users_tokens, [:context, :token])
+  end
+end

app/priv/repo/seeds.exs

@@ -9,3 +9,13 @@
 #
 # We recommend using the bang functions (`insert!`, `update!`
 # and so on) as they will fail if something goes wrong.
+
+if Mix.env() == :dev do
+  alias Firehose.Accounts
+
+  # Create demo user if not already present
+  unless Accounts.get_user_by_email("demo@example.com") do
+    {:ok, user} = Accounts.register_user(%{email: "demo@example.com"})
+    {:ok, {_user, _tokens}} = Accounts.update_user_password(user, %{password: "password123!"})
+  end
+end

app/test/firehose/accounts_test.exs

@@ -0,0 +1,397 @@
+defmodule Firehose.AccountsTest do
+  use Firehose.DataCase
+
+  alias Firehose.Accounts
+
+  import Firehose.AccountsFixtures
+  alias Firehose.Accounts.{User, UserToken}
+
+  describe "get_user_by_email/1" do
+    test "does not return the user if the email does not exist" do
+      refute Accounts.get_user_by_email("unknown@example.com")
+    end
+
+    test "returns the user if the email exists" do
+      %{id: id} = user = user_fixture()
+      assert %User{id: ^id} = Accounts.get_user_by_email(user.email)
+    end
+  end
+
+  describe "get_user_by_email_and_password/2" do
+    test "does not return the user if the email does not exist" do
+      refute Accounts.get_user_by_email_and_password("unknown@example.com", "hello world!")
+    end
+
+    test "does not return the user if the password is not valid" do
+      user = user_fixture() |> set_password()
+      refute Accounts.get_user_by_email_and_password(user.email, "invalid")
+    end
+
+    test "returns the user if the email and password are valid" do
+      %{id: id} = user = user_fixture() |> set_password()
+
+      assert %User{id: ^id} =
+               Accounts.get_user_by_email_and_password(user.email, valid_user_password())
+    end
+  end
+
+  describe "get_user!/1" do
+    test "raises if id is invalid" do
+      assert_raise Ecto.NoResultsError, fn ->
+        Accounts.get_user!(-1)
+      end
+    end
+
+    test "returns the user with the given id" do
+      %{id: id} = user = user_fixture()
+      assert %User{id: ^id} = Accounts.get_user!(user.id)
+    end
+  end
+
+  describe "register_user/1" do
+    test "requires email to be set" do
+      {:error, changeset} = Accounts.register_user(%{})
+
+      assert %{email: ["can't be blank"]} = errors_on(changeset)
+    end
+
+    test "validates email when given" do
+      {:error, changeset} = Accounts.register_user(%{email: "not valid"})
+
+      assert %{email: ["must have the @ sign and no spaces"]} = errors_on(changeset)
+    end
+
+    test "validates maximum values for email for security" do
+      too_long = String.duplicate("db", 100)
+      {:error, changeset} = Accounts.register_user(%{email: too_long})
+      assert "should be at most 160 character(s)" in errors_on(changeset).email
+    end
+
+    test "validates email uniqueness" do
+      %{email: email} = user_fixture()
+      {:error, changeset} = Accounts.register_user(%{email: email})
+      assert "has already been taken" in errors_on(changeset).email
+
+      # Now try with the uppercased email too, to check that email case is ignored.
+      {:error, changeset} = Accounts.register_user(%{email: String.upcase(email)})
+      assert "has already been taken" in errors_on(changeset).email
+    end
+
+    test "registers users without password" do
+      email = unique_user_email()
+      {:ok, user} = Accounts.register_user(valid_user_attributes(email: email))
+      assert user.email == email
+      assert is_nil(user.hashed_password)
+      assert is_nil(user.confirmed_at)
+      assert is_nil(user.password)
+    end
+  end
+
+  describe "sudo_mode?/2" do
+    test "validates the authenticated_at time" do
+      now = DateTime.utc_now()
+
+      assert Accounts.sudo_mode?(%User{authenticated_at: DateTime.utc_now()})
+      assert Accounts.sudo_mode?(%User{authenticated_at: DateTime.add(now, -19, :minute)})
+      refute Accounts.sudo_mode?(%User{authenticated_at: DateTime.add(now, -21, :minute)})
+
+      # minute override
+      refute Accounts.sudo_mode?(
+               %User{authenticated_at: DateTime.add(now, -11, :minute)},
+               -10
+             )
+
+      # not authenticated
+      refute Accounts.sudo_mode?(%User{})
+    end
+  end
+
+  describe "change_user_email/3" do
+    test "returns a user changeset" do
+      assert %Ecto.Changeset{} = changeset = Accounts.change_user_email(%User{})
+      assert changeset.required == [:email]
+    end
+  end
+
+  describe "deliver_user_update_email_instructions/3" do
+    setup do
+      %{user: user_fixture()}
+    end
+
+    test "sends token through notification", %{user: user} do
+      token =
+        extract_user_token(fn url ->
+          Accounts.deliver_user_update_email_instructions(user, "current@example.com", url)
+        end)
+
+      {:ok, token} = Base.url_decode64(token, padding: false)
+      assert user_token = Repo.get_by(UserToken, token: :crypto.hash(:sha256, token))
+      assert user_token.user_id == user.id
+      assert user_token.sent_to == user.email
+      assert user_token.context == "change:current@example.com"
+    end
+  end
+
+  describe "update_user_email/2" do
+    setup do
+      user = unconfirmed_user_fixture()
+      email = unique_user_email()
+
+      token =
+        extract_user_token(fn url ->
+          Accounts.deliver_user_update_email_instructions(%{user | email: email}, user.email, url)
+        end)
+
+      %{user: user, token: token, email: email}
+    end
+
+    test "updates the email with a valid token", %{user: user, token: token, email: email} do
+      assert {:ok, %{email: ^email}} = Accounts.update_user_email(user, token)
+      changed_user = Repo.get!(User, user.id)
+      assert changed_user.email != user.email
+      assert changed_user.email == email
+      refute Repo.get_by(UserToken, user_id: user.id)
+    end
+
+    test "does not update email with invalid token", %{user: user} do
+      assert Accounts.update_user_email(user, "oops") ==
+               {:error, :transaction_aborted}
+
+      assert Repo.get!(User, user.id).email == user.email
+      assert Repo.get_by(UserToken, user_id: user.id)
+    end
+
+    test "does not update email if user email changed", %{user: user, token: token} do
+      assert Accounts.update_user_email(%{user | email: "current@example.com"}, token) ==
+               {:error, :transaction_aborted}
+
+      assert Repo.get!(User, user.id).email == user.email
+      assert Repo.get_by(UserToken, user_id: user.id)
+    end
+
+    test "does not update email if token expired", %{user: user, token: token} do
+      {1, nil} = Repo.update_all(UserToken, set: [inserted_at: ~N[2020-01-01 00:00:00]])
+
+      assert Accounts.update_user_email(user, token) ==
+               {:error, :transaction_aborted}
+
+      assert Repo.get!(User, user.id).email == user.email
+      assert Repo.get_by(UserToken, user_id: user.id)
+    end
+  end
+
+  describe "change_user_password/3" do
+    test "returns a user changeset" do
+      assert %Ecto.Changeset{} = changeset = Accounts.change_user_password(%User{})
+      assert changeset.required == [:password]
+    end
+
+    test "allows fields to be set" do
+      changeset =
+        Accounts.change_user_password(
+          %User{},
+          %{
+            "password" => "new valid password"
+          },
+          hash_password: false
+        )
+
+      assert changeset.valid?
+      assert get_change(changeset, :password) == "new valid password"
+      assert is_nil(get_change(changeset, :hashed_password))
+    end
+  end
+
+  describe "update_user_password/2" do
+    setup do
+      %{user: user_fixture()}
+    end
+
+    test "validates password", %{user: user} do
+      {:error, changeset} =
+        Accounts.update_user_password(user, %{
+          password: "not valid",
+          password_confirmation: "another"
+        })
+
+      assert %{
+               password: ["should be at least 12 character(s)"],
+               password_confirmation: ["does not match password"]
+             } = errors_on(changeset)
+    end
+
+    test "validates maximum values for password for security", %{user: user} do
+      too_long = String.duplicate("db", 100)
+
+      {:error, changeset} =
+        Accounts.update_user_password(user, %{password: too_long})
+
+      assert "should be at most 72 character(s)" in errors_on(changeset).password
+    end
+
+    test "updates the password", %{user: user} do
+      {:ok, {user, expired_tokens}} =
+        Accounts.update_user_password(user, %{
+          password: "new valid password"
+        })
+
+      assert expired_tokens == []
+      assert is_nil(user.password)
+      assert Accounts.get_user_by_email_and_password(user.email, "new valid password")
+    end
+
+    test "deletes all tokens for the given user", %{user: user} do
+      _ = Accounts.generate_user_session_token(user)
+
+      {:ok, {_, _}} =
+        Accounts.update_user_password(user, %{
+          password: "new valid password"
+        })
+
+      refute Repo.get_by(UserToken, user_id: user.id)
+    end
+  end
+
+  describe "generate_user_session_token/1" do
+    setup do
+      %{user: user_fixture()}
+    end
+
+    test "generates a token", %{user: user} do
+      token = Accounts.generate_user_session_token(user)
+      assert user_token = Repo.get_by(UserToken, token: token)
+      assert user_token.context == "session"
+      assert user_token.authenticated_at != nil
+
+      # Creating the same token for another user should fail
+      assert_raise Ecto.ConstraintError, fn ->
+        Repo.insert!(%UserToken{
+          token: user_token.token,
+          user_id: user_fixture().id,
+          context: "session"
+        })
+      end
+    end
+
+    test "duplicates the authenticated_at of given user in new token", %{user: user} do
+      user = %{user | authenticated_at: DateTime.add(DateTime.utc_now(:second), -3600)}
+      token = Accounts.generate_user_session_token(user)
+      assert user_token = Repo.get_by(UserToken, token: token)
+      assert user_token.authenticated_at == user.authenticated_at
+      assert DateTime.compare(user_token.inserted_at, user.authenticated_at) == :gt
+    end
+  end
+
+  describe "get_user_by_session_token/1" do
+    setup do
+      user = user_fixture()
+      token = Accounts.generate_user_session_token(user)
+      %{user: user, token: token}
+    end
+
+    test "returns user by token", %{user: user, token: token} do
+      assert {session_user, token_inserted_at} = Accounts.get_user_by_session_token(token)
+      assert session_user.id == user.id
+      assert session_user.authenticated_at != nil
+      assert token_inserted_at != nil
+    end
+
+    test "does not return user for invalid token" do
+      refute Accounts.get_user_by_session_token("oops")
+    end
+
+    test "does not return user for expired token", %{token: token} do
+      dt = ~N[2020-01-01 00:00:00]
+      {1, nil} = Repo.update_all(UserToken, set: [inserted_at: dt, authenticated_at: dt])
+      refute Accounts.get_user_by_session_token(token)
+    end
+  end
+
+  describe "get_user_by_magic_link_token/1" do
+    setup do
+      user = user_fixture()
+      {encoded_token, _hashed_token} = generate_user_magic_link_token(user)
+      %{user: user, token: encoded_token}
+    end
+
+    test "returns user by token", %{user: user, token: token} do
+      assert session_user = Accounts.get_user_by_magic_link_token(token)
+      assert session_user.id == user.id
+    end
+
+    test "does not return user for invalid token" do
+      refute Accounts.get_user_by_magic_link_token("oops")
+    end
+
+    test "does not return user for expired token", %{token: token} do
+      {1, nil} = Repo.update_all(UserToken, set: [inserted_at: ~N[2020-01-01 00:00:00]])
+      refute Accounts.get_user_by_magic_link_token(token)
+    end
+  end
+
+  describe "login_user_by_magic_link/1" do
+    test "confirms user and expires tokens" do
+      user = unconfirmed_user_fixture()
+      refute user.confirmed_at
+      {encoded_token, hashed_token} = generate_user_magic_link_token(user)
+
+      assert {:ok, {user, [%{token: ^hashed_token}]}} =
+               Accounts.login_user_by_magic_link(encoded_token)
+
+      assert user.confirmed_at
+    end
+
+    test "returns user and (deleted) token for confirmed user" do
+      user = user_fixture()
+      assert user.confirmed_at
+      {encoded_token, _hashed_token} = generate_user_magic_link_token(user)
+      assert {:ok, {^user, []}} = Accounts.login_user_by_magic_link(encoded_token)
+      # one time use only
+      assert {:error, :not_found} = Accounts.login_user_by_magic_link(encoded_token)
+    end
+
+    test "raises when unconfirmed user has password set" do
+      user = unconfirmed_user_fixture()
+      {1, nil} = Repo.update_all(User, set: [hashed_password: "hashed"])
+      {encoded_token, _hashed_token} = generate_user_magic_link_token(user)
+
+      assert_raise RuntimeError, ~r/magic link log in is not allowed/, fn ->
+        Accounts.login_user_by_magic_link(encoded_token)
+      end
+    end
+  end
+
+  describe "delete_user_session_token/1" do
+    test "deletes the token" do
+      user = user_fixture()
+      token = Accounts.generate_user_session_token(user)
+      assert Accounts.delete_user_session_token(token) == :ok
+      refute Accounts.get_user_by_session_token(token)
+    end
+  end
+
+  describe "deliver_login_instructions/2" do
+    setup do
+      %{user: unconfirmed_user_fixture()}
+    end
+
+    test "sends token through notification", %{user: user} do
+      token =
+        extract_user_token(fn url ->
+          Accounts.deliver_login_instructions(user, url)
+        end)
+
+      {:ok, token} = Base.url_decode64(token, padding: false)
+      assert user_token = Repo.get_by(UserToken, token: :crypto.hash(:sha256, token))
+      assert user_token.user_id == user.id
+      assert user_token.sent_to == user.email
+      assert user_token.context == "login"
+    end
+  end
+
+  describe "inspect/2 for the User module" do
+    test "does not include password" do
+      refute inspect(%User{password: "123456"}) =~ "password: \"123456\""
+    end
+  end
+end

app/test/firehose_web/controllers/blog_controller_test.exs

@@ -0,0 +1,73 @@
+defmodule FirehoseWeb.BlogControllerTest do
+  use FirehoseWeb.ConnCase, async: false
+
+  describe "GET /blog/:blog_id (index) - date filtering" do
+    test "does not show future-dated posts", %{conn: conn} do
+      conn = get(conn, ~p"/blog/engineering")
+      html = html_response(conn, 200)
+      refute html =~ "Future Test Post"
+    end
+  end
+
+  describe "GET /blog/:blog_id/:slug (show) - date filtering" do
+    test "still shows a future-dated post by slug", %{conn: conn} do
+      conn = get(conn, ~p"/blog/engineering/future-test-post")
+      assert html_response(conn, 200) =~ "Future Test Post"
+    end
+  end
+
+  describe "GET /blog/:blog_id/tag/:tag - date filtering" do
+    test "excludes future-dated posts from tag page", %{conn: conn} do
+      conn = get(conn, ~p"/blog/engineering/tag/test")
+      html = html_response(conn, 200)
+      refute html =~ "Future Test Post"
+    end
+  end
+
+  describe "GET /blog/:blog_id/:slug - status banners" do
+    setup :register_and_log_in_user
+
+    test "authenticated user sees draft banner on draft post", %{conn: conn} do
+      conn = get(conn, ~p"/blog/engineering/hello-world")
+
+      assert html_response(conn, 200) =~ "Draft"
+      assert conn.resp_body =~ "not published"
+    end
+
+    test "authenticated user sees scheduled banner on future post", %{conn: conn} do
+      conn = get(conn, ~p"/blog/engineering/future-test-post")
+
+      response = html_response(conn, 200)
+      assert response =~ "scheduled for"
+      assert response =~ "January 01, 2099"
+    end
+
+    test "authenticated user sees no banner on live post", %{conn: conn} do
+      conn = get(conn, ~p"/blog/engineering/why-firehose")
+
+      response = html_response(conn, 200)
+      refute response =~ "Draft"
+      refute response =~ "scheduled for"
+    end
+  end
+
+  describe "GET /blog/:blog_id/:slug - no banners for unauthenticated" do
+    test "unauthenticated user sees no banner on draft post", %{conn: conn} do
+      response =
+        conn
+        |> get(~p"/blog/engineering/hello-world")
+        |> html_response(200)
+
+      refute response =~ "post-status-banner"
+    end
+
+    test "unauthenticated user sees no banner on future post", %{conn: conn} do
+      response =
+        conn
+        |> get(~p"/blog/engineering/future-test-post")
+        |> html_response(200)
+
+      refute response =~ "post-status-banner"
+    end
+  end
+end

app/test/firehose_web/controllers/user_registration_controller_test.exs

@@ -0,0 +1,80 @@
+defmodule FirehoseWeb.UserRegistrationControllerTest do
+  use FirehoseWeb.ConnCase, async: true
+
+  import Firehose.AccountsFixtures
+
+  describe "GET /users/register" do
+    test "renders registration page", %{conn: conn} do
+      conn = get(conn, ~p"/users/register")
+      response = html_response(conn, 200)
+      assert response =~ "Register"
+      assert response =~ ~p"/users/log-in"
+      assert response =~ ~p"/users/register"
+    end
+
+    test "redirects if already logged in", %{conn: conn} do
+      conn = conn |> log_in_user(user_fixture()) |> get(~p"/users/register")
+
+      assert redirected_to(conn) == ~p"/"
+    end
+  end
+
+  describe "POST /users/register" do
+    @tag :capture_log
+    test "creates account but does not log in", %{conn: conn} do
+      email = unique_user_email()
+      Application.put_env(:firehose, :allowed_registration_email, email)
+      on_exit(fn -> Application.delete_env(:firehose, :allowed_registration_email) end)
+
+      conn =
+        post(conn, ~p"/users/register", %{
+          "user" => valid_user_attributes(email: email)
+        })
+
+      refute get_session(conn, :user_token)
+      assert redirected_to(conn) == ~p"/users/log-in"
+
+      assert conn.assigns.flash["info"] =~
+               ~r/An email was sent to .*, please access it to confirm your account/
+    end
+
+    test "render errors for invalid data", %{conn: conn} do
+      Application.put_env(:firehose, :allowed_registration_email, "with spaces")
+      on_exit(fn -> Application.delete_env(:firehose, :allowed_registration_email) end)
+
+      conn =
+        post(conn, ~p"/users/register", %{
+          "user" => %{"email" => "with spaces"}
+        })
+
+      response = html_response(conn, 200)
+      assert response =~ "Register"
+      assert response =~ "must have the @ sign and no spaces"
+    end
+  end
+
+  describe "POST /users/register with email gating" do
+    test "succeeds when email matches ALLOWED_REGISTRATION_EMAIL", %{conn: conn} do
+      Application.put_env(:firehose, :allowed_registration_email, "allowed@example.com")
+      on_exit(fn -> Application.delete_env(:firehose, :allowed_registration_email) end)
+
+      conn = post(conn, ~p"/users/register", %{"user" => %{"email" => "allowed@example.com"}})
+      assert Phoenix.Flash.get(conn.assigns.flash, :info) =~ "email was sent"
+    end
+
+    test "fails with invite-only message when email doesn't match", %{conn: conn} do
+      Application.put_env(:firehose, :allowed_registration_email, "allowed@example.com")
+      on_exit(fn -> Application.delete_env(:firehose, :allowed_registration_email) end)
+
+      conn = post(conn, ~p"/users/register", %{"user" => %{"email" => "other@example.com"}})
+      assert html_response(conn, 200) =~ "registration is invite only"
+    end
+
+    test "fails with invite-only message when env var is unset", %{conn: conn} do
+      Application.delete_env(:firehose, :allowed_registration_email)
+
+      conn = post(conn, ~p"/users/register", %{"user" => %{"email" => "anyone@example.com"}})
+      assert html_response(conn, 200) =~ "registration is invite only"
+    end
+  end
+end

app/test/firehose_web/controllers/user_session_controller_test.exs

@@ -0,0 +1,199 @@
+defmodule FirehoseWeb.UserSessionControllerTest do
+  use FirehoseWeb.ConnCase, async: true
+
+  import Firehose.AccountsFixtures
+  alias Firehose.Accounts
+
+  setup do
+    %{unconfirmed_user: unconfirmed_user_fixture(), user: user_fixture()}
+  end
+
+  describe "GET /users/log-in" do
+    test "renders login page", %{conn: conn} do
+      conn = get(conn, ~p"/users/log-in")
+      response = html_response(conn, 200)
+      assert response =~ "Log in"
+      assert response =~ ~p"/users/register"
+      assert response =~ "Log in with email"
+    end
+
+    test "renders login page with email filled in (sudo mode)", %{conn: conn, user: user} do
+      html =
+        conn
+        |> log_in_user(user)
+        |> get(~p"/users/log-in")
+        |> html_response(200)
+
+      assert html =~ "You need to reauthenticate"
+      refute html =~ "Register"
+      assert html =~ "Log in with email"
+
+      assert html =~
+               ~s(<input type="email" name="user[email]" id="login_form_magic_email" value="#{user.email}")
+    end
+
+    test "renders login page (email + password)", %{conn: conn} do
+      conn = get(conn, ~p"/users/log-in?mode=password")
+      response = html_response(conn, 200)
+      assert response =~ "Log in"
+      assert response =~ ~p"/users/register"
+      assert response =~ "Log in with email"
+    end
+  end
+
+  describe "GET /users/log-in/:token" do
+    test "renders confirmation page for unconfirmed user", %{conn: conn, unconfirmed_user: user} do
+      token =
+        extract_user_token(fn url ->
+          Accounts.deliver_login_instructions(user, url)
+        end)
+
+      conn = get(conn, ~p"/users/log-in/#{token}")
+      assert html_response(conn, 200) =~ "Confirm and stay logged in"
+    end
+
+    test "renders login page for confirmed user", %{conn: conn, user: user} do
+      token =
+        extract_user_token(fn url ->
+          Accounts.deliver_login_instructions(user, url)
+        end)
+
+      conn = get(conn, ~p"/users/log-in/#{token}")
+      html = html_response(conn, 200)
+      refute html =~ "Confirm my account"
+      assert html =~ "Keep me logged in on this device"
+    end
+
+    test "raises error for invalid token", %{conn: conn} do
+      conn = get(conn, ~p"/users/log-in/invalid-token")
+      assert redirected_to(conn) == ~p"/users/log-in"
+
+      assert Phoenix.Flash.get(conn.assigns.flash, :error) ==
+               "Magic link is invalid or it has expired."
+    end
+  end
+
+  describe "POST /users/log-in - email and password" do
+    test "logs the user in", %{conn: conn, user: user} do
+      user = set_password(user)
+
+      conn =
+        post(conn, ~p"/users/log-in", %{
+          "user" => %{"email" => user.email, "password" => valid_user_password()}
+        })
+
+      assert get_session(conn, :user_token)
+      assert redirected_to(conn) == ~p"/"
+    end
+
+    test "logs the user in with remember me", %{conn: conn, user: user} do
+      user = set_password(user)
+
+      conn =
+        post(conn, ~p"/users/log-in", %{
+          "user" => %{
+            "email" => user.email,
+            "password" => valid_user_password(),
+            "remember_me" => "true"
+          }
+        })
+
+      assert conn.resp_cookies["_firehose_web_user_remember_me"]
+      assert redirected_to(conn) == ~p"/"
+    end
+
+    test "logs the user in with return to", %{conn: conn, user: user} do
+      user = set_password(user)
+
+      conn =
+        conn
+        |> init_test_session(user_return_to: "/foo/bar")
+        |> post(~p"/users/log-in", %{
+          "user" => %{
+            "email" => user.email,
+            "password" => valid_user_password()
+          }
+        })
+
+      assert redirected_to(conn) == "/foo/bar"
+      assert Phoenix.Flash.get(conn.assigns.flash, :info) =~ "Welcome back!"
+    end
+
+    test "emits error message with invalid credentials", %{conn: conn, user: user} do
+      conn =
+        post(conn, ~p"/users/log-in?mode=password", %{
+          "user" => %{"email" => user.email, "password" => "invalid_password"}
+        })
+
+      response = html_response(conn, 200)
+      assert response =~ "Log in"
+      assert response =~ "Invalid email or password"
+    end
+  end
+
+  describe "POST /users/log-in - magic link" do
+    test "sends magic link email when user exists", %{conn: conn, user: user} do
+      conn =
+        post(conn, ~p"/users/log-in", %{
+          "user" => %{"email" => user.email}
+        })
+
+      assert Phoenix.Flash.get(conn.assigns.flash, :info) =~ "If your email is in our system"
+      assert Firehose.Repo.get_by!(Accounts.UserToken, user_id: user.id).context == "login"
+    end
+
+    test "logs the user in", %{conn: conn, user: user} do
+      {token, _hashed_token} = generate_user_magic_link_token(user)
+
+      conn =
+        post(conn, ~p"/users/log-in", %{
+          "user" => %{"token" => token}
+        })
+
+      assert get_session(conn, :user_token)
+      assert redirected_to(conn) == ~p"/"
+    end
+
+    test "confirms unconfirmed user", %{conn: conn, unconfirmed_user: user} do
+      {token, _hashed_token} = generate_user_magic_link_token(user)
+      refute user.confirmed_at
+
+      conn =
+        post(conn, ~p"/users/log-in", %{
+          "user" => %{"token" => token},
+          "_action" => "confirmed"
+        })
+
+      assert get_session(conn, :user_token)
+      assert redirected_to(conn) == ~p"/"
+      assert Phoenix.Flash.get(conn.assigns.flash, :info) =~ "User confirmed successfully."
+
+      assert Accounts.get_user!(user.id).confirmed_at
+    end
+
+    test "emits error message when magic link is invalid", %{conn: conn} do
+      conn =
+        post(conn, ~p"/users/log-in", %{
+          "user" => %{"token" => "invalid"}
+        })
+
+      assert html_response(conn, 200) =~ "The link is invalid or it has expired."
+    end
+  end
+
+  describe "DELETE /users/log-out" do
+    test "logs the user out", %{conn: conn, user: user} do
+      conn = conn |> log_in_user(user) |> delete(~p"/users/log-out")
+      assert redirected_to(conn) == ~p"/"
+      refute get_session(conn, :user_token)
+      assert Phoenix.Flash.get(conn.assigns.flash, :info) =~ "Logged out successfully"
+    end
+
+    test "succeeds even if the user is not logged in", %{conn: conn} do
+      conn = delete(conn, ~p"/users/log-out")
+      assert redirected_to(conn) == ~p"/"
+      refute get_session(conn, :user_token)
+      assert Phoenix.Flash.get(conn.assigns.flash, :info) =~ "Logged out successfully"
+    end
+  end
+end

app/test/firehose_web/controllers/user_settings_controller_test.exs

@@ -0,0 +1,148 @@
+defmodule FirehoseWeb.UserSettingsControllerTest do
+  use FirehoseWeb.ConnCase, async: true
+
+  alias Firehose.Accounts
+  import Firehose.AccountsFixtures
+
+  setup :register_and_log_in_user
+
+  describe "GET /users/settings" do
+    test "renders settings page", %{conn: conn} do
+      conn = get(conn, ~p"/users/settings")
+      response = html_response(conn, 200)
+      assert response =~ "Settings"
+    end
+
+    test "redirects if user is not logged in" do
+      conn = build_conn()
+      conn = get(conn, ~p"/users/settings")
+      assert redirected_to(conn) == ~p"/users/log-in"
+    end
+
+    @tag token_authenticated_at: DateTime.add(DateTime.utc_now(:second), -11, :minute)
+    test "redirects if user is not in sudo mode", %{conn: conn} do
+      conn = get(conn, ~p"/users/settings")
+      assert redirected_to(conn) == ~p"/users/log-in"
+
+      assert Phoenix.Flash.get(conn.assigns.flash, :error) ==
+               "You must re-authenticate to access this page."
+    end
+  end
+
+  describe "PUT /users/settings (change password form)" do
+    test "updates the user password and resets tokens", %{conn: conn, user: user} do
+      new_password_conn =
+        put(conn, ~p"/users/settings", %{
+          "action" => "update_password",
+          "user" => %{
+            "password" => "new valid password",
+            "password_confirmation" => "new valid password"
+          }
+        })
+
+      assert redirected_to(new_password_conn) == ~p"/users/settings"
+
+      assert get_session(new_password_conn, :user_token) != get_session(conn, :user_token)
+
+      assert Phoenix.Flash.get(new_password_conn.assigns.flash, :info) =~
+               "Password updated successfully"
+
+      assert Accounts.get_user_by_email_and_password(user.email, "new valid password")
+    end
+
+    test "does not update password on invalid data", %{conn: conn} do
+      old_password_conn =
+        put(conn, ~p"/users/settings", %{
+          "action" => "update_password",
+          "user" => %{
+            "password" => "too short",
+            "password_confirmation" => "does not match"
+          }
+        })
+
+      response = html_response(old_password_conn, 200)
+      assert response =~ "Settings"
+      assert response =~ "should be at least 12 character(s)"
+      assert response =~ "does not match password"
+
+      assert get_session(old_password_conn, :user_token) == get_session(conn, :user_token)
+    end
+  end
+
+  describe "PUT /users/settings (change email form)" do
+    @tag :capture_log
+    test "updates the user email", %{conn: conn, user: user} do
+      conn =
+        put(conn, ~p"/users/settings", %{
+          "action" => "update_email",
+          "user" => %{"email" => unique_user_email()}
+        })
+
+      assert redirected_to(conn) == ~p"/users/settings"
+
+      assert Phoenix.Flash.get(conn.assigns.flash, :info) =~
+               "A link to confirm your email"
+
+      assert Accounts.get_user_by_email(user.email)
+    end
+
+    test "does not update email on invalid data", %{conn: conn} do
+      conn =
+        put(conn, ~p"/users/settings", %{
+          "action" => "update_email",
+          "user" => %{"email" => "with spaces"}
+        })
+
+      response = html_response(conn, 200)
+      assert response =~ "Settings"
+      assert response =~ "must have the @ sign and no spaces"
+    end
+  end
+
+  describe "GET /users/settings/confirm-email/:token" do
+    setup %{user: user} do
+      email = unique_user_email()
+
+      token =
+        extract_user_token(fn url ->
+          Accounts.deliver_user_update_email_instructions(%{user | email: email}, user.email, url)
+        end)
+
+      %{token: token, email: email}
+    end
+
+    test "updates the user email once", %{conn: conn, user: user, token: token, email: email} do
+      conn = get(conn, ~p"/users/settings/confirm-email/#{token}")
+      assert redirected_to(conn) == ~p"/users/settings"
+
+      assert Phoenix.Flash.get(conn.assigns.flash, :info) =~
+               "Email changed successfully"
+
+      refute Accounts.get_user_by_email(user.email)
+      assert Accounts.get_user_by_email(email)
+
+      conn = get(conn, ~p"/users/settings/confirm-email/#{token}")
+
+      assert redirected_to(conn) == ~p"/users/settings"
+
+      assert Phoenix.Flash.get(conn.assigns.flash, :error) =~
+               "Email change link is invalid or it has expired"
+    end
+
+    test "does not update email with invalid token", %{conn: conn, user: user} do
+      conn = get(conn, ~p"/users/settings/confirm-email/oops")
+      assert redirected_to(conn) == ~p"/users/settings"
+
+      assert Phoenix.Flash.get(conn.assigns.flash, :error) =~
+               "Email change link is invalid or it has expired"
+
+      assert Accounts.get_user_by_email(user.email)
+    end
+
+    test "redirects if user is not logged in", %{token: token} do
+      conn = build_conn()
+      conn = get(conn, ~p"/users/settings/confirm-email/#{token}")
+      assert redirected_to(conn) == ~p"/users/log-in"
+    end
+  end
+end

app/test/firehose_web/live/editor_dashboard_live_test.exs

@@ -0,0 +1,88 @@
+defmodule FirehoseWeb.EditorDashboardLiveTest do
+  use FirehoseWeb.ConnCase, async: true
+
+  import Phoenix.LiveViewTest
+
+  setup do
+    posts = [
+      %Blogex.Post{
+        id: "live-post",
+        title: "Live Post",
+        author: "Test Author",
+        body: "<p>Body</p>",
+        description: "A live post",
+        date: ~D[2020-01-01],
+        published: true,
+        blog: :test_blog,
+        tags: []
+      },
+      %Blogex.Post{
+        id: "draft-post",
+        title: "Draft Post",
+        author: "Test Author",
+        body: "<p>Body</p>",
+        description: "A draft post",
+        date: ~D[2026-03-12],
+        published: false,
+        blog: :test_blog,
+        tags: []
+      },
+      %Blogex.Post{
+        id: "scheduled-post",
+        title: "Scheduled Post",
+        author: "Test Author",
+        body: "<p>Body</p>",
+        description: "A scheduled post",
+        date: ~D[2099-06-15],
+        published: true,
+        blog: :test_blog,
+        tags: ["future"]
+      }
+    ]
+
+    {:ok, _} =
+      Firehose.Test.FakeBlog.start(posts,
+        blog_id: :test_blog,
+        title: "Test Blog",
+        base_path: "/blog/test"
+      )
+
+    Application.put_env(:blogex, :blogs, [Firehose.Test.FakeBlog])
+    on_exit(fn -> Application.delete_env(:blogex, :blogs) end)
+
+    :ok
+  end
+
+  describe "unauthenticated" do
+    test "redirects to login", %{conn: conn} do
+      assert {:error, redirect} = live(conn, ~p"/editor/dashboard")
+      assert {:redirect, %{to: to}} = redirect
+      assert to =~ "/users/log-in"
+    end
+  end
+
+  describe "authenticated" do
+    setup :register_and_log_in_user
+
+    test "renders the dashboard", %{conn: conn} do
+      {:ok, _view, html} = live(conn, ~p"/editor/dashboard")
+      assert html =~ "Dashboard"
+    end
+
+    test "shows draft posts", %{conn: conn} do
+      {:ok, _view, html} = live(conn, ~p"/editor/dashboard")
+      assert html =~ "Draft Post"
+    end
+
+    test "shows scheduled posts with days until live", %{conn: conn} do
+      {:ok, _view, html} = live(conn, ~p"/editor/dashboard")
+      assert html =~ "Scheduled Post"
+      assert html =~ "days"
+    end
+
+    test "does not show live posts", %{conn: conn} do
+      {:ok, _view, html} = live(conn, ~p"/editor/dashboard")
+      refute html =~ "Live Post"
+    end
+  end
+end

app/test/firehose_web/user_auth_test.exs

@@ -0,0 +1,293 @@
+defmodule FirehoseWeb.UserAuthTest do
+  use FirehoseWeb.ConnCase, async: true
+
+  alias Firehose.Accounts
+  alias Firehose.Accounts.Scope
+  alias FirehoseWeb.UserAuth
+
+  import Firehose.AccountsFixtures
+
+  @remember_me_cookie "_firehose_web_user_remember_me"
+  @remember_me_cookie_max_age 60 * 60 * 24 * 14
+
+  setup %{conn: conn} do
+    conn =
+      conn
+      |> Map.replace!(:secret_key_base, FirehoseWeb.Endpoint.config(:secret_key_base))
+      |> init_test_session(%{})
+
+    %{user: %{user_fixture() | authenticated_at: DateTime.utc_now(:second)}, conn: conn}
+  end
+
+  describe "log_in_user/3" do
+    test "stores the user token in the session", %{conn: conn, user: user} do
+      conn = UserAuth.log_in_user(conn, user)
+      assert token = get_session(conn, :user_token)
+      assert redirected_to(conn) == ~p"/"
+      assert Accounts.get_user_by_session_token(token)
+    end
+
+    test "clears everything previously stored in the session", %{conn: conn, user: user} do
+      conn = conn |> put_session(:to_be_removed, "value") |> UserAuth.log_in_user(user)
+      refute get_session(conn, :to_be_removed)
+    end
+
+    test "keeps session when re-authenticating", %{conn: conn, user: user} do
+      conn =
+        conn
+        |> assign(:current_scope, Scope.for_user(user))
+        |> put_session(:to_be_removed, "value")
+        |> UserAuth.log_in_user(user)
+
+      assert get_session(conn, :to_be_removed)
+    end
+
+    test "clears session when user does not match when re-authenticating", %{
+      conn: conn,
+      user: user
+    } do
+      other_user = user_fixture()
+
+      conn =
+        conn
+        |> assign(:current_scope, Scope.for_user(other_user))
+        |> put_session(:to_be_removed, "value")
+        |> UserAuth.log_in_user(user)
+
+      refute get_session(conn, :to_be_removed)
+    end
+
+    test "redirects to the configured path", %{conn: conn, user: user} do
+      conn = conn |> put_session(:user_return_to, "/hello") |> UserAuth.log_in_user(user)
+      assert redirected_to(conn) == "/hello"
+    end
+
+    test "writes a cookie if remember_me is configured", %{conn: conn, user: user} do
+      conn = conn |> fetch_cookies() |> UserAuth.log_in_user(user, %{"remember_me" => "true"})
+      assert get_session(conn, :user_token) == conn.cookies[@remember_me_cookie]
+      assert get_session(conn, :user_remember_me) == true
+
+      assert %{value: signed_token, max_age: max_age} = conn.resp_cookies[@remember_me_cookie]
+      assert signed_token != get_session(conn, :user_token)
+      assert max_age == @remember_me_cookie_max_age
+    end
+
+    test "writes a cookie if remember_me was set in previous session", %{conn: conn, user: user} do
+      conn = conn |> fetch_cookies() |> UserAuth.log_in_user(user, %{"remember_me" => "true"})
+      assert get_session(conn, :user_token) == conn.cookies[@remember_me_cookie]
+      assert get_session(conn, :user_remember_me) == true
+
+      conn =
+        conn
+        |> recycle()
+        |> Map.replace!(:secret_key_base, FirehoseWeb.Endpoint.config(:secret_key_base))
+        |> fetch_cookies()
+        |> init_test_session(%{user_remember_me: true})
+
+      # the conn is already logged in and has the remember_me cookie set,
+      # now we log in again and even without explicitly setting remember_me,
+      # the cookie should be set again
+      conn = conn |> UserAuth.log_in_user(user, %{})
+      assert %{value: signed_token, max_age: max_age} = conn.resp_cookies[@remember_me_cookie]
+      assert signed_token != get_session(conn, :user_token)
+      assert max_age == @remember_me_cookie_max_age
+      assert get_session(conn, :user_remember_me) == true
+    end
+  end
+
+  describe "logout_user/1" do
+    test "erases session and cookies", %{conn: conn, user: user} do
+      user_token = Accounts.generate_user_session_token(user)
+
+      conn =
+        conn
+        |> put_session(:user_token, user_token)
+        |> put_req_cookie(@remember_me_cookie, user_token)
+        |> fetch_cookies()
+        |> UserAuth.log_out_user()
+
+      refute get_session(conn, :user_token)
+      refute conn.cookies[@remember_me_cookie]
+      assert %{max_age: 0} = conn.resp_cookies[@remember_me_cookie]
+      assert redirected_to(conn) == ~p"/"
+      refute Accounts.get_user_by_session_token(user_token)
+    end
+
+    test "works even if user is already logged out", %{conn: conn} do
+      conn = conn |> fetch_cookies() |> UserAuth.log_out_user()
+      refute get_session(conn, :user_token)
+      assert %{max_age: 0} = conn.resp_cookies[@remember_me_cookie]
+      assert redirected_to(conn) == ~p"/"
+    end
+  end
+
+  describe "fetch_current_scope_for_user/2" do
+    test "authenticates user from session", %{conn: conn, user: user} do
+      user_token = Accounts.generate_user_session_token(user)
+
+      conn =
+        conn |> put_session(:user_token, user_token) |> UserAuth.fetch_current_scope_for_user([])
+
+      assert conn.assigns.current_scope.user.id == user.id
+      assert conn.assigns.current_scope.user.authenticated_at == user.authenticated_at
+      assert get_session(conn, :user_token) == user_token
+    end
+
+    test "authenticates user from cookies", %{conn: conn, user: user} do
+      logged_in_conn =
+        conn |> fetch_cookies() |> UserAuth.log_in_user(user, %{"remember_me" => "true"})
+
+      user_token = logged_in_conn.cookies[@remember_me_cookie]
+      %{value: signed_token} = logged_in_conn.resp_cookies[@remember_me_cookie]
+
+      conn =
+        conn
+        |> put_req_cookie(@remember_me_cookie, signed_token)
+        |> UserAuth.fetch_current_scope_for_user([])
+
+      assert conn.assigns.current_scope.user.id == user.id
+      assert conn.assigns.current_scope.user.authenticated_at == user.authenticated_at
+      assert get_session(conn, :user_token) == user_token
+      assert get_session(conn, :user_remember_me)
+    end
+
+    test "does not authenticate if data is missing", %{conn: conn, user: user} do
+      _ = Accounts.generate_user_session_token(user)
+      conn = UserAuth.fetch_current_scope_for_user(conn, [])
+      refute get_session(conn, :user_token)
+      refute conn.assigns.current_scope
+    end
+
+    test "reissues a new token after a few days and refreshes cookie", %{conn: conn, user: user} do
+      logged_in_conn =
+        conn |> fetch_cookies() |> UserAuth.log_in_user(user, %{"remember_me" => "true"})
+
+      token = logged_in_conn.cookies[@remember_me_cookie]
+      %{value: signed_token} = logged_in_conn.resp_cookies[@remember_me_cookie]
+
+      offset_user_token(token, -10, :day)
+      {user, _} = Accounts.get_user_by_session_token(token)
+
+      conn =
+        conn
+        |> put_session(:user_token, token)
+        |> put_session(:user_remember_me, true)
+        |> put_req_cookie(@remember_me_cookie, signed_token)
+        |> UserAuth.fetch_current_scope_for_user([])
+
+      assert conn.assigns.current_scope.user.id == user.id
+      assert conn.assigns.current_scope.user.authenticated_at == user.authenticated_at
+      assert new_token = get_session(conn, :user_token)
+      assert new_token != token
+      assert %{value: new_signed_token, max_age: max_age} = conn.resp_cookies[@remember_me_cookie]
+      assert new_signed_token != signed_token
+      assert max_age == @remember_me_cookie_max_age
+    end
+  end
+
+  describe "require_sudo_mode/2" do
+    test "allows users that have authenticated in the last 10 minutes", %{conn: conn, user: user} do
+      conn =
+        conn
+        |> fetch_flash()
+        |> assign(:current_scope, Scope.for_user(user))
+        |> UserAuth.require_sudo_mode([])
+
+      refute conn.halted
+      refute conn.status
+    end
+
+    test "redirects when authentication is too old", %{conn: conn, user: user} do
+      eleven_minutes_ago = DateTime.utc_now(:second) |> DateTime.add(-11, :minute)
+      user = %{user | authenticated_at: eleven_minutes_ago}
+      user_token = Accounts.generate_user_session_token(user)
+      {user, token_inserted_at} = Accounts.get_user_by_session_token(user_token)
+      assert DateTime.compare(token_inserted_at, user.authenticated_at) == :gt
+
+      conn =
+        conn
+        |> fetch_flash()
+        |> assign(:current_scope, Scope.for_user(user))
+        |> UserAuth.require_sudo_mode([])
+
+      assert redirected_to(conn) == ~p"/users/log-in"
+
+      assert Phoenix.Flash.get(conn.assigns.flash, :error) ==
+               "You must re-authenticate to access this page."
+    end
+  end
+
+  describe "redirect_if_user_is_authenticated/2" do
+    setup %{conn: conn} do
+      %{conn: UserAuth.fetch_current_scope_for_user(conn, [])}
+    end
+
+    test "redirects if user is authenticated", %{conn: conn, user: user} do
+      conn =
+        conn
+        |> assign(:current_scope, Scope.for_user(user))
+        |> UserAuth.redirect_if_user_is_authenticated([])
+
+      assert conn.halted
+      assert redirected_to(conn) == ~p"/"
+    end
+
+    test "does not redirect if user is not authenticated", %{conn: conn} do
+      conn = UserAuth.redirect_if_user_is_authenticated(conn, [])
+      refute conn.halted
+      refute conn.status
+    end
+  end
+
+  describe "require_authenticated_user/2" do
+    setup %{conn: conn} do
+      %{conn: UserAuth.fetch_current_scope_for_user(conn, [])}
+    end
+
+    test "redirects if user is not authenticated", %{conn: conn} do
+      conn = conn |> fetch_flash() |> UserAuth.require_authenticated_user([])
+      assert conn.halted
+
+      assert redirected_to(conn) == ~p"/users/log-in"
+
+      assert Phoenix.Flash.get(conn.assigns.flash, :error) ==
+               "You must log in to access this page."
+    end
+
+    test "stores the path to redirect to on GET", %{conn: conn} do
+      halted_conn =
+        %{conn | path_info: ["foo"], query_string: ""}
+        |> fetch_flash()
+        |> UserAuth.require_authenticated_user([])
+
+      assert halted_conn.halted
+      assert get_session(halted_conn, :user_return_to) == "/foo"
+
+      halted_conn =
+        %{conn | path_info: ["foo"], query_string: "bar=baz"}
+        |> fetch_flash()
+        |> UserAuth.require_authenticated_user([])
+
+      assert halted_conn.halted
+      assert get_session(halted_conn, :user_return_to) == "/foo?bar=baz"
+
+      halted_conn =
+        %{conn | path_info: ["foo"], query_string: "bar", method: "POST"}
+        |> fetch_flash()
+        |> UserAuth.require_authenticated_user([])
+
+      assert halted_conn.halted
+      refute get_session(halted_conn, :user_return_to)
+    end
+
+    test "does not redirect if user is authenticated", %{conn: conn, user: user} do
+      conn =
+        conn
+        |> assign(:current_scope, Scope.for_user(user))
+        |> UserAuth.require_authenticated_user([])
+
+      refute conn.halted
+      refute conn.status
+    end
+  end
+end

app/test/support/conn_case.ex

@@ -35,4 +35,45 @@ defmodule FirehoseWeb.ConnCase do
     Firehose.DataCase.setup_sandbox(tags)
     {:ok, conn: Phoenix.ConnTest.build_conn()}
   end
+
+  @doc """
+  Setup helper that registers and logs in users.
+
+      setup :register_and_log_in_user
+
+  It stores an updated connection and a registered user in the
+  test context.
+  """
+  def register_and_log_in_user(%{conn: conn} = context) do
+    user = Firehose.AccountsFixtures.user_fixture()
+    scope = Firehose.Accounts.Scope.for_user(user)
+
+    opts =
+      context
+      |> Map.take([:token_authenticated_at])
+      |> Enum.into([])
+
+    %{conn: log_in_user(conn, user, opts), user: user, scope: scope}
+  end
+
+  @doc """
+  Logs the given `user` into the `conn`.
+
+  It returns an updated `conn`.
+  """
+  def log_in_user(conn, user, opts \\ []) do
+    token = Firehose.Accounts.generate_user_session_token(user)
+
+    maybe_set_token_authenticated_at(token, opts[:token_authenticated_at])
+
+    conn
+    |> Phoenix.ConnTest.init_test_session(%{})
+    |> Plug.Conn.put_session(:user_token, token)
+  end
+
+  defp maybe_set_token_authenticated_at(_token, nil), do: nil
+
+  defp maybe_set_token_authenticated_at(token, authenticated_at) do
+    Firehose.AccountsFixtures.override_token_authenticated_at(token, authenticated_at)
+  end
 end

app/test/support/fake_blog.ex

@@ -0,0 +1,65 @@
+defmodule Firehose.Test.FakeBlog do
+  @moduledoc """
+  A test double that implements the blog module interface,
+  backed by an Agent so tests can control the post data.
+  """
+
+  use Agent
+
+  @defaults [
+    blog_id: :test_blog,
+    title: "Test Blog",
+    description: "A blog for tests",
+    base_path: "/blog/test"
+  ]
+
+  def start(posts \\ [], opts \\ []) do
+    opts = Keyword.merge(@defaults, opts)
+
+    state = %{
+      posts: posts,
+      blog_id: opts[:blog_id],
+      title: opts[:title],
+      description: opts[:description],
+      base_path: opts[:base_path]
+    }
+
+    case Agent.start(fn -> state end, name: __MODULE__) do
+      {:ok, pid} ->
+        {:ok, pid}
+
+      {:error, {:already_started, pid}} ->
+        Agent.update(__MODULE__, fn _ -> state end)
+        {:ok, pid}
+    end
+  end
+
+  defp get(key), do: Agent.get(__MODULE__, &Map.fetch!(&1, key))
+
+  def blog_id, do: get(:blog_id)
+  def title, do: get(:title)
+  def description, do: get(:description)
+  def base_path, do: get(:base_path)
+
+  def all_posts_unfiltered do
+    get(:posts)
+    |> Enum.sort_by(& &1.date, {:desc, Date})
+  end
+
+  def unfiltered_posts do
+    all_posts_unfiltered()
+  end
+
+  def all_posts do
+    get(:posts)
+    |> Enum.filter(& &1.published)
+    |> Enum.sort_by(& &1.date, {:desc, Date})
+  end
+
+  def all_tags do
+    all_posts()
+    |> Enum.flat_map(& &1.tags)
+    |> Enum.uniq()
+    |> Enum.sort()
+  end
+end

app/test/support/fixtures/accounts_fixtures.ex

@@ -0,0 +1,89 @@
+defmodule Firehose.AccountsFixtures do
+  @moduledoc """
+  This module defines test helpers for creating
+  entities via the `Firehose.Accounts` context.
+  """
+
+  import Ecto.Query
+
+  alias Firehose.Accounts
+  alias Firehose.Accounts.Scope
+
+  def unique_user_email, do: "user#{System.unique_integer()}@example.com"
+  def valid_user_password, do: "hello world!"
+
+  def valid_user_attributes(attrs \\ %{}) do
+    Enum.into(attrs, %{
+      email: unique_user_email()
+    })
+  end
+
+  def unconfirmed_user_fixture(attrs \\ %{}) do
+    {:ok, user} =
+      attrs
+      |> valid_user_attributes()
+      |> Accounts.register_user()
+
+    user
+  end
+
+  def user_fixture(attrs \\ %{}) do
+    user = unconfirmed_user_fixture(attrs)
+
+    token =
+      extract_user_token(fn url ->
+        Accounts.deliver_login_instructions(user, url)
+      end)
+
+    {:ok, {user, _expired_tokens}} =
+      Accounts.login_user_by_magic_link(token)
+
+    user
+  end
+
+  def user_scope_fixture do
+    user = user_fixture()
+    user_scope_fixture(user)
+  end
+
+  def user_scope_fixture(user) do
+    Scope.for_user(user)
+  end
+
+  def set_password(user) do
+    {:ok, {user, _expired_tokens}} =
+      Accounts.update_user_password(user, %{password: valid_user_password()})
+
+    user
+  end
+
+  def extract_user_token(fun) do
+    {:ok, captured_email} = fun.(&"[TOKEN]#{&1}[TOKEN]")
+    [_, token | _] = String.split(captured_email.text_body, "[TOKEN]")
+    token
+  end
+
+  def override_token_authenticated_at(token, authenticated_at) when is_binary(token) do
+    Firehose.Repo.update_all(
+      from(t in Accounts.UserToken,
+        where: t.token == ^token
+      ),
+      set: [authenticated_at: authenticated_at]
+    )
+  end
+
+  def generate_user_magic_link_token(user) do
+    {encoded_token, user_token} = Accounts.UserToken.build_email_token(user, "login")
+    Firehose.Repo.insert!(user_token)
+    {encoded_token, user_token.token}
+  end
+
+  def offset_user_token(token, amount_to_add, unit) do
+    dt = DateTime.add(DateTime.utc_now(:second), amount_to_add, unit)
+
+    Firehose.Repo.update_all(
+      from(ut in Accounts.UserToken, where: ut.token == ^token),
+      set: [inserted_at: dt, authenticated_at: dt]
+    )
+  end
+end

blogex/lib/blogex.ex

@@ -119,5 +119,6 @@ defmodule Blogex do
   defdelegate get_blog!(blog_id), to: Blogex.Registry
   defdelegate get_blog(blog_id), to: Blogex.Registry
   defdelegate all_posts, to: Blogex.Registry
+  defdelegate all_posts_unfiltered, to: Blogex.Registry
   defdelegate all_tags, to: Blogex.Registry
 end

blogex/lib/blogex/blog.ex

@@ -73,12 +73,17 @@ defmodule Blogex.Blog do
       @doc "Returns the base URL path for this blog."
       def base_path, do: @blog_base_path
 
+      @doc "Returns all compiled posts regardless of published status or date."
+      def unfiltered_posts, do: @posts
+
       @doc "Returns all visible posts, newest first. Drafts are included in dev/test."
       def all_posts do
+        today = Date.utc_today()
+
         if Blogex.show_drafts?() do
-          @posts
+          Enum.filter(@posts, &(not Date.after?(&1.date, today)))
         else
-          Enum.filter(@posts, & &1.published)
+          Enum.filter(@posts, &(&1.published and not Date.after?(&1.date, today)))
         end
       end
 
@@ -86,7 +91,12 @@ defmodule Blogex.Blog do
       def recent_posts(n \\ 5), do: Enum.take(all_posts(), n)
 
       @doc "Returns all unique tags across all published posts."
-      def all_tags, do: @tags
+      def all_tags do
+        all_posts()
+        |> Enum.flat_map(& &1.tags)
+        |> Enum.uniq()
+        |> Enum.sort()
+      end
 
       @doc "Returns all published posts matching the given tag."
       def posts_by_tag(tag) do
@@ -95,13 +105,13 @@ defmodule Blogex.Blog do
 
       @doc "Returns a single post by slug/id, or raises."
       def get_post!(id) do
-        Enum.find(all_posts(), &(&1.id == id)) ||
+        Enum.find(unfiltered_posts(), &(&1.id == id)) ||
           raise Blogex.NotFoundError, "post #{inspect(id)} not found in #{@blog_id}"
       end
 
       @doc "Returns a single post by slug/id, or nil."
       def get_post(id) do
-        Enum.find(all_posts(), &(&1.id == id))
+        Enum.find(unfiltered_posts(), &(&1.id == id))
       end
 
       @doc "Returns paginated posts. Page is 1-indexed."

blogex/lib/blogex/post.ex

@@ -44,6 +44,23 @@ defmodule Blogex.Post do
           published: boolean()
         }
 
+  @type visibility :: :draft | :scheduled | :live
+
+  @doc "Returns the visibility of a post: :draft, :scheduled, or :live."
+  def visibility(%__MODULE__{published: false}), do: :draft
+
+  def visibility(%__MODULE__{published: true, date: date}) do
+    if Date.after?(date, Date.utc_today()), do: :scheduled, else: :live
+  end
+
+  @doc "Returns days until a scheduled post goes live, or nil."
+  def days_until_live(%__MODULE__{} = post) do
+    case visibility(post) do
+      :scheduled -> Date.diff(post.date, Date.utc_today())
+      _ -> nil
+    end
+  end
+
   @doc """
   Build callback for NimblePublisher.
 

blogex/lib/blogex/registry.ex

@@ -37,6 +37,13 @@ defmodule Blogex.Registry do
     |> Enum.sort_by(& &1.date, {:desc, Date})
   end
 
+  @doc "Returns all posts from all blogs (unfiltered), sorted newest first."
+  def all_posts_unfiltered do
+    blogs()
+    |> Enum.flat_map(& &1.unfiltered_posts())
+    |> Enum.sort_by(& &1.date, {:desc, Date})
+  end
+
   @doc "Returns all unique tags across all blogs."
   def all_tags do
     blogs()

blogex/test/blogex/blog_test.exs

@@ -15,6 +15,24 @@ defmodule Blogex.BlogTest do
       assert "draft-post" not in ids
     end
 
+    test "excludes future-dated posts", %{blog: blog} do
+      ids = blog.all_posts() |> Enum.map(& &1.id)
+
+      refute "future-post" in ids
+    end
+
+    test "includes today-dated published posts" do
+      {:ok, _} = FakeBlog.start([
+        build(id: "today", date: Date.utc_today(), published: true),
+        build(id: "tomorrow", date: Date.add(Date.utc_today(), 1), published: true)
+      ])
+
+      ids = FakeBlog.all_posts() |> Enum.map(& &1.id)
+
+      assert "today" in ids
+      refute "tomorrow" in ids
+    end
+
     test "returns posts newest first", %{blog: blog} do
       dates = blog.all_posts() |> Enum.map(& &1.date)
 
@@ -23,6 +41,13 @@ defmodule Blogex.BlogTest do
   end
 
   describe "recent_posts/1" do
+    test "excludes future-dated posts", %{blog: blog} do
+      posts = blog.recent_posts(100)
+      ids = Enum.map(posts, & &1.id)
+
+      refute "future-post" in ids
+    end
+
     test "returns at most n posts", %{blog: blog} do
       assert length(blog.recent_posts(2)) == 2
     end
@@ -35,6 +60,12 @@ defmodule Blogex.BlogTest do
   end
 
   describe "posts_by_tag/1" do
+    test "excludes future-dated posts", %{blog: blog} do
+      posts = blog.posts_by_tag("future-only")
+
+      assert posts == []
+    end
+
     test "returns only posts with the given tag", %{blog: blog} do
       posts = blog.posts_by_tag("testing")
 
@@ -59,6 +90,10 @@ defmodule Blogex.BlogTest do
   end
 
   describe "all_tags/0" do
+    test "excludes tags only on future-dated posts", %{blog: blog} do
+      refute "future-only" in blog.all_tags()
+    end
+
     test "returns unique sorted tags from published posts", %{blog: blog} do
       tags = blog.all_tags()
 
@@ -90,10 +125,14 @@ defmodule Blogex.BlogTest do
       end
     end
 
-    test "raises for draft post id", %{blog: blog} do
-      assert_raise Blogex.NotFoundError, fn ->
-        blog.get_post!("draft-post")
-      end
+    test "returns a future-dated published post by slug", %{blog: blog} do
+      post = blog.get_post!("future-post")
+      assert post.id == "future-post"
+    end
+
+    test "returns a draft post by slug", %{blog: blog} do
+      post = blog.get_post!("draft-post")
+      assert post.id == "draft-post"
     end
   end
 
@@ -101,6 +140,14 @@ defmodule Blogex.BlogTest do
     test "returns nil for unknown id", %{blog: blog} do
       assert blog.get_post("nope") == nil
     end
+
+    test "returns a future-dated post", %{blog: blog} do
+      assert %{id: "future-post"} = blog.get_post("future-post")
+    end
+
+    test "returns a draft post", %{blog: blog} do
+      assert %{id: "draft-post"} = blog.get_post("draft-post")
+    end
   end
 
   describe "paginate/2" do

blogex/test/blogex/feed_test.exs

@@ -65,6 +65,11 @@ defmodule Blogex.FeedTest do
       refute xml =~ "draft-post"
     end
 
+    test "excludes future-dated published posts", %{blog: blog} do
+      xml = Feed.rss(blog, @base_url)
+      refute xml =~ "future-post"
+    end
+
     test "includes self-referencing atom:link", %{blog: blog} do
       xml = Feed.rss(blog, @base_url)
 
@@ -95,6 +100,11 @@ defmodule Blogex.FeedTest do
       entry_count = xml |> String.split("<entry>") |> length() |> Kernel.-(1)
       assert entry_count == 2
     end
+
+    test "excludes future-dated published posts", %{blog: blog} do
+      xml = Feed.atom(blog, @base_url)
+      refute xml =~ "future-post"
+    end
   end
 
   describe "XML escaping" do

blogex/test/blogex/post_visibility_test.exs

@@ -0,0 +1,45 @@
+defmodule Blogex.Post.VisibilityTest do
+  use ExUnit.Case
+
+  import Blogex.Test.PostBuilder
+
+  describe "visibility/1" do
+    test "returns :draft when post is not published" do
+      post = build(published: false, date: ~D[2026-01-01])
+      assert Blogex.Post.visibility(post) == :draft
+    end
+
+    test "returns :scheduled when post is published with future date" do
+      post = build(published: true, date: ~D[2099-01-01])
+      assert Blogex.Post.visibility(post) == :scheduled
+    end
+
+    test "returns :live when post is published with past date" do
+      post = build(published: true, date: ~D[2020-01-01])
+      assert Blogex.Post.visibility(post) == :live
+    end
+
+    test "returns :live when post is published with today's date" do
+      post = build(published: true, date: Date.utc_today())
+      assert Blogex.Post.visibility(post) == :live
+    end
+  end
+
+  describe "days_until_live/1" do
+    test "returns positive integer for scheduled post" do
+      future = Date.add(Date.utc_today(), 10)
+      post = build(published: true, date: future)
+      assert Blogex.Post.days_until_live(post) == 10
+    end
+
+    test "returns nil for draft post" do
+      post = build(published: false, date: ~D[2099-01-01])
+      assert Blogex.Post.days_until_live(post) == nil
+    end
+
+    test "returns nil for live post" do
+      post = build(published: true, date: ~D[2020-01-01])
+      assert Blogex.Post.days_until_live(post) == nil
+    end
+  end
+end

blogex/test/blogex/registry_test.exs

@@ -8,12 +8,24 @@ defmodule Blogex.RegistryTest do
     def blog_id, do: :alpha
     def all_posts, do: [Blogex.Test.PostBuilder.build(id: "a1", date: ~D[2026-03-01], blog: :alpha)]
     def all_tags, do: ["elixir"]
+
+    def unfiltered_posts,
+      do: [
+        Blogex.Test.PostBuilder.build(id: "a1", date: ~D[2026-03-01], blog: :alpha),
+        Blogex.Test.PostBuilder.build(id: "a-draft", date: ~D[2026-03-05], blog: :alpha, published: false)
+      ]
   end
 
   defmodule BetaBlog do
     def blog_id, do: :beta
     def all_posts, do: [Blogex.Test.PostBuilder.build(id: "b1", date: ~D[2026-03-15], blog: :beta)]
     def all_tags, do: ["devops"]
+
+    def unfiltered_posts,
+      do: [
+        Blogex.Test.PostBuilder.build(id: "b1", date: ~D[2026-03-15], blog: :beta),
+        Blogex.Test.PostBuilder.build(id: "b-future", date: ~D[2099-01-01], blog: :beta)
+      ]
   end
 
   setup do
@@ -77,6 +89,21 @@ defmodule Blogex.RegistryTest do
     end
   end
 
+  describe "all_posts_unfiltered/0" do
+    test "returns all posts including drafts and future-dated" do
+      ids = Registry.all_posts_unfiltered() |> Enum.map(& &1.id)
+      assert "a1" in ids
+      assert "a-draft" in ids
+      assert "b1" in ids
+      assert "b-future" in ids
+    end
+
+    test "sorts by date descending" do
+      dates = Registry.all_posts_unfiltered() |> Enum.map(& &1.date)
+      assert dates == Enum.sort(dates, {:desc, Date})
+    end
+  end
+
   describe "blogs_map/0" do
     test "returns map keyed by blog_id" do
       map = Registry.blogs_map()

blogex/test/blogex/router_test.exs

@@ -9,7 +9,8 @@ defmodule Blogex.RouterTest do
     posts = [
       build(id: "first-post", title: "First", tags: ["elixir"], date: ~D[2026-03-10]),
       build(id: "second-post", title: "Second", tags: ["otp"], date: ~D[2026-02-01]),
-      build(id: "draft", published: false, date: ~D[2026-03-12])
+      build(id: "draft", published: false, date: ~D[2026-03-12]),
+      build(id: "future-post", title: "Future", tags: ["elixir"], date: ~D[2099-01-01], published: true)
     ]
 
     {:ok, _} = FakeBlog.start(posts,
@@ -42,6 +43,12 @@ defmodule Blogex.RouterTest do
       assert conn.resp_body =~ "first-post"
       refute conn.resp_body =~ "draft"
     end
+
+    test "excludes future-dated posts from feed" do
+      conn = call(:get, "/feed.xml")
+
+      refute conn.resp_body =~ "future-post"
+    end
   end
 
   describe "GET /atom.xml" do
@@ -70,10 +77,18 @@ defmodule Blogex.RouterTest do
       assert conn.status == 404
     end
 
-    test "returns 404 for draft post" do
+    test "returns 200 for draft post accessed by slug" do
       conn = call(:get, "/draft")
 
-      assert conn.status == 404
+      assert conn.status == 200
+    end
+
+    test "returns 200 for future-dated post accessed by slug" do
+      conn = call(:get, "/future-post")
+
+      assert conn.status == 200
+      body = Jason.decode!(conn.resp_body)
+      assert body["id"] == "future-post"
     end
   end
 
@@ -88,6 +103,14 @@ defmodule Blogex.RouterTest do
       assert hd(body["posts"])["id"] == "first-post"
     end
 
+    test "excludes future-dated posts from tag results" do
+      conn = call(:get, "/tag/elixir")
+
+      body = Jason.decode!(conn.resp_body)
+      ids = Enum.map(body["posts"], & &1["id"])
+      refute "future-post" in ids
+    end
+
     test "returns empty list for unknown tag" do
       conn = call(:get, "/tag/unknown")
 
@@ -113,6 +136,14 @@ defmodule Blogex.RouterTest do
       ids = Enum.map(body["posts"], & &1["id"])
       refute "draft" in ids
     end
+
+    test "excludes future-dated posts from listing" do
+      conn = call(:get, "/")
+
+      body = Jason.decode!(conn.resp_body)
+      ids = Enum.map(body["posts"], & &1["id"])
+      refute "future-post" in ids
+    end
   end
 
   defp get_content_type(conn) do

blogex/test/support/fake_blog.ex

@@ -51,9 +51,16 @@ defmodule Blogex.Test.FakeBlog do
   def description, do: get(:description)
   def base_path, do: get(:base_path)
 
-  def all_posts do
+  def unfiltered_posts do
     get(:posts)
-    |> Enum.filter(& &1.published)
+    |> Enum.sort_by(& &1.date, {:desc, Date})
+  end
+
+  def all_posts do
+    today = Date.utc_today()
+
+    get(:posts)
+    |> Enum.filter(&(&1.published and not Date.after?(&1.date, today)))
     |> Enum.sort_by(& &1.date, {:desc, Date})
   end
 
@@ -71,12 +78,12 @@ defmodule Blogex.Test.FakeBlog do
   end
 
   def get_post!(id) do
-    Enum.find(all_posts(), &(&1.id == id)) ||
+    Enum.find(unfiltered_posts(), &(&1.id == id)) ||
       raise Blogex.NotFoundError, "post #{inspect(id)} not found"
   end
 
   def get_post(id) do
-    Enum.find(all_posts(), &(&1.id == id))
+    Enum.find(unfiltered_posts(), &(&1.id == id))
   end
 
   def paginate(page \\ 1, per_page \\ 10) do

blogex/test/support/setup.ex

@@ -44,6 +44,12 @@ defmodule Blogex.Test.Setup do
         date: ~D[2026-03-12],
         tags: ["elixir"],
         published: false
+      ),
+      build(
+        id: "future-post",
+        date: ~D[2099-01-01],
+        tags: ["future-only"],
+        published: true
       )
     ]
   end