aaronrenner / phx_gen_auth

An authentication system generator for Phoenix 1.5 applications.

Updating email doesn't remove the confirmed_at value. #43

Closed thorebear closed 4 years ago

thorebear commented 4 years ago

If a user changes his email, the confirmed_at field is not deleted, meaning that the user is confirmed but now has an email that is not confirmed.

josevalim commented 4 years ago

In the generated code, you can only change the e-mail after you confirm it via the "confirm_email" route. So in the generated views, it should definitely work: https://github.com/aaronrenner/phx_gen_auth/blob/master/priv/templates/phx.gen.auth/routes.ex#L23

Are you changing the e-mail manually perhaps? Can you tell a bit more?

thorebear commented 4 years ago

I am referring to the following scenario:

  1. A user is created with email 'MAIL1'
  2. The user confirms the email 'MAIL1'
  3. Using the generated user_settings_controller / view the user updates his email to 'MAIL2'

Now, without confirming 'MAIL2', the user's confirmed_at field still has the timestamp of the confirmation of 'MAIL1', effectively indicating that 'MAIL2' is confirmed.

In a setup like this I would expect one of two things: either the email is not changed to 'MAIL2' in the database before 'MAIL2' is confirmed, or the confirmed_at field is set to nil, making the user unconfirmed until he confirms 'MAIL2'.

josevalim commented 4 years ago

> Using the generated user_settings_controller / view the user updates his email to 'MAIL2'

This does not actually change his e-mail to MAIL2 UNLESS the user clicks the link in his e-mail.
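The flow josevalim describes, modelled as an added, self-contained Python example (this is not phx_gen_auth's code and does not use its real modules): `apply_user_email` only validates the request and returns what the user would look like, nothing is written; `deliver_update_email_instructions` creates the token the e-mailed link would carry, bound to the user's current address; only `update_user_email`, called when that token is presented, persists the new address. Until then the stored e-mail and `confirmed_at` are untouched, which is why confirmed_at never ends up attached to an unverified address. The token lifetime, the hashing parameters and the decision to refresh `confirmed_at` when the new address is proven are assumptions of this model.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed in-memory model of the "change e-mail" flow discussed in this
# issue. It is not phx_gen_auth's generated code; names mirror the thread only.

TOKEN_TTL_SECONDS = 7 * 24 * 3600  # assumption: change-e-mail links live one week


@dataclass
class User:
    email: str
    password_hash: bytes
    confirmed_at: Optional[float]  # None while the stored address is unverified


@dataclass
class EmailChangeToken:
    token_hash: bytes   # only the hash of the mailed token is stored
    context: str        # "change:<current e-mail>" binds the token to the old address
    new_email: str      # the address that becomes live once the token is used
    created_at: float


def hash_password(password: str) -> bytes:
    # constructed static salt so results are reproducible; a real store salts per user
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 100_000)


def verify_password(user: User, password: str) -> bool:
    return hmac.compare_digest(user.password_hash, hash_password(password))


def apply_user_email(user: User, password: str, new_email: str) -> Tuple[Optional[User], Optional[str]]:
    """Validate the change and return the user as it *would* look. Nothing is persisted."""
    if not verify_password(user, password):
        return None, "invalid password"
    if "@" not in new_email or new_email == user.email:
        return None, "invalid e-mail"
    return replace(user, email=new_email), None


def deliver_update_email_instructions(store: List[EmailChangeToken], applied: User,
                                      current_email: str, now: float) -> str:
    """Mint the token the link carries; the raw value goes into the e-mail, only its hash is kept."""
    raw = secrets.token_urlsafe(32)
    store.append(EmailChangeToken(
        token_hash=hashlib.sha256(raw.encode()).digest(),
        context=f"change:{current_email}",
        new_email=applied.email,
        created_at=now))
    return raw


def update_user_email(store: List[EmailChangeToken], user: User, raw_token: str,
                      now: float) -> Tuple[Optional[User], Optional[str]]:
    """Persist the new address only for a valid, unexpired token bound to the user's current e-mail."""
    digest = hashlib.sha256(raw_token.encode()).digest()
    for rec in store:
        if hmac.compare_digest(rec.token_hash, digest) and rec.context == f"change:{user.email}":
            if now - rec.created_at > TOKEN_TTL_SECONDS:
                return None, "token expired"
            # one successful use invalidates every pending change for this address
            store[:] = [r for r in store if r.context != rec.context]
            # assumption of this model: the address was just proven, so confirmed_at is refreshed
            return replace(user, email=rec.new_email, confirmed_at=now), None
    return None, "invalid token"


def scenario(now: float = 1_700_000_000.0) -> dict:
    """Walk the three steps from the issue and report the stored state at each point."""
    store: List[EmailChangeToken] = []
    user = User("MAIL1@example.com", hash_password("hunter2"), confirmed_at=now - 3600)

    applied, err = apply_user_email(user, "hunter2", "MAIL2@example.com")
    assert err is None
    token = deliver_update_email_instructions(store, applied, user.email, now)

    before = (user.email, user.confirmed_at)          # still MAIL1, still its old confirmation
    bad_err = update_user_email(store, user, "not-the-token", now)[1]
    expired_err = update_user_email(store, user, token, now + TOKEN_TTL_SECONDS + 1)[1]
    updated, err = update_user_email(store, user, token, now + 60)
    assert err is None

    return {"before": before, "bad_err": bad_err, "expired_err": expired_err,
            "after": (updated.email, updated.confirmed_at), "tokens_left": len(store)}


if __name__ == "__main__":
    print(scenario())
```

The security-relevant property is visible in `scenario()`: between the settings form submission and the click on the link, `before` still holds the confirmed old address, so there is never a window in which an unverified address is stored alongside a confirmed_at timestamp.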

thorebear commented 4 years ago

You are right. I was probably confused by the function name apply_user_email.