diff --git a/AGENTS.md b/AGENTS.md
deleted file mode 100644
index 7952511..0000000
--- a/AGENTS.md
+++ /dev/null
@@ -1,301 +0,0 @@
-This is a web application written using the Phoenix web framework.
-
-## Project guidelines
-
-- Use `mix precommit` alias when you are done with all changes and fix any pending issues
-- Use the already included and available `:req` (`Req`) library for HTTP requests, **avoid** `:httpoison`, `:tesla`, and `:httpc`. Req is included by default and is the preferred HTTP client for Phoenix apps
-### Phoenix v1.8 guidelines
-
-- **Always** begin your LiveView templates with `<Layouts.app flash={@flash} ...>` which wraps all inner content
-- The `MyAppWeb.Layouts` module is aliased in the `my_app_web.ex` file, so you can use it without needing to alias it again
-- Anytime you run into errors with no `current_scope` assign:
-  - You failed to follow the Authenticated Routes guidelines, or you failed to pass `current_scope` to `<Layouts.app>`
-  - **Always** fix the `current_scope` error by moving your routes to the proper `live_session` and ensure you pass `current_scope` as needed
-- Phoenix v1.8 moved the `<.flash_group>` component to the `Layouts` module. You are **forbidden** from calling `<.flash_group>` outside of the `layouts.ex` module
-- Out of the box, `core_components.ex` imports an `<.icon name="hero-x-mark" class="w-5 h-5"/>` component for for hero icons. **Always** use the `<.icon>` component for icons, **never** use `Heroicons` modules or similar
-- **Always** use the imported `<.input>` component for form inputs from `core_components.ex` when available. `<.input>` is imported and using it will will save steps and prevent errors
-- If you override the default input classes (`<.input class="myclass px-2 py-1 rounded-lg">)`) class with your own values, no default classes are inherited, so your
-custom classes must fully style the input
-
-<!-- usage-rules-start -->
-<!-- phoenix:elixir-start -->
-## Elixir guidelines
-
-- Elixir lists **do not support index based access via the access syntax**
-
-  **Never do this (invalid)**:
-
-      i = 0
-      mylist = ["blue", "green"]
-      mylist[i]
-
-  Instead, **always** use `Enum.at`, pattern matching, or `List` for index based list access, ie:
-
-      i = 0
-      mylist = ["blue", "green"]
-      Enum.at(mylist, i)
-
-- Elixir variables are immutable, but can be rebound, so for block expressions like `if`, `case`, `cond`, etc
-  you *must* bind the result of the expression to a variable if you want to use it and you CANNOT rebind the result inside the expression, ie:
-
-      # INVALID: we are rebinding inside the `if` and the result never gets assigned
-      if connected?(socket) do
-        socket = assign(socket, :val, val)
-      end
-
-      # VALID: we rebind the result of the `if` to a new variable
-      socket =
-        if connected?(socket) do
-          assign(socket, :val, val)
-        end
-
-- **Never** nest multiple modules in the same file as it can cause cyclic dependencies and compilation errors
-- **Never** use map access syntax (`changeset[:field]`) on structs as they do not implement the Access behaviour by default. For regular structs, you **must** access the fields directly, such as `my_struct.field` or use higher level APIs that are available on the struct if they exist, `Ecto.Changeset.get_field/2` for changesets
-- Elixir's standard library has everything necessary for date and time manipulation. Familiarize yourself with the common `Time`, `Date`, `DateTime`, and `Calendar` interfaces by accessing their documentation as necessary. **Never** install additional dependencies unless asked or for date/time parsing (which you can use the `date_time_parser` package)
-- Don't use `String.to_atom/1` on user input (memory leak risk)
-- Predicate function names should not start with `is_` and should end in a question mark. Names like `is_thing` should be reserved for guards
-- Elixir's builtin OTP primitives like `DynamicSupervisor` and `Registry`, require names in the child spec, such as `{DynamicSupervisor, name: MyApp.MyDynamicSup}`, then you can use `DynamicSupervisor.start_child(MyApp.MyDynamicSup, child_spec)`
-- Use `Task.async_stream(collection, callback, options)` for concurrent enumeration with back-pressure. The majority of times you will want to pass `timeout: :infinity` as option
-
-## Mix guidelines
-
-- Read the docs and options before using tasks (by using `mix help task_name`)
-- To debug test failures, run tests in a specific file with `mix test test/my_test.exs` or run all previously failed tests with `mix test --failed`
-- `mix deps.clean --all` is **almost never needed**. **Avoid** using it unless you have good reason
-<!-- phoenix:elixir-end -->
-<!-- phoenix:phoenix-start -->
-## Phoenix guidelines
-
-- Remember Phoenix router `scope` blocks include an optional alias which is prefixed for all routes within the scope. **Always** be mindful of this when creating routes within a scope to avoid duplicate module prefixes.
-
-- You **never** need to create your own `alias` for route definitions! The `scope` provides the alias, ie:
-
-      scope "/admin", AppWeb.Admin do
-        pipe_through :browser
-
-        live "/users", UserLive, :index
-      end
-
-  the UserLive route would point to the `AppWeb.Admin.UserLive` module
-
-- `Phoenix.View` no longer is needed or included with Phoenix, don't use it
-<!-- phoenix:phoenix-end -->
-<!-- phoenix:ecto-start -->
-## Ecto Guidelines
-
-- **Always** preload Ecto associations in queries when they'll be accessed in templates, ie a message that needs to reference the `message.user.email`
-- Remember `import Ecto.Query` and other supporting modules when you write `seeds.exs`
-- `Ecto.Schema` fields always use the `:string` type, even for `:text`, columns, ie: `field :name, :string`
-- `Ecto.Changeset.validate_number/2` **DOES NOT SUPPORT the `:allow_nil` option**. By default, Ecto validations only run if a change for the given field exists and the change value is not nil, so such as option is never needed
-- You **must** use `Ecto.Changeset.get_field(changeset, :field)` to access changeset fields
-- Fields which are set programatically, such as `user_id`, must not be listed in `cast` calls or similar for security purposes. Instead they must be explicitly set when creating the struct
-<!-- phoenix:ecto-end -->
-<!-- phoenix:html-start -->
-## Phoenix HTML guidelines
-
-- Phoenix templates **always** use `~H` or .html.heex files (known as HEEx), **never** use `~E`
-- **Always** use the imported `Phoenix.Component.form/1` and `Phoenix.Component.inputs_for/1` function to build forms. **Never** use `Phoenix.HTML.form_for` or `Phoenix.HTML.inputs_for` as they are outdated
-- When building forms **always** use the already imported `Phoenix.Component.to_form/2` (`assign(socket, form: to_form(...))` and `<.form for={@form} id="msg-form">`), then access those forms in the template via `@form[:field]`
-- **Always** add unique DOM IDs to key elements (like forms, buttons, etc) when writing templates, these IDs can later be used in tests (`<.form for={@form} id="product-form">`)
-- For "app wide" template imports, you can import/alias into the `my_app_web.ex`'s `html_helpers` block, so they will be available to all LiveViews, LiveComponent's, and all modules that do `use MyAppWeb, :html` (replace "my_app" by the actual app name)
-
-- Elixir supports `if/else` but **does NOT support `if/else if` or `if/elsif`. **Never use `else if` or `elseif` in Elixir**, **always** use `cond` or `case` for multiple conditionals.
-
-  **Never do this (invalid)**:
-
-      <%= if condition do %>
-        ...
-      <% else if other_condition %>
-        ...
-      <% end %>
-
-  Instead **always** do this:
-
-      <%= cond do %>
-        <% condition -> %>
-          ...
-        <% condition2 -> %>
-          ...
-        <% true -> %>
-          ...
-      <% end %>
-
-- HEEx require special tag annotation if you want to insert literal curly's like `{` or `}`. If you want to show a textual code snippet on the page in a `<pre>` or `<code>` block you *must* annotate the parent tag with `phx-no-curly-interpolation`:
-
-      <code phx-no-curly-interpolation>
-        let obj = {key: "val"}
-      </code>
-
-  Within `phx-no-curly-interpolation` annotated tags, you can use `{` and `}` without escaping them, and dynamic Elixir expressions can still be used with `<%= ... %>` syntax
-
-- HEEx class attrs support lists, but you must **always** use list `[...]` syntax. You can use the class list syntax to conditionally add classes, **always do this for multiple class values**:
-
-      <a class={[
-        "px-2 text-white",
-        @some_flag && "py-5",
-        if(@other_condition, do: "border-red-500", else: "border-blue-100"),
-        ...
-      ]}>Text</a>
-
-  and **always** wrap `if`'s inside `{...}` expressions with parens, like done above (`if(@other_condition, do: "...", else: "...")`)
-
-  and **never** do this, since it's invalid (note the missing `[` and `]`):
-
-      <a class={
-        "px-2 text-white",
-        @some_flag && "py-5"
-      }> ...
-      => Raises compile syntax error on invalid HEEx attr syntax
-
-- **Never** use `<% Enum.each %>` or non-for comprehensions for generating template content, instead **always** use `<%= for item <- @collection do %>`
-- HEEx HTML comments use `<%!-- comment --%>`. **Always** use the HEEx HTML comment syntax for template comments (`<%!-- comment --%>`)
-- HEEx allows interpolation via `{...}` and `<%= ... %>`, but the `<%= %>` **only** works within tag bodies. **Always** use the `{...}` syntax for interpolation within tag attributes, and for interpolation of values within tag bodies. **Always** interpolate block constructs (if, cond, case, for) within tag bodies using `<%= ... %>`.
-
-  **Always** do this:
-
-      <div id={@id}>
-        {@my_assign}
-        <%= if @some_block_condition do %>
-          {@another_assign}
-        <% end %>
-      </div>
-
-  and **Never** do this – the program will terminate with a syntax error:
-
-      <%!-- THIS IS INVALID NEVER EVER DO THIS --%>
-      <div id="<%= @invalid_interpolation %>">
-        {if @invalid_block_construct do}
-        {end}
-      </div>
-<!-- phoenix:html-end -->
-<!-- phoenix:liveview-start -->
-## Phoenix LiveView guidelines
-
-- **Never** use the deprecated `live_redirect` and `live_patch` functions, instead **always** use the `<.link navigate={href}>` and  `<.link patch={href}>` in templates, and `push_navigate` and `push_patch` functions LiveViews
-- **Avoid LiveComponent's** unless you have a strong, specific need for them
-- LiveViews should be named like `AppWeb.WeatherLive`, with a `Live` suffix. When you go to add LiveView routes to the router, the default `:browser` scope is **already aliased** with the `AppWeb` module, so you can just do `live "/weather", WeatherLive`
-- Remember anytime you use `phx-hook="MyHook"` and that js hook manages its own DOM, you **must** also set the `phx-update="ignore"` attribute
-- **Never** write embedded `<script>` tags in HEEx. Instead always write your scripts and hooks in the `assets/js` directory and integrate them with the `assets/js/app.js` file
-
-### LiveView streams
-
-- **Always** use LiveView streams for collections for assigning regular lists to avoid memory ballooning and runtime termination with the following operations:
-  - basic append of N items - `stream(socket, :messages, [new_msg])`
-  - resetting stream with new items - `stream(socket, :messages, [new_msg], reset: true)` (e.g. for filtering items)
-  - prepend to stream - `stream(socket, :messages, [new_msg], at: -1)`
-  - deleting items - `stream_delete(socket, :messages, msg)`
-
-- When using the `stream/3` interfaces in the LiveView, the LiveView template must 1) always set `phx-update="stream"` on the parent element, with a DOM id on the parent element like `id="messages"` and 2) consume the `@streams.stream_name` collection and use the id as the DOM id for each child. For a call like `stream(socket, :messages, [new_msg])` in the LiveView, the template would be:
-
-      <div id="messages" phx-update="stream">
-        <div :for={{id, msg} <- @streams.messages} id={id}>
-          {msg.text}
-        </div>
-      </div>
-
-- LiveView streams are *not* enumerable, so you cannot use `Enum.filter/2` or `Enum.reject/2` on them. Instead, if you want to filter, prune, or refresh a list of items on the UI, you **must refetch the data and re-stream the entire stream collection, passing reset: true**:
-
-      def handle_event("filter", %{"filter" => filter}, socket) do
-        # re-fetch the messages based on the filter
-        messages = list_messages(filter)
-
-        {:noreply,
-        socket
-        |> assign(:messages_empty?, messages == [])
-        # reset the stream with the new messages
-        |> stream(:messages, messages, reset: true)}
-      end
-
-- LiveView streams *do not support counting or empty states*. If you need to display a count, you must track it using a separate assign. For empty states, you can use Tailwind classes:
-
-      <div id="tasks" phx-update="stream">
-        <div class="hidden only:block">No tasks yet</div>
-        <div :for={{id, task} <- @stream.tasks} id={id}>
-          {task.name}
-        </div>
-      </div>
-
-  The above only works if the empty state is the only HTML block alongside the stream for-comprehension.
-
-- **Never** use the deprecated `phx-update="append"` or `phx-update="prepend"` for collections
-
-### LiveView tests
-
-- `Phoenix.LiveViewTest` module and `LazyHTML` (included) for making your assertions
-- Form tests are driven by `Phoenix.LiveViewTest`'s `render_submit/2` and `render_change/2` functions
-- Come up with a step-by-step test plan that splits major test cases into small, isolated files. You may start with simpler tests that verify content exists, gradually add interaction tests
-- **Always reference the key element IDs you added in the LiveView templates in your tests** for `Phoenix.LiveViewTest` functions like `element/2`, `has_element/2`, selectors, etc
-- **Never** tests again raw HTML, **always** use `element/2`, `has_element/2`, and similar: `assert has_element?(view, "#my-form")`
-- Instead of relying on testing text content, which can change, favor testing for the presence of key elements
-- Focus on testing outcomes rather than implementation details
-- Be aware that `Phoenix.Component` functions like `<.form>` might produce different HTML than expected. Test against the output HTML structure, not your mental model of what you expect it to be
-- When facing test failures with element selectors, add debug statements to print the actual HTML, but use `LazyHTML` selectors to limit the output, ie:
-
-      html = render(view)
-      document = LazyHTML.from_fragment(html)
-      matches = LazyHTML.filter(document, "your-complex-selector")
-      IO.inspect(matches, label: "Matches")
-
-### Form handling
-
-#### Creating a form from params
-
-If you want to create a form based on `handle_event` params:
-
-    def handle_event("submitted", params, socket) do
-      {:noreply, assign(socket, form: to_form(params))}
-    end
-
-When you pass a map to `to_form/1`, it assumes said map contains the form params, which are expected to have string keys.
-
-You can also specify a name to nest the params:
-
-    def handle_event("submitted", %{"user" => user_params}, socket) do
-      {:noreply, assign(socket, form: to_form(user_params, as: :user))}
-    end
-
-#### Creating a form from changesets
-
-When using changesets, the underlying data, form params, and errors are retrieved from it. The `:as` option is automatically computed too. E.g. if you have a user schema:
-
-    defmodule MyApp.Users.User do
-      use Ecto.Schema
-      ...
-    end
-
-And then you create a changeset that you pass to `to_form`:
-
-    %MyApp.Users.User{}
-    |> Ecto.Changeset.change()
-    |> to_form()
-
-Once the form is submitted, the params will be available under `%{"user" => user_params}`.
-
-In the template, the form form assign can be passed to the `<.form>` function component:
-
-    <.form for={@form} id="todo-form" phx-change="validate" phx-submit="save">
-      <.input field={@form[:field]} type="text" />
-    </.form>
-
-Always give the form an explicit, unique DOM ID, like `id="todo-form"`.
-
-#### Avoiding form errors
-
-**Always** use a form assigned via `to_form/2` in the LiveView, and the `<.input>` component in the template. In the template **always access forms this**:
-
-    <%!-- ALWAYS do this (valid) --%>
-    <.form for={@form} id="my-form">
-      <.input field={@form[:field]} type="text" />
-    </.form>
-
-And **never** do this:
-
-    <%!-- NEVER do this (invalid) --%>
-    <.form for={@changeset} id="my-form">
-      <.input field={@changeset[:field]} type="text" />
-    </.form>
-
-- You are FORBIDDEN from accessing the changeset in the template as it will cause errors
-- **Never** use `<.form let={f} ...>` in the template, instead **always use `<.form for={@form} ...>`**, then drive all form references from the form assign as in `@form[:field]`. The UI should **always** be driven by a `to_form/2` assigned in the LiveView module that is derived from a changeset
-<!-- phoenix:liveview-end -->
-<!-- usage-rules-end -->
\ No newline at end of file
diff --git a/config/config.exs b/config/config.exs
index bd8c6ec..a2252b2 100644
--- a/config/config.exs
+++ b/config/config.exs
@@ -7,6 +7,19 @@
 # General application configuration
 import Config
 
+config :beet_round_server, :scopes,
+  user: [
+    default: true,
+    module: BeetRoundServer.Accounts.Scope,
+    assign_key: :current_scope,
+    access_path: [:user, :id],
+    schema_key: :user_id,
+    schema_type: :binary_id,
+    schema_table: :users,
+    test_data_fixture: BeetRoundServer.AccountsFixtures,
+    test_setup_helper: :register_and_log_in_user
+  ]
+
 config :beet_round_server,
   ecto_repos: [BeetRoundServer.Repo],
   generators: [timestamp_type: :utc_datetime, binary_id: true]
diff --git a/config/test.exs b/config/test.exs
index 527ae3c..52981bb 100644
--- a/config/test.exs
+++ b/config/test.exs
@@ -1,5 +1,8 @@
 import Config
 
+# Only in tests, remove the complexity from the password hashing algorithm
+config :bcrypt_elixir, :log_rounds, 1
+
 # Configure your database
 #
 # The MIX_TEST_PARTITION environment variable can be used
diff --git a/lib/beet_round_server/accounts.ex b/lib/beet_round_server/accounts.ex
new file mode 100644
index 0000000..2b5b80d
--- /dev/null
+++ b/lib/beet_round_server/accounts.ex
@@ -0,0 +1,297 @@
+defmodule BeetRoundServer.Accounts do
+  @moduledoc """
+  The Accounts context.
+  """
+
+  import Ecto.Query, warn: false
+  alias BeetRoundServer.Repo
+
+  alias BeetRoundServer.Accounts.{User, UserToken, UserNotifier}
+
+  ## Database getters
+
+  @doc """
+  Gets a user by email.
+
+  ## Examples
+
+      iex> get_user_by_email("foo@example.com")
+      %User{}
+
+      iex> get_user_by_email("unknown@example.com")
+      nil
+
+  """
+  def get_user_by_email(email) when is_binary(email) do
+    Repo.get_by(User, email: email)
+  end
+
+  @doc """
+  Gets a user by email and password.
+
+  ## Examples
+
+      iex> get_user_by_email_and_password("foo@example.com", "correct_password")
+      %User{}
+
+      iex> get_user_by_email_and_password("foo@example.com", "invalid_password")
+      nil
+
+  """
+  def get_user_by_email_and_password(email, password)
+      when is_binary(email) and is_binary(password) do
+    user = Repo.get_by(User, email: email)
+    if User.valid_password?(user, password), do: user
+  end
+
+  @doc """
+  Gets a single user.
+
+  Raises `Ecto.NoResultsError` if the User does not exist.
+
+  ## Examples
+
+      iex> get_user!(123)
+      %User{}
+
+      iex> get_user!(456)
+      ** (Ecto.NoResultsError)
+
+  """
+  def get_user!(id), do: Repo.get!(User, id)
+
+  ## User registration
+
+  @doc """
+  Registers a user.
+
+  ## Examples
+
+      iex> register_user(%{field: value})
+      {:ok, %User{}}
+
+      iex> register_user(%{field: bad_value})
+      {:error, %Ecto.Changeset{}}
+
+  """
+  def register_user(attrs) do
+    %User{}
+    |> User.email_changeset(attrs)
+    |> Repo.insert()
+  end
+
+  ## Settings
+
+  @doc """
+  Checks whether the user is in sudo mode.
+
+  The user is in sudo mode when the last authentication was done no further
+  than 20 minutes ago. The limit can be given as second argument in minutes.
+  """
+  def sudo_mode?(user, minutes \\ -20)
+
+  def sudo_mode?(%User{authenticated_at: ts}, minutes) when is_struct(ts, DateTime) do
+    DateTime.after?(ts, DateTime.utc_now() |> DateTime.add(minutes, :minute))
+  end
+
+  def sudo_mode?(_user, _minutes), do: false
+
+  @doc """
+  Returns an `%Ecto.Changeset{}` for changing the user email.
+
+  See `BeetRoundServer.Accounts.User.email_changeset/3` for a list of supported options.
+
+  ## Examples
+
+      iex> change_user_email(user)
+      %Ecto.Changeset{data: %User{}}
+
+  """
+  def change_user_email(user, attrs \\ %{}, opts \\ []) do
+    User.email_changeset(user, attrs, opts)
+  end
+
+  @doc """
+  Updates the user email using the given token.
+
+  If the token matches, the user email is updated and the token is deleted.
+  """
+  def update_user_email(user, token) do
+    context = "change:#{user.email}"
+
+    Repo.transact(fn ->
+      with {:ok, query} <- UserToken.verify_change_email_token_query(token, context),
+           %UserToken{sent_to: email} <- Repo.one(query),
+           {:ok, user} <- Repo.update(User.email_changeset(user, %{email: email})),
+           {_count, _result} <-
+             Repo.delete_all(from(UserToken, where: [user_id: ^user.id, context: ^context])) do
+        {:ok, user}
+      else
+        _ -> {:error, :transaction_aborted}
+      end
+    end)
+  end
+
+  @doc """
+  Returns an `%Ecto.Changeset{}` for changing the user password.
+
+  See `BeetRoundServer.Accounts.User.password_changeset/3` for a list of supported options.
+
+  ## Examples
+
+      iex> change_user_password(user)
+      %Ecto.Changeset{data: %User{}}
+
+  """
+  def change_user_password(user, attrs \\ %{}, opts \\ []) do
+    User.password_changeset(user, attrs, opts)
+  end
+
+  @doc """
+  Updates the user password.
+
+  Returns a tuple with the updated user, as well as a list of expired tokens.
+
+  ## Examples
+
+      iex> update_user_password(user, %{password: ...})
+      {:ok, {%User{}, [...]}}
+
+      iex> update_user_password(user, %{password: "too short"})
+      {:error, %Ecto.Changeset{}}
+
+  """
+  def update_user_password(user, attrs) do
+    user
+    |> User.password_changeset(attrs)
+    |> update_user_and_delete_all_tokens()
+  end
+
+  ## Session
+
+  @doc """
+  Generates a session token.
+  """
+  def generate_user_session_token(user) do
+    {token, user_token} = UserToken.build_session_token(user)
+    Repo.insert!(user_token)
+    token
+  end
+
+  @doc """
+  Gets the user with the given signed token.
+
+  If the token is valid `{user, token_inserted_at}` is returned, otherwise `nil` is returned.
+  """
+  def get_user_by_session_token(token) do
+    {:ok, query} = UserToken.verify_session_token_query(token)
+    Repo.one(query)
+  end
+
+  @doc """
+  Gets the user with the given magic link token.
+  """
+  def get_user_by_magic_link_token(token) do
+    with {:ok, query} <- UserToken.verify_magic_link_token_query(token),
+         {user, _token} <- Repo.one(query) do
+      user
+    else
+      _ -> nil
+    end
+  end
+
+  @doc """
+  Logs the user in by magic link.
+
+  There are three cases to consider:
+
+  1. The user has already confirmed their email. They are logged in
+     and the magic link is expired.
+
+  2. The user has not confirmed their email and no password is set.
+     In this case, the user gets confirmed, logged in, and all tokens -
+     including session ones - are expired. In theory, no other tokens
+     exist but we delete all of them for best security practices.
+
+  3. The user has not confirmed their email but a password is set.
+     This cannot happen in the default implementation but may be the
+     source of security pitfalls. See the "Mixing magic link and password registration" section of
+     `mix help phx.gen.auth`.
+  """
+  def login_user_by_magic_link(token) do
+    {:ok, query} = UserToken.verify_magic_link_token_query(token)
+
+    case Repo.one(query) do
+      # Prevent session fixation attacks by disallowing magic links for unconfirmed users with password
+      {%User{confirmed_at: nil, hashed_password: hash}, _token} when not is_nil(hash) ->
+        raise """
+        magic link log in is not allowed for unconfirmed users with a password set!
+
+        This cannot happen with the default implementation, which indicates that you
+        might have adapted the code to a different use case. Please make sure to read the
+        "Mixing magic link and password registration" section of `mix help phx.gen.auth`.
+        """
+
+      {%User{confirmed_at: nil} = user, _token} ->
+        user
+        |> User.confirm_changeset()
+        |> update_user_and_delete_all_tokens()
+
+      {user, token} ->
+        Repo.delete!(token)
+        {:ok, {user, []}}
+
+      nil ->
+        {:error, :not_found}
+    end
+  end
+
+  @doc ~S"""
+  Delivers the update email instructions to the given user.
+
+  ## Examples
+
+      iex> deliver_user_update_email_instructions(user, current_email, &url(~p"/users/settings/confirm-email/#{&1}"))
+      {:ok, %{to: ..., body: ...}}
+
+  """
+  def deliver_user_update_email_instructions(%User{} = user, current_email, update_email_url_fun)
+      when is_function(update_email_url_fun, 1) do
+    {encoded_token, user_token} = UserToken.build_email_token(user, "change:#{current_email}")
+
+    Repo.insert!(user_token)
+    UserNotifier.deliver_update_email_instructions(user, update_email_url_fun.(encoded_token))
+  end
+
+  @doc """
+  Delivers the magic link login instructions to the given user.
+  """
+  def deliver_login_instructions(%User{} = user, magic_link_url_fun)
+      when is_function(magic_link_url_fun, 1) do
+    {encoded_token, user_token} = UserToken.build_email_token(user, "login")
+    Repo.insert!(user_token)
+    UserNotifier.deliver_login_instructions(user, magic_link_url_fun.(encoded_token))
+  end
+
+  @doc """
+  Deletes the signed token with the given context.
+  """
+  def delete_user_session_token(token) do
+    Repo.delete_all(from(UserToken, where: [token: ^token, context: "session"]))
+    :ok
+  end
+
+  ## Token helper
+
+  defp update_user_and_delete_all_tokens(changeset) do
+    Repo.transact(fn ->
+      with {:ok, user} <- Repo.update(changeset) do
+        tokens_to_expire = Repo.all_by(UserToken, user_id: user.id)
+
+        Repo.delete_all(from(t in UserToken, where: t.id in ^Enum.map(tokens_to_expire, & &1.id)))
+
+        {:ok, {user, tokens_to_expire}}
+      end
+    end)
+  end
+end
diff --git a/lib/beet_round_server/accounts/scope.ex b/lib/beet_round_server/accounts/scope.ex
new file mode 100644
index 0000000..dbdf27b
--- /dev/null
+++ b/lib/beet_round_server/accounts/scope.ex
@@ -0,0 +1,33 @@
+defmodule BeetRoundServer.Accounts.Scope do
+  @moduledoc """
+  Defines the scope of the caller to be used throughout the app.
+
+  The `BeetRoundServer.Accounts.Scope` allows public interfaces to receive
+  information about the caller, such as if the call is initiated from an
+  end-user, and if so, which user. Additionally, such a scope can carry fields
+  such as "super user" or other privileges for use as authorization, or to
+  ensure specific code paths can only be access for a given scope.
+
+  It is useful for logging as well as for scoping pubsub subscriptions and
+  broadcasts when a caller subscribes to an interface or performs a particular
+  action.
+
+  Feel free to extend the fields on this struct to fit the needs of
+  growing application requirements.
+  """
+
+  alias BeetRoundServer.Accounts.User
+
+  defstruct user: nil
+
+  @doc """
+  Creates a scope for the given user.
+
+  Returns nil if no user is given.
+  """
+  def for_user(%User{} = user) do
+    %__MODULE__{user: user}
+  end
+
+  def for_user(nil), do: nil
+end
diff --git a/lib/beet_round_server/accounts/user.ex b/lib/beet_round_server/accounts/user.ex
new file mode 100644
index 0000000..4441f3d
--- /dev/null
+++ b/lib/beet_round_server/accounts/user.ex
@@ -0,0 +1,134 @@
+defmodule BeetRoundServer.Accounts.User do
+  use Ecto.Schema
+  import Ecto.Changeset
+
+  @primary_key {:id, :binary_id, autogenerate: true}
+  @foreign_key_type :binary_id
+  schema "users" do
+    field :email, :string
+    field :password, :string, virtual: true, redact: true
+    field :hashed_password, :string, redact: true
+    field :confirmed_at, :utc_datetime
+    field :authenticated_at, :utc_datetime, virtual: true
+
+    timestamps(type: :utc_datetime)
+  end
+
+  @doc """
+  A user changeset for registering or changing the email.
+
+  It requires the email to change otherwise an error is added.
+
+  ## Options
+
+    * `:validate_unique` - Set to false if you don't want to validate the
+      uniqueness of the email, useful when displaying live validations.
+      Defaults to `true`.
+  """
+  def email_changeset(user, attrs, opts \\ []) do
+    user
+    |> cast(attrs, [:email])
+    |> validate_email(opts)
+  end
+
+  defp validate_email(changeset, opts) do
+    changeset =
+      changeset
+      |> validate_required([:email])
+      |> validate_format(:email, ~r/^[^@,;\s]+@[^@,;\s]+$/,
+        message: "must have the @ sign and no spaces"
+      )
+      |> validate_length(:email, max: 160)
+
+    if Keyword.get(opts, :validate_unique, true) do
+      changeset
+      |> unsafe_validate_unique(:email, BeetRoundServer.Repo)
+      |> unique_constraint(:email)
+      |> validate_email_changed()
+    else
+      changeset
+    end
+  end
+
+  defp validate_email_changed(changeset) do
+    if get_field(changeset, :email) && get_change(changeset, :email) == nil do
+      add_error(changeset, :email, "did not change")
+    else
+      changeset
+    end
+  end
+
+  @doc """
+  A user changeset for changing the password.
+
+  It is important to validate the length of the password, as long passwords may
+  be very expensive to hash for certain algorithms.
+
+  ## Options
+
+    * `:hash_password` - Hashes the password so it can be stored securely
+      in the database and ensures the password field is cleared to prevent
+      leaks in the logs. If password hashing is not needed and clearing the
+      password field is not desired (like when using this changeset for
+      validations on a LiveView form), this option can be set to `false`.
+      Defaults to `true`.
+  """
+  def password_changeset(user, attrs, opts \\ []) do
+    user
+    |> cast(attrs, [:password])
+    |> validate_confirmation(:password, message: "does not match password")
+    |> validate_password(opts)
+  end
+
+  defp validate_password(changeset, opts) do
+    changeset
+    |> validate_required([:password])
+    |> validate_length(:password, min: 12, max: 72)
+    # Examples of additional password validation:
+    # |> validate_format(:password, ~r/[a-z]/, message: "at least one lower case character")
+    # |> validate_format(:password, ~r/[A-Z]/, message: "at least one upper case character")
+    # |> validate_format(:password, ~r/[!?@#$%^&*_0-9]/, message: "at least one digit or punctuation character")
+    |> maybe_hash_password(opts)
+  end
+
+  defp maybe_hash_password(changeset, opts) do
+    hash_password? = Keyword.get(opts, :hash_password, true)
+    password = get_change(changeset, :password)
+
+    if hash_password? && password && changeset.valid? do
+      changeset
+      # If using Bcrypt, then further validate it is at most 72 bytes long
+      |> validate_length(:password, max: 72, count: :bytes)
+      # Hashing could be done with `Ecto.Changeset.prepare_changes/2`, but that
+      # would keep the database transaction open longer and hurt performance.
+      |> put_change(:hashed_password, Bcrypt.hash_pwd_salt(password))
+      |> delete_change(:password)
+    else
+      changeset
+    end
+  end
+
+  @doc """
+  Confirms the account by setting `confirmed_at`.
+  """
+  def confirm_changeset(user) do
+    now = DateTime.utc_now(:second)
+    change(user, confirmed_at: now)
+  end
+
+  @doc """
+  Verifies the password.
+
+  If there is no user or the user doesn't have a password, we call
+  `Bcrypt.no_user_verify/0` to avoid timing attacks.
+  """
+  def valid_password?(%BeetRoundServer.Accounts.User{hashed_password: hashed_password}, password)
+      when is_binary(hashed_password) and byte_size(password) > 0 do
+    Bcrypt.verify_pass(password, hashed_password)
+  end
+
+  def valid_password?(_, _) do
+    Bcrypt.no_user_verify()
+    false
+  end
+end
diff --git a/lib/beet_round_server/accounts/user_notifier.ex b/lib/beet_round_server/accounts/user_notifier.ex
new file mode 100644
index 0000000..8c132a3
--- /dev/null
+++ b/lib/beet_round_server/accounts/user_notifier.ex
@@ -0,0 +1,84 @@
+defmodule BeetRoundServer.Accounts.UserNotifier do
+  import Swoosh.Email
+
+  alias BeetRoundServer.Mailer
+  alias BeetRoundServer.Accounts.User
+
+  # Delivers the email using the application mailer.
+  defp deliver(recipient, subject, body) do
+    email =
+      new()
+      |> to(recipient)
+      |> from({"BeetRoundServer", "contact@example.com"})
+      |> subject(subject)
+      |> text_body(body)
+
+    with {:ok, _metadata} <- Mailer.deliver(email) do
+      {:ok, email}
+    end
+  end
+
+  @doc """
+  Deliver instructions to update a user email.
+  """
+  def deliver_update_email_instructions(user, url) do
+    deliver(user.email, "Update email instructions", """
+
+    ==============================
+
+    Hi #{user.email},
+
+    You can change your email by visiting the URL below:
+
+    #{url}
+
+    If you didn't request this change, please ignore this.
+
+    ==============================
+    """)
+  end
+
+  @doc """
+  Deliver instructions to log in with a magic link.
+  """
+  def deliver_login_instructions(user, url) do
+    case user do
+      %User{confirmed_at: nil} -> deliver_confirmation_instructions(user, url)
+      _ -> deliver_magic_link_instructions(user, url)
+    end
+  end
+
+  defp deliver_magic_link_instructions(user, url) do
+    deliver(user.email, "Log in instructions", """
+
+    ==============================
+
+    Hi #{user.email},
+
+    You can log into your account by visiting the URL below:
+
+    #{url}
+
+    If you didn't request this email, please ignore this.
+
+    ==============================
+    """)
+  end
+
+  defp deliver_confirmation_instructions(user, url) do
+    deliver(user.email, "Confirmation instructions", """
+
+    ==============================
+
+    Hi #{user.email},
+
+    You can confirm your account by visiting the URL below:
+
+    #{url}
+
+    If you didn't create an account with us, please ignore this.
+
+    ==============================
+    """)
+  end
+end
diff --git a/lib/beet_round_server/accounts/user_token.ex b/lib/beet_round_server/accounts/user_token.ex
new file mode 100644
index 0000000..e468842
--- /dev/null
+++ b/lib/beet_round_server/accounts/user_token.ex
@@ -0,0 +1,158 @@
+defmodule BeetRoundServer.Accounts.UserToken do
+  use Ecto.Schema
+  import Ecto.Query
+  alias BeetRoundServer.Accounts.UserToken
+
+  @hash_algorithm :sha256
+  @rand_size 32
+
+  # It is very important to keep the magic link token expiry short,
+  # since someone with access to the email may take over the account.
+  @magic_link_validity_in_minutes 15
+  @change_email_validity_in_days 7
+  @session_validity_in_days 14
+
+  @primary_key {:id, :binary_id, autogenerate: true}
+  @foreign_key_type :binary_id
+  schema "users_tokens" do
+    field :token, :binary
+    field :context, :string
+    field :sent_to, :string
+    field :authenticated_at, :utc_datetime
+    belongs_to :user, BeetRoundServer.Accounts.User
+
+    timestamps(type: :utc_datetime, updated_at: false)
+  end
+
+  @doc """
+  Generates a token that will be stored in a signed place,
+  such as session or cookie. As they are signed, those
+  tokens do not need to be hashed.
+
+  The reason why we store session tokens in the database, even
+  though Phoenix already provides a session cookie, is because
+  Phoenix's default session cookies are not persisted, they are
+  simply signed and potentially encrypted. This means they are
+  valid indefinitely, unless you change the signing/encryption
+  salt.
+
+  Therefore, storing them allows individual user
+  sessions to be expired. The token system can also be extended
+  to store additional data, such as the device used for logging in.
+  You could then use this information to display all valid sessions
+  and devices in the UI and allow users to explicitly expire any
+  session they deem invalid.
+  """
+  def build_session_token(user) do
+    token = :crypto.strong_rand_bytes(@rand_size)
+    dt = user.authenticated_at || DateTime.utc_now(:second)
+    {token, %UserToken{token: token, context: "session", user_id: user.id, authenticated_at: dt}}
+  end
+
+  @doc """
+  Checks if the token is valid and returns its underlying lookup query.
+
+  The query returns the user found by the token, if any, along with the token's creation time.
+
+  The token is valid if it matches the value in the database and it has
+  not expired (after @session_validity_in_days).
+  """
+  def verify_session_token_query(token) do
+    query =
+      from token in by_token_and_context_query(token, "session"),
+        join: user in assoc(token, :user),
+        where: token.inserted_at > ago(@session_validity_in_days, "day"),
+        select: {%{user | authenticated_at: token.authenticated_at}, token.inserted_at}
+
+    {:ok, query}
+  end
+
+  @doc """
+  Builds a token and its hash to be delivered to the user's email.
+
+  The non-hashed token is sent to the user email while the
+  hashed part is stored in the database. The original token cannot be reconstructed,
+  which means anyone with read-only access to the database cannot directly use
+  the token in the application to gain access. Furthermore, if the user changes
+  their email in the system, the tokens sent to the previous email are no longer
+  valid.
+
+  Users can easily adapt the existing code to provide other types of delivery methods,
+  for example, by phone numbers.
+  """
+  def build_email_token(user, context) do
+    build_hashed_token(user, context, user.email)
+  end
+
+  defp build_hashed_token(user, context, sent_to) do
+    token = :crypto.strong_rand_bytes(@rand_size)
+    hashed_token = :crypto.hash(@hash_algorithm, token)
+
+    {Base.url_encode64(token, padding: false),
+     %UserToken{
+       token: hashed_token,
+       context: context,
+       sent_to: sent_to,
+       user_id: user.id
+     }}
+  end
+
+  @doc """
+  Checks if the token is valid and returns its underlying lookup query.
+
+  If found, the query returns a tuple of the form `{user, token}`.
+
+  The given token is valid if it matches its hashed counterpart in the
+  database. This function also checks if the token is being used within
+  15 minutes. The context of a magic link token is always "login".
+  """
+  def verify_magic_link_token_query(token) do
+    case Base.url_decode64(token, padding: false) do
+      {:ok, decoded_token} ->
+        hashed_token = :crypto.hash(@hash_algorithm, decoded_token)
+
+        query =
+          from token in by_token_and_context_query(hashed_token, "login"),
+            join: user in assoc(token, :user),
+            where: token.inserted_at > ago(^@magic_link_validity_in_minutes, "minute"),
+            where: token.sent_to == user.email,
+            select: {user, token}
+
+        {:ok, query}
+
+      :error ->
+        :error
+    end
+  end
+
+  @doc """
+  Checks if the token is valid and returns its underlying lookup query.
+
+  The query returns the user_token found by the token, if any.
+
+  This is used to validate requests to change the user
+  email.
+  The given token is valid if it matches its hashed counterpart in the
+  database and if it has not expired (after @change_email_validity_in_days).
+  The context must always start with "change:".
+  """
+  def verify_change_email_token_query(token, "change:" <> _ = context) do
+    case Base.url_decode64(token, padding: false) do
+      {:ok, decoded_token} ->
+        hashed_token = :crypto.hash(@hash_algorithm, decoded_token)
+
+        query =
+          from token in by_token_and_context_query(hashed_token, context),
+            where: token.inserted_at > ago(@change_email_validity_in_days, "day")
+
+        {:ok, query}
+
+      :error ->
+        :error
+    end
+  end
+
+  defp by_token_and_context_query(token, context) do
+    from UserToken, where: [token: ^token, context: ^context]
+  end
+end
diff --git a/lib/beet_round_server_web/components/layouts/root.html.heex b/lib/beet_round_server_web/components/layouts/root.html.heex
index 9feeb61..b487e7c 100644
--- a/lib/beet_round_server_web/components/layouts/root.html.heex
+++ b/lib/beet_round_server_web/components/layouts/root.html.heex
@@ -31,6 +31,26 @@
     </script>
   </head>
   <body>
+    <ul class="menu menu-horizontal w-full relative z-10 flex items-center gap-4 px-4 sm:px-6 lg:px-8 justify-end">
+      <%= if @current_scope do %>
+        <li>
+          {@current_scope.user.email}
+        </li>
+        <li>
+          <.link href={~p"/users/settings"}>Settings</.link>
+        </li>
+        <li>
+          <.link href={~p"/users/log-out"} method="delete">Log out</.link>
+        </li>
+      <% else %>
+        <li>
+          <.link href={~p"/users/register"}>Register</.link>
+        </li>
+        <li>
+          <.link href={~p"/users/log-in"}>Log in</.link>
+        </li>
+      <% end %>
+    </ul>
     {@inner_content}
   </body>
 </html>
diff --git a/lib/beet_round_server_web/controllers/user_session_controller.ex b/lib/beet_round_server_web/controllers/user_session_controller.ex
new file mode 100644
index 0000000..19ab0f1
--- /dev/null
+++ b/lib/beet_round_server_web/controllers/user_session_controller.ex
@@ -0,0 +1,67 @@
+defmodule BeetRoundServerWeb.UserSessionController do
+  use BeetRoundServerWeb, :controller
+
+  alias BeetRoundServer.Accounts
+  alias BeetRoundServerWeb.UserAuth
+
+  def create(conn, %{"_action" => "confirmed"} = params) do
+    create(conn, params, "User confirmed successfully.")
+  end
+
+  def create(conn, params) do
+    create(conn, params, "Welcome back!")
+  end
+
+  # magic link login
+  defp create(conn, %{"user" => %{"token" => token} = user_params}, info) do
+    case Accounts.login_user_by_magic_link(token) do
+      {:ok, {user, tokens_to_disconnect}} ->
+        UserAuth.disconnect_sessions(tokens_to_disconnect)
+
+        conn
+        |> put_flash(:info, info)
+        |> UserAuth.log_in_user(user, user_params)
+
+      _ ->
+        conn
+        |> put_flash(:error, "The link is invalid or it has expired.")
+        |> redirect(to: ~p"/users/log-in")
+    end
+  end
+
+  # email + password login
+  defp create(conn, %{"user" => user_params}, info) do
+    %{"email" => email, "password" => password} = user_params
+
+    if user = Accounts.get_user_by_email_and_password(email, password) do
+      conn
+      |> put_flash(:info, info)
+      |> UserAuth.log_in_user(user, user_params)
+    else
+      # In order to prevent user enumeration attacks, don't disclose whether the email is registered.
+      conn
+      |> put_flash(:error, "Invalid email or password")
+      |> put_flash(:email, String.slice(email, 0, 160))
+      |> redirect(to: ~p"/users/log-in")
+    end
+  end
+
+  def update_password(conn, %{"user" => user_params} = params) do
+    user = conn.assigns.current_scope.user
+    true = Accounts.sudo_mode?(user)
+    {:ok, {_user, expired_tokens}} = Accounts.update_user_password(user, user_params)
+
+    # disconnect all existing LiveViews with old sessions
+    UserAuth.disconnect_sessions(expired_tokens)
+
+    conn
+    |> put_session(:user_return_to, ~p"/users/settings")
+    |> create(params, "Password updated successfully!")
+  end
+
+  def delete(conn, _params) do
+    conn
+    |> put_flash(:info, "Logged out successfully.")
+    |> UserAuth.log_out_user()
+  end
+end
diff --git a/lib/beet_round_server_web/live/user_live/confirmation.ex b/lib/beet_round_server_web/live/user_live/confirmation.ex
new file mode 100644
index 0000000..8c48a88
--- /dev/null
+++ b/lib/beet_round_server_web/live/user_live/confirmation.ex
@@ -0,0 +1,94 @@
+defmodule BeetRoundServerWeb.UserLive.Confirmation do
+  use BeetRoundServerWeb, :live_view
+
+  alias BeetRoundServer.Accounts
+
+  @impl true
+  def render(assigns) do
+    ~H"""
+    <Layouts.app flash={@flash} current_scope={@current_scope}>
+      <div class="mx-auto max-w-sm">
+        <div class="text-center">
+          <.header>Welcome {@user.email}</.header>
+        </div>
+
+        <.form
+          :if={!@user.confirmed_at}
+          for={@form}
+          id="confirmation_form"
+          phx-mounted={JS.focus_first()}
+          phx-submit="submit"
+          action={~p"/users/log-in?_action=confirmed"}
+          phx-trigger-action={@trigger_submit}
+        >
+          <input type="hidden" name={@form[:token].name} value={@form[:token].value} />
+          <.button
+            name={@form[:remember_me].name}
+            value="true"
+            phx-disable-with="Confirming..."
+            class="btn btn-primary w-full"
+          >
+            Confirm and stay logged in
+          </.button>
+          <.button phx-disable-with="Confirming..." class="btn btn-primary btn-soft w-full mt-2">
+            Confirm and log in only this time
+          </.button>
+        </.form>
+
+        <.form
+          :if={@user.confirmed_at}
+          for={@form}
+          id="login_form"
+          phx-submit="submit"
+          phx-mounted={JS.focus_first()}
+          action={~p"/users/log-in"}
+          phx-trigger-action={@trigger_submit}
+        >
+          <input type="hidden" name={@form[:token].name} value={@form[:token].value} />
+          <%= if @current_scope do %>
+            <.button phx-disable-with="Logging in..." class="btn btn-primary w-full">
+              Log in
+            </.button>
+          <% else %>
+            <.button
+              name={@form[:remember_me].name}
+              value="true"
+              phx-disable-with="Logging in..."
+              class="btn btn-primary w-full"
+            >
+              Keep me logged in on this device
+            </.button>
+            <.button phx-disable-with="Logging in..." class="btn btn-primary btn-soft w-full mt-2">
+              Log me in only this time
+            </.button>
+          <% end %>
+        </.form>
+
+        <p :if={!@user.confirmed_at} class="alert alert-outline mt-8">
+          Tip: If you prefer passwords, you can enable them in the user settings.
+        </p>
+      </div>
+    </Layouts.app>
+    """
+  end
+
+  @impl true
+  def mount(%{"token" => token}, _session, socket) do
+    if user = Accounts.get_user_by_magic_link_token(token) do
+      form = to_form(%{"token" => token}, as: "user")
+
+      {:ok, assign(socket, user: user, form: form, trigger_submit: false),
+       temporary_assigns: [form: nil]}
+    else
+      {:ok,
+       socket
+       |> put_flash(:error, "Magic link is invalid or it has expired.")
+       |> push_navigate(to: ~p"/users/log-in")}
+    end
+  end
+
+  @impl true
+  def handle_event("submit", %{"user" => params}, socket) do
+    {:noreply, assign(socket, form: to_form(params, as: "user"), trigger_submit: true)}
+  end
+end
diff --git a/lib/beet_round_server_web/live/user_live/login.ex b/lib/beet_round_server_web/live/user_live/login.ex
new file mode 100644
index 0000000..ba19185
--- /dev/null
+++ b/lib/beet_round_server_web/live/user_live/login.ex
@@ -0,0 +1,131 @@
+defmodule BeetRoundServerWeb.UserLive.Login do
+  use BeetRoundServerWeb, :live_view
+
+  alias BeetRoundServer.Accounts
+
+  @impl true
+  def render(assigns) do
+    ~H"""
+    <Layouts.app flash={@flash} current_scope={@current_scope}>
+      <div class="mx-auto max-w-sm space-y-4">
+        <div class="text-center">
+          <.header>
+            <p>Log in</p>
+            <:subtitle>
+              <%= if @current_scope do %>
+                You need to reauthenticate to perform sensitive actions on your account.
+              <% else %>
+                Don't have an account? <.link
+                  navigate={~p"/users/register"}
+                  class="font-semibold text-brand hover:underline"
+                  phx-no-format
+                >Sign up</.link> for an account now.
+              <% end %>
+            </:subtitle>
+          </.header>
+        </div>
+
+        <div :if={local_mail_adapter?()} class="alert alert-info">
+          <.icon name="hero-information-circle" class="size-6 shrink-0" />
+          <div>
+            <p>You are running the local mail adapter.</p>
+            <p>
+              To see sent emails, visit <.link href="/dev/mailbox" class="underline">the mailbox page</.link>.
+            </p>
+          </div>
+        </div>
+
+        <.form
+          :let={f}
+          for={@form}
+          id="login_form_magic"
+          action={~p"/users/log-in"}
+          phx-submit="submit_magic"
+        >
+          <.input
+            readonly={!!@current_scope}
+            field={f[:email]}
+            type="email"
+            label="Email"
+            autocomplete="email"
+            required
+            phx-mounted={JS.focus()}
+          />
+          <.button class="btn btn-primary w-full">
+            Log in with email <span aria-hidden="true">→</span>
+          </.button>
+        </.form>
+
+        <div class="divider">or</div>
+
+        <.form
+          :let={f}
+          for={@form}
+          id="login_form_password"
+          action={~p"/users/log-in"}
+          phx-submit="submit_password"
+          phx-trigger-action={@trigger_submit}
+        >
+          <.input
+            readonly={!!@current_scope}
+            field={f[:email]}
+            type="email"
+            label="Email"
+            autocomplete="email"
+            required
+          />
+          <.input
+            field={@form[:password]}
+            type="password"
+            label="Password"
+            autocomplete="current-password"
+          />
+          <.button class="btn btn-primary w-full" name={@form[:remember_me].name} value="true">
+            Log in and stay logged in <span aria-hidden="true">→</span>
+          </.button>
+          <.button class="btn btn-primary btn-soft w-full mt-2">
+            Log in only this time
+          </.button>
+        </.form>
+      </div>
+    </Layouts.app>
+    """
+  end
+
+  @impl true
+  def mount(_params, _session, socket) do
+    email =
+      Phoenix.Flash.get(socket.assigns.flash, :email) ||
+        get_in(socket.assigns, [:current_scope, Access.key(:user), Access.key(:email)])
+
+    form = to_form(%{"email" => email}, as: "user")
+
+    {:ok, assign(socket, form: form, trigger_submit: false)}
+  end
+
+  @impl true
+  def handle_event("submit_password", _params, socket) do
+    {:noreply, assign(socket, :trigger_submit, true)}
+  end
+
+  def handle_event("submit_magic", %{"user" => %{"email" => email}}, socket) do
+    if user = Accounts.get_user_by_email(email) do
+      Accounts.deliver_login_instructions(
+        user,
+        &url(~p"/users/log-in/#{&1}")
+      )
+    end
+
+    info =
+      "If your email is in our system, you will receive instructions for logging in shortly."
+
+    {:noreply,
+     socket
+     |> put_flash(:info, info)
+     |> push_navigate(to: ~p"/users/log-in")}
+  end
+
+  defp local_mail_adapter? do
+    Application.get_env(:beet_round_server, BeetRoundServer.Mailer)[:adapter] == Swoosh.Adapters.Local
+  end
+end
diff --git a/lib/beet_round_server_web/live/user_live/registration.ex b/lib/beet_round_server_web/live/user_live/registration.ex
new file mode 100644
index 0000000..44cf707
--- /dev/null
+++ b/lib/beet_round_server_web/live/user_live/registration.ex
@@ -0,0 +1,88 @@
+defmodule BeetRoundServerWeb.UserLive.Registration do
+  use BeetRoundServerWeb, :live_view
+
+  alias BeetRoundServer.Accounts
+  alias BeetRoundServer.Accounts.User
+
+  @impl true
+  def render(assigns) do
+    ~H"""
+    <Layouts.app flash={@flash} current_scope={@current_scope}>
+      <div class="mx-auto max-w-sm">
+        <div class="text-center">
+          <.header>
+            Register for an account
+            <:subtitle>
+              Already registered?
+              <.link navigate={~p"/users/log-in"} class="font-semibold text-brand hover:underline">
+                Log in
+              </.link>
+              to your account now.
+            </:subtitle>
+          </.header>
+        </div>
+
+        <.form for={@form} id="registration_form" phx-submit="save" phx-change="validate">
+          <.input
+            field={@form[:email]}
+            type="email"
+            label="Email"
+            autocomplete="username"
+            required
+            phx-mounted={JS.focus()}
+          />
+
+          <.button phx-disable-with="Creating account..." class="btn btn-primary w-full">
+            Create an account
+          </.button>
+        </.form>
+      </div>
+    </Layouts.app>
+    """
+  end
+
+  @impl true
+  def mount(_params, _session, %{assigns: %{current_scope: %{user: user}}} = socket)
+      when not is_nil(user) do
+    {:ok, redirect(socket, to: BeetRoundServerWeb.UserAuth.signed_in_path(socket))}
+  end
+
+  def mount(_params, _session, socket) do
+    changeset = Accounts.change_user_email(%User{}, %{}, validate_unique: false)
+
+    {:ok, assign_form(socket, changeset), temporary_assigns: [form: nil]}
+  end
+
+  @impl true
+  def handle_event("save", %{"user" => user_params}, socket) do
+    case Accounts.register_user(user_params) do
+      {:ok, user} ->
+        {:ok, _} =
+          Accounts.deliver_login_instructions(
+            user,
+            &url(~p"/users/log-in/#{&1}")
+          )
+
+        {:noreply,
+         socket
+         |> put_flash(
+           :info,
+           "An email was sent to #{user.email}, please access it to confirm your account."
+         )
+         |> push_navigate(to: ~p"/users/log-in")}
+
+      {:error, %Ecto.Changeset{} = changeset} ->
+        {:noreply, assign_form(socket, changeset)}
+    end
+  end
+
+  def handle_event("validate", %{"user" => user_params}, socket) do
+    changeset = Accounts.change_user_email(%User{}, user_params, validate_unique: false)
+    {:noreply, assign_form(socket, Map.put(changeset, :action, :validate))}
+  end
+
+  defp assign_form(socket, %Ecto.Changeset{} = changeset) do
+    form = to_form(changeset, as: "user")
+    assign(socket, form: form)
+  end
+end
diff --git a/lib/beet_round_server_web/live/user_live/settings.ex b/lib/beet_round_server_web/live/user_live/settings.ex
new file mode 100644
index 0000000..2e49a8d
--- /dev/null
+++ b/lib/beet_round_server_web/live/user_live/settings.ex
@@ -0,0 +1,157 @@
+defmodule BeetRoundServerWeb.UserLive.Settings do
+  use BeetRoundServerWeb, :live_view
+
+  on_mount {BeetRoundServerWeb.UserAuth, :require_sudo_mode}
+
+  alias BeetRoundServer.Accounts
+
+  @impl true
+  def render(assigns) do
+    ~H"""
+    <Layouts.app flash={@flash} current_scope={@current_scope}>
+      <div class="text-center">
+        <.header>
+          Account Settings
+          <:subtitle>Manage your account email address and password settings</:subtitle>
+        </.header>
+      </div>
+
+      <.form for={@email_form} id="email_form" phx-submit="update_email" phx-change="validate_email">
+        <.input
+          field={@email_form[:email]}
+          type="email"
+          label="Email"
+          autocomplete="username"
+          required
+        />
+        <.button variant="primary" phx-disable-with="Changing...">Change Email</.button>
+      </.form>
+
+      <div class="divider" />
+
+      <.form
+        for={@password_form}
+        id="password_form"
+        action={~p"/users/update-password"}
+        method="post"
+        phx-change="validate_password"
+        phx-submit="update_password"
+        phx-trigger-action={@trigger_submit}
+      >
+        <input
+          name={@password_form[:email].name}
+          type="hidden"
+          id="hidden_user_email"
+          autocomplete="username"
+          value={@current_email}
+        />
+        <.input
+          field={@password_form[:password]}
+          type="password"
+          label="New password"
+          autocomplete="new-password"
+          required
+        />
+        <.input
+          field={@password_form[:password_confirmation]}
+          type="password"
+          label="Confirm new password"
+          autocomplete="new-password"
+        />
+        <.button variant="primary" phx-disable-with="Saving...">
+          Save Password
+        </.button>
+      </.form>
+    </Layouts.app>
+    """
+  end
+
+  @impl true
+  def mount(%{"token" => token}, _session, socket) do
+    socket =
+      case Accounts.update_user_email(socket.assigns.current_scope.user, token) do
+        {:ok, _user} ->
+          put_flash(socket, :info, "Email changed successfully.")
+
+        {:error, _} ->
+          put_flash(socket, :error, "Email change link is invalid or it has expired.")
+      end
+
+    {:ok, push_navigate(socket, to: ~p"/users/settings")}
+  end
+
+  def mount(_params, _session, socket) do
+    user = socket.assigns.current_scope.user
+    email_changeset = Accounts.change_user_email(user, %{}, validate_unique: false)
+    password_changeset = Accounts.change_user_password(user, %{}, hash_password: false)
+
+    socket =
+      socket
+      |> assign(:current_email, user.email)
+      |> assign(:email_form, to_form(email_changeset))
+      |> assign(:password_form, to_form(password_changeset))
+      |> assign(:trigger_submit, false)
+
+    {:ok, socket}
+  end
+
+  @impl true
+  def handle_event("validate_email", params, socket) do
+    %{"user" => user_params} = params
+
+    email_form =
+      socket.assigns.current_scope.user
+      |> Accounts.change_user_email(user_params, validate_unique: false)
+      |> Map.put(:action, :validate)
+      |> to_form()
+
+    {:noreply, assign(socket, email_form: email_form)}
+  end
+
+  def handle_event("update_email", params, socket) do
+    %{"user" => user_params} = params
+    user = socket.assigns.current_scope.user
+    true = Accounts.sudo_mode?(user)
+
+    case Accounts.change_user_email(user, user_params) do
+      %{valid?: true} = changeset ->
+        Accounts.deliver_user_update_email_instructions(
+          Ecto.Changeset.apply_action!(changeset, :insert),
+          user.email,
+          &url(~p"/users/settings/confirm-email/#{&1}")
+        )
+
+        info = "A link to confirm your email change has been sent to the new address."
+        {:noreply, socket |> put_flash(:info, info)}
+
+      changeset ->
+        {:noreply, assign(socket, :email_form, to_form(changeset, action: :insert))}
+    end
+  end
+
+  def handle_event("validate_password", params, socket) do
+    %{"user" => user_params} = params
+
+    password_form =
+      socket.assigns.current_scope.user
+      |> Accounts.change_user_password(user_params, hash_password: false)
+      |> Map.put(:action, :validate)
+      |> to_form()
+
+    {:noreply, assign(socket, password_form: password_form)}
+  end
+
+  def handle_event("update_password", params, socket) do
+    %{"user" => user_params} = params
+    user = socket.assigns.current_scope.user
+    true = Accounts.sudo_mode?(user)
+
+    case Accounts.change_user_password(user, user_params) do
+      %{valid?: true} = changeset ->
+        {:noreply, assign(socket, trigger_submit: true, password_form: to_form(changeset))}
+
+      changeset ->
+        {:noreply, assign(socket, password_form: to_form(changeset, action: :insert))}
+    end
+  end
+end
diff --git a/lib/beet_round_server_web/router.ex b/lib/beet_round_server_web/router.ex
index 514cd9c..0d56990 100644
--- a/lib/beet_round_server_web/router.ex
+++ b/lib/beet_round_server_web/router.ex
@@ -1,6 +1,8 @@
 defmodule BeetRoundServerWeb.Router do
   use BeetRoundServerWeb, :router
 
+  import BeetRoundServerWeb.UserAuth
+
   pipeline :browser do
     plug :accepts, ["html"]
     plug :fetch_session
@@ -8,6 +10,7 @@ defmodule BeetRoundServerWeb.Router do
     plug :put_root_layout, html: {BeetRoundServerWeb.Layouts, :root}
     plug :protect_from_forgery
     plug :put_secure_browser_headers
+    plug :fetch_current_scope_for_user
   end
 
   pipeline :api do
@@ -41,4 +44,32 @@ defmodule BeetRoundServerWeb.Router do
       forward "/mailbox", Plug.Swoosh.MailboxPreview
     end
   end
+
+  ## Authentication routes
+
+  scope "/", BeetRoundServerWeb do
+    pipe_through [:browser, :require_authenticated_user]
+
+    live_session :require_authenticated_user,
+      on_mount: [{BeetRoundServerWeb.UserAuth, :require_authenticated}] do
+      live "/users/settings", UserLive.Settings, :edit
+      live "/users/settings/confirm-email/:token", UserLive.Settings, :confirm_email
+    end
+
+    post "/users/update-password", UserSessionController, :update_password
+  end
+
+  scope "/", BeetRoundServerWeb do
+    pipe_through [:browser]
+
+    live_session :current_user,
+      on_mount: [{BeetRoundServerWeb.UserAuth, :mount_current_scope}] do
+      live "/users/register", UserLive.Registration, :new
+      live "/users/log-in", UserLive.Login, :new
+      live "/users/log-in/:token", UserLive.Confirmation, :new
+    end
+
+    post "/users/log-in", UserSessionController, :create
+    delete "/users/log-out", UserSessionController, :delete
+  end
 end
diff --git a/lib/beet_round_server_web/user_auth.ex b/lib/beet_round_server_web/user_auth.ex
new file mode 100644
index 0000000..343b204
--- /dev/null
+++ b/lib/beet_round_server_web/user_auth.ex
@@ -0,0 +1,287 @@
+defmodule BeetRoundServerWeb.UserAuth do
+  use BeetRoundServerWeb, :verified_routes
+
+  import Plug.Conn
+  import Phoenix.Controller
+
+  alias BeetRoundServer.Accounts
+  alias BeetRoundServer.Accounts.Scope
+
+  # Make the remember me cookie valid for 14 days. This should match
+  # the session validity setting in UserToken.
+  @max_cookie_age_in_days 14
+  @remember_me_cookie "_beet_round_server_web_user_remember_me"
+  @remember_me_options [
+    sign: true,
+    max_age: @max_cookie_age_in_days * 24 * 60 * 60,
+    same_site: "Lax"
+  ]
+
+  # How old the session token should be before a new one is issued. When a request is made
+  # with a session token older than this value, then a new session token will be created
+  # and the session and remember-me cookies (if set) will be updated with the new token.
+  # Lowering this value will result in more tokens being created by active users. Increasing
+  # it will result in less time before a session token expires for a user to get issued a new
+  # token. This can be set to a value greater than `@max_cookie_age_in_days` to disable
+  # the reissuing of tokens completely.
+  @session_reissue_age_in_days 7
+
+  @doc """
+  Logs the user in.
+
+  Redirects to the session's `:user_return_to` path
+  or falls back to the `signed_in_path/1`.
+  """
+  def log_in_user(conn, user, params \\ %{}) do
+    user_return_to = get_session(conn, :user_return_to)
+
+    conn
+    |> create_or_extend_session(user, params)
+    |> redirect(to: user_return_to || signed_in_path(conn))
+  end
+
+  @doc """
+  Logs the user out.
+
+  It clears all session data for safety. See renew_session.
+  """
+  def log_out_user(conn) do
+    user_token = get_session(conn, :user_token)
+    user_token && Accounts.delete_user_session_token(user_token)
+
+    if live_socket_id = get_session(conn, :live_socket_id) do
+      BeetRoundServerWeb.Endpoint.broadcast(live_socket_id, "disconnect", %{})
+    end
+
+    conn
+    |> renew_session(nil)
+    |> delete_resp_cookie(@remember_me_cookie)
+    |> redirect(to: ~p"/")
+  end
+
+  @doc """
+  Authenticates the user by looking into the session and remember me token.
+
+  Will reissue the session token if it is older than the configured age.
+  """
+  def fetch_current_scope_for_user(conn, _opts) do
+    with {token, conn} <- ensure_user_token(conn),
+         {user, token_inserted_at} <- Accounts.get_user_by_session_token(token) do
+      conn
+      |> assign(:current_scope, Scope.for_user(user))
+      |> maybe_reissue_user_session_token(user, token_inserted_at)
+    else
+      nil -> assign(conn, :current_scope, Scope.for_user(nil))
+    end
+  end
+
+  defp ensure_user_token(conn) do
+    if token = get_session(conn, :user_token) do
+      {token, conn}
+    else
+      conn = fetch_cookies(conn, signed: [@remember_me_cookie])
+
+      if token = conn.cookies[@remember_me_cookie] do
+        {token, conn |> put_token_in_session(token) |> put_session(:user_remember_me, true)}
+      else
+        nil
+      end
+    end
+  end
+
+  # Reissue the session token if it is older than the configured reissue age.
+  defp maybe_reissue_user_session_token(conn, user, token_inserted_at) do
+    token_age = DateTime.diff(DateTime.utc_now(:second), token_inserted_at, :day)
+
+    if token_age >= @session_reissue_age_in_days do
+      create_or_extend_session(conn, user, %{})
+    else
+      conn
+    end
+  end
+
+  # This function is the one responsible for creating session tokens
+  # and storing them safely in the session and cookies. It may be called
+  # either when logging in, during sudo mode, or to renew a session which
+  # will soon expire.
+  #
+  # When the session is created, rather than extended, the renew_session
+  # function will clear the session to avoid fixation attacks. See the
+  # renew_session function to customize this behaviour.
+  defp create_or_extend_session(conn, user, params) do
+    token = Accounts.generate_user_session_token(user)
+    remember_me = get_session(conn, :user_remember_me)
+
+    conn
+    |> renew_session(user)
+    |> put_token_in_session(token)
+    |> maybe_write_remember_me_cookie(token, params, remember_me)
+  end
+
+  # Do not renew session if the user is already logged in
+  # to prevent CSRF errors or data being lost in tabs that are still open
+  defp renew_session(conn, user) when conn.assigns.current_scope.user.id == user.id do
+    conn
+  end
+
+  # This function renews the session ID and erases the whole
+  # session to avoid fixation attacks. If there is any data
+  # in the session you may want to preserve after log in/log out,
+  # you must explicitly fetch the session data before clearing
+  # and then immediately set it after clearing, for example:
+  #
+  #     defp renew_session(conn, _user) do
+  #       delete_csrf_token()
+  #       preferred_locale = get_session(conn, :preferred_locale)
+  #
+  #       conn
+  #       |> configure_session(renew: true)
+  #       |> clear_session()
+  #       |> put_session(:preferred_locale, preferred_locale)
+  #     end
+  #
+  defp renew_session(conn, _user) do
+    delete_csrf_token()
+
+    conn
+    |> configure_session(renew: true)
+    |> clear_session()
+  end
+
+  defp maybe_write_remember_me_cookie(conn, token, %{"remember_me" => "true"}, _),
+    do: write_remember_me_cookie(conn, token)
+
+  defp maybe_write_remember_me_cookie(conn, token, _params, true),
+    do: write_remember_me_cookie(conn, token)
+
+  defp maybe_write_remember_me_cookie(conn, _token, _params, _), do: conn
+
+  defp write_remember_me_cookie(conn, token) do
+    conn
+    |> put_session(:user_remember_me, true)
+    |> put_resp_cookie(@remember_me_cookie, token, @remember_me_options)
+  end
+
+  defp put_token_in_session(conn, token) do
+    conn
+    |> put_session(:user_token, token)
+    |> put_session(:live_socket_id, user_session_topic(token))
+  end
+
+  @doc """
+  Disconnects existing sockets for the given tokens.
+  """
+  def disconnect_sessions(tokens) do
+    Enum.each(tokens, fn %{token: token} ->
+      BeetRoundServerWeb.Endpoint.broadcast(user_session_topic(token), "disconnect", %{})
+    end)
+  end
+
+  defp user_session_topic(token), do: "users_sessions:#{Base.url_encode64(token)}"
+
+  @doc """
+  Handles mounting and authenticating the current_scope in LiveViews.
+
+  ## `on_mount` arguments
+
+    * `:mount_current_scope` - Assigns current_scope
+      to socket assigns based on user_token, or nil if
+      there's no user_token or no matching user.
+
+    * `:require_authenticated` - Authenticates the user from the session,
+      and assigns the current_scope to socket assigns based
+      on user_token.
+      Redirects to login page if there's no logged user.
+
+  ## Examples
+
+  Use the `on_mount` lifecycle macro in LiveViews to mount or authenticate
+  the `current_scope`:
+
+      defmodule BeetRoundServerWeb.PageLive do
+        use BeetRoundServerWeb, :live_view
+
+        on_mount {BeetRoundServerWeb.UserAuth, :mount_current_scope}
+        ...
+      end
+
+  Or use the `live_session` of your router to invoke the on_mount callback:
+
+      live_session :authenticated, on_mount: [{BeetRoundServerWeb.UserAuth, :require_authenticated}] do
+        live "/profile", ProfileLive, :index
+      end
+  """
+  def on_mount(:mount_current_scope, _params, session, socket) do
+    {:cont, mount_current_scope(socket, session)}
+  end
+
+  def on_mount(:require_authenticated, _params, session, socket) do
+    socket = mount_current_scope(socket, session)
+
+    if socket.assigns.current_scope && socket.assigns.current_scope.user do
+      {:cont, socket}
+    else
+      socket =
+        socket
+        |> Phoenix.LiveView.put_flash(:error, "You must log in to access this page.")
+        |> Phoenix.LiveView.redirect(to: ~p"/users/log-in")
+
+      {:halt, socket}
+    end
+  end
+
+  def on_mount(:require_sudo_mode, _params, session, socket) do
+    socket = mount_current_scope(socket, session)
+
+    if Accounts.sudo_mode?(socket.assigns.current_scope.user, -10) do
+      {:cont, socket}
+    else
+      socket =
+        socket
+        |> Phoenix.LiveView.put_flash(:error, "You must re-authenticate to access this page.")
+        |> Phoenix.LiveView.redirect(to: ~p"/users/log-in")
+
+      {:halt, socket}
+    end
+  end
+
+  defp mount_current_scope(socket, session) do
+    Phoenix.Component.assign_new(socket, :current_scope, fn ->
+      {user, _} =
+        if user_token = session["user_token"] do
+          Accounts.get_user_by_session_token(user_token)
+        end || {nil, nil}
+
+      Scope.for_user(user)
+    end)
+  end
+
+  @doc "Returns the path to redirect to after log in."
+  # the user was already logged in, redirect to settings
+  def signed_in_path(%Plug.Conn{assigns: %{current_scope: %Scope{user: %Accounts.User{}}}}) do
+    ~p"/users/settings"
+  end
+
+  def signed_in_path(_), do: ~p"/"
+
+  @doc """
+  Plug for routes that require the user to be authenticated.
+  """
+  def require_authenticated_user(conn, _opts) do
+    if conn.assigns.current_scope && conn.assigns.current_scope.user do
+      conn
+    else
+      conn
+      |> put_flash(:error, "You must log in to access this page.")
+      |> maybe_store_return_to()
+      |> redirect(to: ~p"/users/log-in")
+      |> halt()
+    end
+  end
+
+  defp maybe_store_return_to(%{method: "GET"} = conn) do
+    put_session(conn, :user_return_to, current_path(conn))
+  end
+
+  defp maybe_store_return_to(conn), do: conn
+end
diff --git a/mix.exs b/mix.exs
index e0bc17d..e33adc6 100644
--- a/mix.exs
+++ b/mix.exs
@@ -40,6 +40,7 @@ defmodule BeetRoundServer.MixProject do
   # Type `mix help deps` for examples and options.
   defp deps do
     [
+      {:bcrypt_elixir, "~> 3.0"},
       {:phoenix, "~> 1.8.0"},
       {:phoenix_ecto, "~> 4.5"},
       {:ecto_sql, "~> 3.13"},
diff --git a/mix.lock b/mix.lock
index cde09b7..8a43846 100644
--- a/mix.lock
+++ b/mix.lock
@@ -1,6 +1,8 @@
 %{
   "bandit": {:hex, :bandit, "1.10.1", "6b1f8609d947ae2a74da5bba8aee938c94348634e54e5625eef622ca0bbbb062", [:mix], [{:hpax, "~> 1.0", [hex: :hpax, repo: "hexpm", optional: false]}, {:plug, "~> 1.18", [hex: :plug, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}, {:thousand_island, "~> 1.0", [hex: :thousand_island, repo: "hexpm", optional: false]}, {:websock, "~> 0.5", [hex: :websock, repo: "hexpm", optional: false]}], "hexpm", "4b4c35f273030e44268ace53bf3d5991dfc385c77374244e2f960876547671aa"},
+  "bcrypt_elixir": {:hex, :bcrypt_elixir, "3.3.2", "d50091e3c9492d73e17fc1e1619a9b09d6a5ef99160eb4d736926fd475a16ca3", [:make, :mix], [{:comeonin, "~> 5.3", [hex: :comeonin, repo: "hexpm", optional: false]}, {:elixir_make, "~> 0.6", [hex: :elixir_make, repo: "hexpm", optional: false]}], "hexpm", "471be5151874ae7931911057d1467d908955f93554f7a6cd1b7d804cac8cef53"},
   "cc_precompiler": {:hex, :cc_precompiler, "0.1.11", "8c844d0b9fb98a3edea067f94f616b3f6b29b959b6b3bf25fee94ffe34364768", [:mix], [{:elixir_make, "~> 0.7", [hex: :elixir_make, repo: "hexpm", optional: false]}], "hexpm", "3427232caf0835f94680e5bcf082408a70b48ad68a5f5c0b02a3bea9f3a075b9"},
+  "comeonin": {:hex, :comeonin, "5.5.1", "5113e5f3800799787de08a6e0db307133850e635d34e9fab23c70b6501669510", [:mix], [], "hexpm", "65aac8f19938145377cee73973f192c5645873dcf550a8a6b18187d17c13ccdb"},
   "db_connection": {:hex, :db_connection, "2.9.0", "a6a97c5c958a2d7091a58a9be40caf41ab496b0701d21e1d1abff3fa27a7f371", [:mix], [{:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "17d502eacaf61829db98facf6f20808ed33da6ccf495354a41e64fe42f9c509c"},
   "decimal": {:hex, :decimal, "2.3.0", "3ad6255aa77b4a3c4f818171b12d237500e63525c2fd056699967a3e7ea20f62", [:mix], [], "hexpm", "a4d66355cb29cb47c3cf30e71329e58361cfcb37c34235ef3bf1d7bf3773aeac"},
   "dns_cluster": {:hex, :dns_cluster, "0.2.0", "aa8eb46e3bd0326bd67b84790c561733b25c5ba2fe3c7e36f28e88f384ebcb33", [:mix], [], "hexpm", "ba6f1893411c69c01b9e8e8f772062535a4cf70f3f35bcc964a324078d8c8240"},
diff --git a/priv/repo/migrations/20260120133604_create_users_auth_tables.exs b/priv/repo/migrations/20260120133604_create_users_auth_tables.exs
new file mode 100644
index 0000000..c6c531f
--- /dev/null
+++ b/priv/repo/migrations/20260120133604_create_users_auth_tables.exs
@@ -0,0 +1,32 @@
+defmodule BeetRoundServer.Repo.Migrations.CreateUsersAuthTables do
+  use Ecto.Migration
+
+  def change do
+    execute "CREATE EXTENSION IF NOT EXISTS citext", ""
+
+    create table(:users, primary_key: false) do
+      add :id, :binary_id, primary_key: true
+      add :email, :citext, null: false
+      add :hashed_password, :string
+      add :confirmed_at, :utc_datetime
+
+      timestamps(type: :utc_datetime)
+    end
+
+    create unique_index(:users, [:email])
+
+    create table(:users_tokens, primary_key: false) do
+      add :id, :binary_id, primary_key: true
+      add :user_id, references(:users, type: :binary_id, on_delete: :delete_all), null: false
+      add :token, :binary, null: false
+      add :context, :string, null: false
+      add :sent_to, :string
+      add :authenticated_at, :utc_datetime
+
+      timestamps(type: :utc_datetime, updated_at: false)
+    end
+
+    create index(:users_tokens, [:user_id])
+    create unique_index(:users_tokens, [:context, :token])
+  end
+end
diff --git a/test/beet_round_server/accounts_test.exs b/test/beet_round_server/accounts_test.exs
new file mode 100644
index 0000000..3f0ac39
--- /dev/null
+++ b/test/beet_round_server/accounts_test.exs
@@ -0,0 +1,397 @@
+defmodule BeetRoundServer.AccountsTest do
+  use BeetRoundServer.DataCase
+
+  alias BeetRoundServer.Accounts
+
+  import BeetRoundServer.AccountsFixtures
+  alias BeetRoundServer.Accounts.{User, UserToken}
+
+  describe "get_user_by_email/1" do
+    test "does not return the user if the email does not exist" do
+      refute Accounts.get_user_by_email("unknown@example.com")
+    end
+
+    test "returns the user if the email exists" do
+      %{id: id} = user = user_fixture()
+      assert %User{id: ^id} = Accounts.get_user_by_email(user.email)
+    end
+  end
+
+  describe "get_user_by_email_and_password/2" do
+    test "does not return the user if the email does not exist" do
+      refute Accounts.get_user_by_email_and_password("unknown@example.com", "hello world!")
+    end
+
+    test "does not return the user if the password is not valid" do
+      user = user_fixture() |> set_password()
+      refute Accounts.get_user_by_email_and_password(user.email, "invalid")
+    end
+
+    test "returns the user if the email and password are valid" do
+      %{id: id} = user = user_fixture() |> set_password()
+
+      assert %User{id: ^id} =
+               Accounts.get_user_by_email_and_password(user.email, valid_user_password())
+    end
+  end
+
+  describe "get_user!/1" do
+    test "raises if id is invalid" do
+      assert_raise Ecto.NoResultsError, fn ->
+        Accounts.get_user!("11111111-1111-1111-1111-111111111111")
+      end
+    end
+
+    test "returns the user with the given id" do
+      %{id: id} = user = user_fixture()
+      assert %User{id: ^id} = Accounts.get_user!(user.id)
+    end
+  end
+
+  describe "register_user/1" do
+    test "requires email to be set" do
+      {:error, changeset} = Accounts.register_user(%{})
+
+      assert %{email: ["can't be blank"]} = errors_on(changeset)
+    end
+
+    test "validates email when given" do
+      {:error, changeset} = Accounts.register_user(%{email: "not valid"})
+
+      assert %{email: ["must have the @ sign and no spaces"]} = errors_on(changeset)
+    end
+
+    test "validates maximum values for email for security" do
+      too_long = String.duplicate("db", 100)
+      {:error, changeset} = Accounts.register_user(%{email: too_long})
+      assert "should be at most 160 character(s)" in errors_on(changeset).email
+    end
+
+    test "validates email uniqueness" do
+      %{email: email} = user_fixture()
+      {:error, changeset} = Accounts.register_user(%{email: email})
+      assert "has already been taken" in errors_on(changeset).email
+
+      # Now try with the uppercased email too, to check that email case is ignored.
+      {:error, changeset} = Accounts.register_user(%{email: String.upcase(email)})
+      assert "has already been taken" in errors_on(changeset).email
+    end
+
+    test "registers users without password" do
+      email = unique_user_email()
+      {:ok, user} = Accounts.register_user(valid_user_attributes(email: email))
+      assert user.email == email
+      assert is_nil(user.hashed_password)
+      assert is_nil(user.confirmed_at)
+      assert is_nil(user.password)
+    end
+  end
+
+  describe "sudo_mode?/2" do
+    test "validates the authenticated_at time" do
+      now = DateTime.utc_now()
+
+      assert Accounts.sudo_mode?(%User{authenticated_at: DateTime.utc_now()})
+      assert Accounts.sudo_mode?(%User{authenticated_at: DateTime.add(now, -19, :minute)})
+      refute Accounts.sudo_mode?(%User{authenticated_at: DateTime.add(now, -21, :minute)})
+
+      # minute override
+      refute Accounts.sudo_mode?(
+               %User{authenticated_at: DateTime.add(now, -11, :minute)},
+               -10
+             )
+
+      # not authenticated
+      refute Accounts.sudo_mode?(%User{})
+    end
+  end
+
+  describe "change_user_email/3" do
+    test "returns a user changeset" do
+      assert %Ecto.Changeset{} = changeset = Accounts.change_user_email(%User{})
+      assert changeset.required == [:email]
+    end
+  end
+
+  describe "deliver_user_update_email_instructions/3" do
+    setup do
+      %{user: user_fixture()}
+    end
+
+    test "sends token through notification", %{user: user} do
+      token =
+        extract_user_token(fn url ->
+          Accounts.deliver_user_update_email_instructions(user, "current@example.com", url)
+        end)
+
+      {:ok, token} = Base.url_decode64(token, padding: false)
+      assert user_token = Repo.get_by(UserToken, token: :crypto.hash(:sha256, token))
+      assert user_token.user_id == user.id
+      assert user_token.sent_to == user.email
+      assert user_token.context == "change:current@example.com"
+    end
+  end
+
+  describe "update_user_email/2" do
+    setup do
+      user = unconfirmed_user_fixture()
+      email = unique_user_email()
+
+      token =
+        extract_user_token(fn url ->
+          Accounts.deliver_user_update_email_instructions(%{user | email: email}, user.email, url)
+        end)
+
+      %{user: user, token: token, email: email}
+    end
+
+    test "updates the email with a valid token", %{user: user, token: token, email: email} do
+      assert {:ok, %{email: ^email}} = Accounts.update_user_email(user, token)
+      changed_user = Repo.get!(User, user.id)
+      assert changed_user.email != user.email
+      assert changed_user.email == email
+      refute Repo.get_by(UserToken, user_id: user.id)
+    end
+
+    test "does not update email with invalid token", %{user: user} do
+      assert Accounts.update_user_email(user, "oops") ==
+               {:error, :transaction_aborted}
+
+      assert Repo.get!(User, user.id).email == user.email
+      assert Repo.get_by(UserToken, user_id: user.id)
+    end
+
+    test "does not update email if user email changed", %{user: user, token: token} do
+      assert Accounts.update_user_email(%{user | email: "current@example.com"}, token) ==
+               {:error, :transaction_aborted}
+
+      assert Repo.get!(User, user.id).email == user.email
+      assert Repo.get_by(UserToken, user_id: user.id)
+    end
+
+    test "does not update email if token expired", %{user: user, token: token} do
+      {1, nil} = Repo.update_all(UserToken, set: [inserted_at: ~N[2020-01-01 00:00:00]])
+
+      assert Accounts.update_user_email(user, token) ==
+               {:error, :transaction_aborted}
+
+      assert Repo.get!(User, user.id).email == user.email
+      assert Repo.get_by(UserToken, user_id: user.id)
+    end
+  end
+
+  describe "change_user_password/3" do
+    test "returns a user changeset" do
+      assert %Ecto.Changeset{} = changeset = Accounts.change_user_password(%User{})
+      assert changeset.required == [:password]
+    end
+
+    test "allows fields to be set" do
+      changeset =
+        Accounts.change_user_password(
+          %User{},
+          %{
+            "password" => "new valid password"
+          },
+          hash_password: false
+        )
+
+      assert changeset.valid?
+      assert get_change(changeset, :password) == "new valid password"
+      assert is_nil(get_change(changeset, :hashed_password))
+    end
+  end
+
+  describe "update_user_password/2" do
+    setup do
+      %{user: user_fixture()}
+    end
+
+    test "validates password", %{user: user} do
+      {:error, changeset} =
+        Accounts.update_user_password(user, %{
+          password: "not valid",
+          password_confirmation: "another"
+        })
+
+      assert %{
+               password: ["should be at least 12 character(s)"],
+               password_confirmation: ["does not match password"]
+             } = errors_on(changeset)
+    end
+
+    test "validates maximum values for password for security", %{user: user} do
+      too_long = String.duplicate("db", 100)
+
+      {:error, changeset} =
+        Accounts.update_user_password(user, %{password: too_long})
+
+      assert "should be at most 72 character(s)" in errors_on(changeset).password
+    end
+
+    test "updates the password", %{user: user} do
+      {:ok, {user, expired_tokens}} =
+        Accounts.update_user_password(user, %{
+          password: "new valid password"
+        })
+
+      assert expired_tokens == []
+      assert is_nil(user.password)
+      assert Accounts.get_user_by_email_and_password(user.email, "new valid password")
+    end
+
+    test "deletes all tokens for the given user", %{user: user} do
+      _ = Accounts.generate_user_session_token(user)
+
+      {:ok, {_, _}} =
+        Accounts.update_user_password(user, %{
+          password: "new valid password"
+        })
+
+      refute Repo.get_by(UserToken, user_id: user.id)
+    end
+  end
+
+  describe "generate_user_session_token/1" do
+    setup do
+      %{user: user_fixture()}
+    end
+
+    test "generates a token", %{user: user} do
+      token = Accounts.generate_user_session_token(user)
+      assert user_token = Repo.get_by(UserToken, token: token)
+      assert user_token.context == "session"
+      assert user_token.authenticated_at != nil
+
+      # Creating the same token for another user should fail
+      assert_raise Ecto.ConstraintError, fn ->
+        Repo.insert!(%UserToken{
+          token: user_token.token,
+          user_id: user_fixture().id,
+          context: "session"
+        })
+      end
+    end
+
+    test "duplicates the authenticated_at of given user in new token", %{user: user} do
+      user = %{user | authenticated_at: DateTime.add(DateTime.utc_now(:second), -3600)}
+      token = Accounts.generate_user_session_token(user)
+      assert user_token = Repo.get_by(UserToken, token: token)
+      assert user_token.authenticated_at == user.authenticated_at
+      assert DateTime.compare(user_token.inserted_at, user.authenticated_at) == :gt
+    end
+  end
+
+  describe "get_user_by_session_token/1" do
+    setup do
+      user = user_fixture()
+      token = Accounts.generate_user_session_token(user)
+      %{user: user, token: token}
+    end
+
+    test "returns user by token", %{user: user, token: token} do
+      assert {session_user, token_inserted_at} = Accounts.get_user_by_session_token(token)
+      assert session_user.id == user.id
+      assert session_user.authenticated_at != nil
+      assert token_inserted_at != nil
+    end
+
+    test "does not return user for invalid token" do
+      refute Accounts.get_user_by_session_token("oops")
+    end
+
+    test "does not return user for expired token", %{token: token} do
+      dt = ~N[2020-01-01 00:00:00]
+      {1, nil} = Repo.update_all(UserToken, set: [inserted_at: dt, authenticated_at: dt])
+      refute Accounts.get_user_by_session_token(token)
+    end
+  end
+
+  describe "get_user_by_magic_link_token/1" do
+    setup do
+      user = user_fixture()
+      {encoded_token, _hashed_token} = generate_user_magic_link_token(user)
+      %{user: user, token: encoded_token}
+    end
+
+    test "returns user by token", %{user: user, token: token} do
+      assert session_user = Accounts.get_user_by_magic_link_token(token)
+      assert session_user.id == user.id
+    end
+
+    test "does not return user for invalid token" do
+      refute Accounts.get_user_by_magic_link_token("oops")
+    end
+
+    test "does not return user for expired token", %{token: token} do
+      {1, nil} = Repo.update_all(UserToken, set: [inserted_at: ~N[2020-01-01 00:00:00]])
+      refute Accounts.get_user_by_magic_link_token(token)
+    end
+  end
+
+  describe "login_user_by_magic_link/1" do
+    test "confirms user and expires tokens" do
+      user = unconfirmed_user_fixture()
+      refute user.confirmed_at
+      {encoded_token, hashed_token} = generate_user_magic_link_token(user)
+
+      assert {:ok, {user, [%{token: ^hashed_token}]}} =
+               Accounts.login_user_by_magic_link(encoded_token)
+
+      assert user.confirmed_at
+    end
+
+    test "returns user and (deleted) token for confirmed user" do
+      user = user_fixture()
+      assert user.confirmed_at
+      {encoded_token, _hashed_token} = generate_user_magic_link_token(user)
+      assert {:ok, {^user, []}} = Accounts.login_user_by_magic_link(encoded_token)
+      # one time use only
+      assert {:error, :not_found} = Accounts.login_user_by_magic_link(encoded_token)
+    end
+
+    test "raises when unconfirmed user has password set" do
+      user = unconfirmed_user_fixture()
+      {1, nil} = Repo.update_all(User, set: [hashed_password: "hashed"])
+      {encoded_token, _hashed_token} = generate_user_magic_link_token(user)
+
+      assert_raise RuntimeError, ~r/magic link log in is not allowed/, fn ->
+        Accounts.login_user_by_magic_link(encoded_token)
+      end
+    end
+  end
+
+  describe "delete_user_session_token/1" do
+    test "deletes the token" do
+      user = user_fixture()
+      token = Accounts.generate_user_session_token(user)
+      assert Accounts.delete_user_session_token(token) == :ok
+      refute Accounts.get_user_by_session_token(token)
+    end
+  end
+
+  describe "deliver_login_instructions/2" do
+    setup do
+      %{user: unconfirmed_user_fixture()}
+    end
+
+    test "sends token through notification", %{user: user} do
+      token =
+        extract_user_token(fn url ->
+          Accounts.deliver_login_instructions(user, url)
+        end)
+
+      {:ok, token} = Base.url_decode64(token, padding: false)
+      assert user_token = Repo.get_by(UserToken, token: :crypto.hash(:sha256, token))
+      assert user_token.user_id == user.id
+      assert user_token.sent_to == user.email
+      assert user_token.context == "login"
+    end
+  end
+
+  describe "inspect/2 for the User module" do
+    test "does not include password" do
+      refute inspect(%User{password: "123456"}) =~ "password: \"123456\""
+    end
+  end
+end
diff --git a/test/beet_round_server_web/controllers/user_session_controller_test.exs b/test/beet_round_server_web/controllers/user_session_controller_test.exs
new file mode 100644
index 0000000..ee09e64
--- /dev/null
+++ b/test/beet_round_server_web/controllers/user_session_controller_test.exs
@@ -0,0 +1,147 @@
+defmodule BeetRoundServerWeb.UserSessionControllerTest do
+  use BeetRoundServerWeb.ConnCase, async: true
+
+  import BeetRoundServer.AccountsFixtures
+  alias BeetRoundServer.Accounts
+
+  setup do
+    %{unconfirmed_user: unconfirmed_user_fixture(), user: user_fixture()}
+  end
+
+  describe "POST /users/log-in - email and password" do
+    test "logs the user in", %{conn: conn, user: user} do
+      user = set_password(user)
+
+      conn =
+        post(conn, ~p"/users/log-in", %{
+          "user" => %{"email" => user.email, "password" => valid_user_password()}
+        })
+
+      assert get_session(conn, :user_token)
+      assert redirected_to(conn) == ~p"/"
+
+      # Now do a logged in request and assert on the menu
+      conn = get(conn, ~p"/")
+      response = html_response(conn, 200)
+      assert response =~ user.email
+      assert response =~ ~p"/users/settings"
+      assert response =~ ~p"/users/log-out"
+    end
+
+    test "logs the user in with remember me", %{conn: conn, user: user} do
+      user = set_password(user)
+
+      conn =
+        post(conn, ~p"/users/log-in", %{
+          "user" => %{
+            "email" => user.email,
+            "password" => valid_user_password(),
+            "remember_me" => "true"
+          }
+        })
+
+      assert conn.resp_cookies["_beet_round_server_web_user_remember_me"]
+      assert redirected_to(conn) == ~p"/"
+    end
+
+    test "logs the user in with return to", %{conn: conn, user: user} do
+      user = set_password(user)
+
+      conn =
+        conn
+        |> init_test_session(user_return_to: "/foo/bar")
+        |> post(~p"/users/log-in", %{
+          "user" => %{
+            "email" => user.email,
+            "password" => valid_user_password()
+          }
+        })
+
+      assert redirected_to(conn) == "/foo/bar"
+      assert Phoenix.Flash.get(conn.assigns.flash, :info) =~ "Welcome back!"
+    end
+
+    test "redirects to login page with invalid credentials", %{conn: conn, user: user} do
+      conn =
+        post(conn, ~p"/users/log-in?mode=password", %{
+          "user" => %{"email" => user.email, "password" => "invalid_password"}
+        })
+
+      assert Phoenix.Flash.get(conn.assigns.flash, :error) == "Invalid email or password"
+      assert redirected_to(conn) == ~p"/users/log-in"
+    end
+  end
+
+  describe "POST /users/log-in - magic link" do
+    test "logs the user in", %{conn: conn, user: user} do
+      {token, _hashed_token} = generate_user_magic_link_token(user)
+
+      conn =
+        post(conn, ~p"/users/log-in", %{
+          "user" => %{"token" => token}
+        })
+
+      assert get_session(conn, :user_token)
+      assert redirected_to(conn) == ~p"/"
+
+      # Now do a logged in request and assert on the menu
+      conn = get(conn, ~p"/")
+      response = html_response(conn, 200)
+      assert response =~ user.email
+      assert response =~ ~p"/users/settings"
+      assert response =~ ~p"/users/log-out"
+    end
+
+    test "confirms unconfirmed user", %{conn: conn, unconfirmed_user: user} do
+      {token, _hashed_token} = generate_user_magic_link_token(user)
+      refute user.confirmed_at
+
+      conn =
+        post(conn, ~p"/users/log-in", %{
+          "user" => %{"token" => token},
+          "_action" => "confirmed"
+        })
+
+      assert get_session(conn, :user_token)
+      assert redirected_to(conn) == ~p"/"
+      assert Phoenix.Flash.get(conn.assigns.flash, :info) =~ "User confirmed successfully."
+
+      assert Accounts.get_user!(user.id).confirmed_at
+
+      # Now do a logged in request and assert on the menu
+      conn = get(conn, ~p"/")
+      response = html_response(conn, 200)
+      assert response =~ user.email
+      assert response =~ ~p"/users/settings"
+      assert response =~ ~p"/users/log-out"
+    end
+
+    test "redirects to login page when magic link is invalid", %{conn: conn} do
+      conn =
+        post(conn, ~p"/users/log-in", %{
+          "user" => %{"token" => "invalid"}
+        })
+
+      assert Phoenix.Flash.get(conn.assigns.flash, :error) ==
+               "The link is invalid or it has expired."
+
+      assert redirected_to(conn) == ~p"/users/log-in"
+    end
+  end
+
+  describe "DELETE /users/log-out" do
+    test "logs the user out", %{conn: conn, user: user} do
+      conn = conn |> log_in_user(user) |> delete(~p"/users/log-out")
+      assert redirected_to(conn) == ~p"/"
+      refute get_session(conn, :user_token)
+      assert Phoenix.Flash.get(conn.assigns.flash, :info) =~ "Logged out successfully"
+    end
+
+    test "succeeds even if the user is not logged in", %{conn: conn} do
+      conn = delete(conn, ~p"/users/log-out")
+      assert redirected_to(conn) == ~p"/"
+      refute get_session(conn, :user_token)
+      assert Phoenix.Flash.get(conn.assigns.flash, :info) =~ "Logged out successfully"
+    end
+  end
+end
diff --git a/test/beet_round_server_web/live/user_live/confirmation_test.exs b/test/beet_round_server_web/live/user_live/confirmation_test.exs
new file mode 100644
index 0000000..b4678df
--- /dev/null
+++ b/test/beet_round_server_web/live/user_live/confirmation_test.exs
@@ -0,0 +1,118 @@
+defmodule BeetRoundServerWeb.UserLive.ConfirmationTest do
+  use BeetRoundServerWeb.ConnCase, async: true
+
+  import Phoenix.LiveViewTest
+  import BeetRoundServer.AccountsFixtures
+
+  alias BeetRoundServer.Accounts
+
+  setup do
+    %{unconfirmed_user: unconfirmed_user_fixture(), confirmed_user: user_fixture()}
+  end
+
+  describe "Confirm user" do
+    test "renders confirmation page for unconfirmed user", %{conn: conn, unconfirmed_user: user} do
+      token =
+        extract_user_token(fn url ->
+          Accounts.deliver_login_instructions(user, url)
+        end)
+
+      {:ok, _lv, html} = live(conn, ~p"/users/log-in/#{token}")
+      assert html =~ "Confirm and stay logged in"
+    end
+
+    test "renders login page for confirmed user", %{conn: conn, confirmed_user: user} do
+      token =
+        extract_user_token(fn url ->
+          Accounts.deliver_login_instructions(user, url)
+        end)
+
+      {:ok, _lv, html} = live(conn, ~p"/users/log-in/#{token}")
+      refute html =~ "Confirm my account"
+      assert html =~ "Keep me logged in on this device"
+    end
+
+    test "renders login page for already logged in user", %{conn: conn, confirmed_user: user} do
+      conn = log_in_user(conn, user)
+
+      token =
+        extract_user_token(fn url ->
+          Accounts.deliver_login_instructions(user, url)
+        end)
+
+      {:ok, _lv, html} = live(conn, ~p"/users/log-in/#{token}")
+      refute html =~ "Confirm my account"
+      assert html =~ "Log in"
+    end
+
+    test "confirms the given token once", %{conn: conn, unconfirmed_user: user} do
+      token =
+        extract_user_token(fn url ->
+          Accounts.deliver_login_instructions(user, url)
+        end)
+
+      {:ok, lv, _html} = live(conn, ~p"/users/log-in/#{token}")
+
+      form = form(lv, "#confirmation_form", %{"user" => %{"token" => token}})
+      render_submit(form)
+
+      conn = follow_trigger_action(form, conn)
+
+      assert Phoenix.Flash.get(conn.assigns.flash, :info) =~
+               "User confirmed successfully"
+
+      assert Accounts.get_user!(user.id).confirmed_at
+      # we are logged in now
+      assert get_session(conn, :user_token)
+      assert redirected_to(conn) == ~p"/"
+
+      # log out, new conn
+      conn = build_conn()
+
+      {:ok, _lv, html} =
+        live(conn, ~p"/users/log-in/#{token}")
+        |> follow_redirect(conn, ~p"/users/log-in")
+
+      assert html =~ "Magic link is invalid or it has expired"
+    end
+
+    test "logs confirmed user in without changing confirmed_at", %{
+      conn: conn,
+      confirmed_user: user
+    } do
+      token =
+        extract_user_token(fn url ->
+          Accounts.deliver_login_instructions(user, url)
+        end)
+
+      {:ok, lv, _html} = live(conn, ~p"/users/log-in/#{token}")
+
+      form = form(lv, "#login_form", %{"user" => %{"token" => token}})
+      render_submit(form)
+
+      conn = follow_trigger_action(form, conn)
+
+      assert Phoenix.Flash.get(conn.assigns.flash, :info) =~
+               "Welcome back!"
+
+      assert Accounts.get_user!(user.id).confirmed_at == user.confirmed_at
+
+      # log out, new conn
+      conn = build_conn()
+
+      {:ok, _lv, html} =
+        live(conn, ~p"/users/log-in/#{token}")
+        |> follow_redirect(conn, ~p"/users/log-in")
+
+      assert html =~ "Magic link is invalid or it has expired"
+    end
+
+    test "raises error for invalid token", %{conn: conn} do
+      {:ok, _lv, html} =
+        live(conn, ~p"/users/log-in/invalid-token")
+        |> follow_redirect(conn, ~p"/users/log-in")
+
+      assert html =~ "Magic link is invalid or it has expired"
+    end
+  end
+end
diff --git a/test/beet_round_server_web/live/user_live/login_test.exs b/test/beet_round_server_web/live/user_live/login_test.exs
new file mode 100644
index 0000000..877826c
--- /dev/null
+++ b/test/beet_round_server_web/live/user_live/login_test.exs
@@ -0,0 +1,109 @@
+defmodule BeetRoundServerWeb.UserLive.LoginTest do
+  use BeetRoundServerWeb.ConnCase, async: true
+
+  import Phoenix.LiveViewTest
+  import BeetRoundServer.AccountsFixtures
+
+  describe "login page" do
+    test "renders login page", %{conn: conn} do
+      {:ok, _lv, html} = live(conn, ~p"/users/log-in")
+
+      assert html =~ "Log in"
+      assert html =~ "Register"
+      assert html =~ "Log in with email"
+    end
+  end
+
+  describe "user login - magic link" do
+    test "sends magic link email when user exists", %{conn: conn} do
+      user = user_fixture()
+
+      {:ok, lv, _html} = live(conn, ~p"/users/log-in")
+
+      {:ok, _lv, html} =
+        form(lv, "#login_form_magic", user: %{email: user.email})
+        |> render_submit()
+        |> follow_redirect(conn, ~p"/users/log-in")
+
+      assert html =~ "If your email is in our system"
+
+      assert BeetRoundServer.Repo.get_by!(BeetRoundServer.Accounts.UserToken, user_id: user.id).context ==
+               "login"
+    end
+
+    test "does not disclose if user is registered", %{conn: conn} do
+      {:ok, lv, _html} = live(conn, ~p"/users/log-in")
+
+      {:ok, _lv, html} =
+        form(lv, "#login_form_magic", user: %{email: "idonotexist@example.com"})
+        |> render_submit()
+        |> follow_redirect(conn, ~p"/users/log-in")
+
+      assert html =~ "If your email is in our system"
+    end
+  end
+
+  describe "user login - password" do
+    test "redirects if user logs in with valid credentials", %{conn: conn} do
+      user = user_fixture() |> set_password()
+
+      {:ok, lv, _html} = live(conn, ~p"/users/log-in")
+
+      form =
+        form(lv, "#login_form_password",
+          user: %{email: user.email, password: valid_user_password(), remember_me: true}
+        )
+
+      conn = submit_form(form, conn)
+
+      assert redirected_to(conn) == ~p"/"
+    end
+
+    test "redirects to login page with a flash error if credentials are invalid", %{
+      conn: conn
+    } do
+      {:ok, lv, _html} = live(conn, ~p"/users/log-in")
+
+      form =
+        form(lv, "#login_form_password", user: %{email: "test@email.com", password: "123456"})
+
+      render_submit(form, %{user: %{remember_me: true}})
+
+      conn = follow_trigger_action(form, conn)
+      assert Phoenix.Flash.get(conn.assigns.flash, :error) == "Invalid email or password"
+      assert redirected_to(conn) == ~p"/users/log-in"
+    end
+  end
+
+  describe "login navigation" do
+    test "redirects to registration page when the Register button is clicked", %{conn: conn} do
+      {:ok, lv, _html} = live(conn, ~p"/users/log-in")
+
+      {:ok, _login_live, login_html} =
+        lv
+        |> element("main a", "Sign up")
+        |> render_click()
+        |> follow_redirect(conn, ~p"/users/register")
+
+      assert login_html =~ "Register"
+    end
+  end
+
+  describe "re-authentication (sudo mode)" do
+    setup %{conn: conn} do
+      user = user_fixture()
+      %{user: user, conn: log_in_user(conn, user)}
+    end
+
+    test "shows login page with email filled in", %{conn: conn, user: user} do
+      {:ok, _lv, html} = live(conn, ~p"/users/log-in")
+
+      assert html =~ "You need to reauthenticate"
+      refute html =~ "Register"
+      assert html =~ "Log in with email"
+
+      assert html =~
+               ~s(<input type="email" name="user[email]" id="login_form_magic_email" value="#{user.email}")
+    end
+  end
+end
diff --git a/test/beet_round_server_web/live/user_live/registration_test.exs b/test/beet_round_server_web/live/user_live/registration_test.exs
new file mode 100644
index 0000000..5cd07c1
--- /dev/null
+++ b/test/beet_round_server_web/live/user_live/registration_test.exs
@@ -0,0 +1,82 @@
+defmodule BeetRoundServerWeb.UserLive.RegistrationTest do
+  use BeetRoundServerWeb.ConnCase, async: true
+
+  import Phoenix.LiveViewTest
+  import BeetRoundServer.AccountsFixtures
+
+  describe "Registration page" do
+    test "renders registration page", %{conn: conn} do
+      {:ok, _lv, html} = live(conn, ~p"/users/register")
+
+      assert html =~ "Register"
+      assert html =~ "Log in"
+    end
+
+    test "redirects if already logged in", %{conn: conn} do
+      result =
+        conn
+        |> log_in_user(user_fixture())
+        |> live(~p"/users/register")
+        |> follow_redirect(conn, ~p"/")
+
+      assert {:ok, _conn} = result
+    end
+
+    test "renders errors for invalid data", %{conn: conn} do
+      {:ok, lv, _html} = live(conn, ~p"/users/register")
+
+      result =
+        lv
+        |> element("#registration_form")
+        |> render_change(user: %{"email" => "with spaces"})
+
+      assert result =~ "Register"
+      assert result =~ "must have the @ sign and no spaces"
+    end
+  end
+
+  describe "register user" do
+    test "creates account but does not log in", %{conn: conn} do
+      {:ok, lv, _html} = live(conn, ~p"/users/register")
+
+      email = unique_user_email()
+      form = form(lv, "#registration_form", user: valid_user_attributes(email: email))
+
+      {:ok, _lv, html} =
+        render_submit(form)
+        |> follow_redirect(conn, ~p"/users/log-in")
+
+      assert html =~
+               ~r/An email was sent to .*, please access it to confirm your account/
+    end
+
+    test "renders errors for duplicated email", %{conn: conn} do
+      {:ok, lv, _html} = live(conn, ~p"/users/register")
+
+      user = user_fixture(%{email: "test@email.com"})
+
+      result =
+        lv
+        |> form("#registration_form",
+          user: %{"email" => user.email}
+        )
+        |> render_submit()
+
+      assert result =~ "has already been taken"
+    end
+  end
+
+  describe "registration navigation" do
+    test "redirects to login page when the Log in button is clicked", %{conn: conn} do
+      {:ok, lv, _html} = live(conn, ~p"/users/register")
+
+      {:ok, _login_live, login_html} =
+        lv
+        |> element("main a", "Log in")
+        |> render_click()
+        |> follow_redirect(conn, ~p"/users/log-in")
+
+      assert login_html =~ "Log in"
+    end
+  end
+end
diff --git a/test/beet_round_server_web/live/user_live/settings_test.exs b/test/beet_round_server_web/live/user_live/settings_test.exs
new file mode 100644
index 0000000..452ea39
--- /dev/null
+++ b/test/beet_round_server_web/live/user_live/settings_test.exs
@@ -0,0 +1,212 @@
+defmodule BeetRoundServerWeb.UserLive.SettingsTest do
+  use BeetRoundServerWeb.ConnCase, async: true
+
+  alias BeetRoundServer.Accounts
+  import Phoenix.LiveViewTest
+  import BeetRoundServer.AccountsFixtures
+
+  describe "Settings page" do
+    test "renders settings page", %{conn: conn} do
+      {:ok, _lv, html} =
+        conn
+        |> log_in_user(user_fixture())
+        |> live(~p"/users/settings")
+
+      assert html =~ "Change Email"
+      assert html =~ "Save Password"
+    end
+
+    test "redirects if user is not logged in", %{conn: conn} do
+      assert {:error, redirect} = live(conn, ~p"/users/settings")
+
+      assert {:redirect, %{to: path, flash: flash}} = redirect
+      assert path == ~p"/users/log-in"
+      assert %{"error" => "You must log in to access this page."} = flash
+    end
+
+    test "redirects if user is not in sudo mode", %{conn: conn} do
+      {:ok, conn} =
+        conn
+        |> log_in_user(user_fixture(),
+          token_authenticated_at: DateTime.add(DateTime.utc_now(:second), -11, :minute)
+        )
+        |> live(~p"/users/settings")
+        |> follow_redirect(conn, ~p"/users/log-in")
+
+      assert conn.resp_body =~ "You must re-authenticate to access this page."
+    end
+  end
+
+  describe "update email form" do
+    setup %{conn: conn} do
+      user = user_fixture()
+      %{conn: log_in_user(conn, user), user: user}
+    end
+
+    test "updates the user email", %{conn: conn, user: user} do
+      new_email = unique_user_email()
+
+      {:ok, lv, _html} = live(conn, ~p"/users/settings")
+
+      result =
+        lv
+        |> form("#email_form", %{
+          "user" => %{"email" => new_email}
+        })
+        |> render_submit()
+
+      assert result =~ "A link to confirm your email"
+      assert Accounts.get_user_by_email(user.email)
+    end
+
+    test "renders errors with invalid data (phx-change)", %{conn: conn} do
+      {:ok, lv, _html} = live(conn, ~p"/users/settings")
+
+      result =
+        lv
+        |> element("#email_form")
+        |> render_change(%{
+          "action" => "update_email",
+          "user" => %{"email" => "with spaces"}
+        })
+
+      assert result =~ "Change Email"
+      assert result =~ "must have the @ sign and no spaces"
+    end
+
+    test "renders errors with invalid data (phx-submit)", %{conn: conn, user: user} do
+      {:ok, lv, _html} = live(conn, ~p"/users/settings")
+
+      result =
+        lv
+        |> form("#email_form", %{
+          "user" => %{"email" => user.email}
+        })
+        |> render_submit()
+
+      assert result =~ "Change Email"
+      assert result =~ "did not change"
+    end
+  end
+
+  describe "update password form" do
+    setup %{conn: conn} do
+      user = user_fixture()
+      %{conn: log_in_user(conn, user), user: user}
+    end
+
+    test "updates the user password", %{conn: conn, user: user} do
+      new_password = valid_user_password()
+
+      {:ok, lv, _html} = live(conn, ~p"/users/settings")
+
+      form =
+        form(lv, "#password_form", %{
+          "user" => %{
+            "email" => user.email,
+            "password" => new_password,
+            "password_confirmation" => new_password
+          }
+        })
+
+      render_submit(form)
+
+      new_password_conn = follow_trigger_action(form, conn)
+
+      assert redirected_to(new_password_conn) == ~p"/users/settings"
+
+      assert get_session(new_password_conn, :user_token) != get_session(conn, :user_token)
+
+      assert Phoenix.Flash.get(new_password_conn.assigns.flash, :info) =~
+               "Password updated successfully"
+
+      assert Accounts.get_user_by_email_and_password(user.email, new_password)
+    end
+
+    test "renders errors with invalid data (phx-change)", %{conn: conn} do
+      {:ok, lv, _html} = live(conn, ~p"/users/settings")
+
+      result =
+        lv
+        |> element("#password_form")
+        |> render_change(%{
+          "user" => %{
+            "password" => "too short",
+            "password_confirmation" => "does not match"
+          }
+        })
+
+      assert result =~ "Save Password"
+      assert result =~ "should be at least 12 character(s)"
+      assert result =~ "does not match password"
+    end
+
+    test "renders errors with invalid data (phx-submit)", %{conn: conn} do
+      {:ok, lv, _html} = live(conn, ~p"/users/settings")
+
+      result =
+        lv
+        |> form("#password_form", %{
+          "user" => %{
+            "password" => "too short",
+            "password_confirmation" => "does not match"
+          }
+        })
+        |> render_submit()
+
+      assert result =~ "Save Password"
+      assert result =~ "should be at least 12 character(s)"
+      assert result =~ "does not match password"
+    end
+  end
+
+  describe "confirm email" do
+    setup %{conn: conn} do
+      user = user_fixture()
+      email = unique_user_email()
+
+      token =
+        extract_user_token(fn url ->
+          Accounts.deliver_user_update_email_instructions(%{user | email: email}, user.email, url)
+        end)
+
+      %{conn: log_in_user(conn, user), token: token, email: email, user: user}
+    end
+
+    test "updates the user email once", %{conn: conn, user: user, token: token, email: email} do
+      {:error, redirect} = live(conn, ~p"/users/settings/confirm-email/#{token}")
+
+      assert {:live_redirect, %{to: path, flash: flash}} = redirect
+      assert path == ~p"/users/settings"
+      assert %{"info" => message} = flash
+      assert message == "Email changed successfully."
+      refute Accounts.get_user_by_email(user.email)
+      assert Accounts.get_user_by_email(email)
+
+      # use confirm token again
+      {:error, redirect} = live(conn, ~p"/users/settings/confirm-email/#{token}")
+      assert {:live_redirect, %{to: path, flash: flash}} = redirect
+      assert path == ~p"/users/settings"
+      assert %{"error" => message} = flash
+      assert message == "Email change link is invalid or it has expired."
+    end
+
+    test "does not update email with invalid token", %{conn: conn, user: user} do
+      {:error, redirect} = live(conn, ~p"/users/settings/confirm-email/oops")
+      assert {:live_redirect, %{to: path, flash: flash}} = redirect
+      assert path == ~p"/users/settings"
+      assert %{"error" => message} = flash
+      assert message == "Email change link is invalid or it has expired."
+      assert Accounts.get_user_by_email(user.email)
+    end
+
+    test "redirects if user is not logged in", %{token: token} do
+      conn = build_conn()
+      {:error, redirect} = live(conn, ~p"/users/settings/confirm-email/#{token}")
+      assert {:redirect, %{to: path, flash: flash}} = redirect
+      assert path == ~p"/users/log-in"
+      assert %{"error" => message} = flash
+      assert message == "You must log in to access this page."
+    end
+  end
+end
diff --git a/test/beet_round_server_web/user_auth_test.exs b/test/beet_round_server_web/user_auth_test.exs
new file mode 100644
index 0000000..1759c23
--- /dev/null
+++ b/test/beet_round_server_web/user_auth_test.exs
@@ -0,0 +1,390 @@
+defmodule BeetRoundServerWeb.UserAuthTest do
+  use BeetRoundServerWeb.ConnCase, async: true
+
+  alias Phoenix.LiveView
+  alias BeetRoundServer.Accounts
+  alias BeetRoundServer.Accounts.Scope
+  alias BeetRoundServerWeb.UserAuth
+
+  import BeetRoundServer.AccountsFixtures
+
+  @remember_me_cookie "_beet_round_server_web_user_remember_me"
+  @remember_me_cookie_max_age 60 * 60 * 24 * 14
+
+  setup %{conn: conn} do
+    conn =
+      conn
+      |> Map.replace!(:secret_key_base, BeetRoundServerWeb.Endpoint.config(:secret_key_base))
+      |> init_test_session(%{})
+
+    %{user: %{user_fixture() | authenticated_at: DateTime.utc_now(:second)}, conn: conn}
+  end
+
+  describe "log_in_user/3" do
+    test "stores the user token in the session", %{conn: conn, user: user} do
+      conn = UserAuth.log_in_user(conn, user)
+      assert token = get_session(conn, :user_token)
+      assert get_session(conn, :live_socket_id) == "users_sessions:#{Base.url_encode64(token)}"
+      assert redirected_to(conn) == ~p"/"
+      assert Accounts.get_user_by_session_token(token)
+    end
+
+    test "clears everything previously stored in the session", %{conn: conn, user: user} do
+      conn = conn |> put_session(:to_be_removed, "value") |> UserAuth.log_in_user(user)
+      refute get_session(conn, :to_be_removed)
+    end
+
+    test "keeps session when re-authenticating", %{conn: conn, user: user} do
+      conn =
+        conn
+        |> assign(:current_scope, Scope.for_user(user))
+        |> put_session(:to_be_removed, "value")
+        |> UserAuth.log_in_user(user)
+
+      assert get_session(conn, :to_be_removed)
+    end
+
+    test "clears session when user does not match when re-authenticating", %{
+      conn: conn,
+      user: user
+    } do
+      other_user = user_fixture()
+
+      conn =
+        conn
+        |> assign(:current_scope, Scope.for_user(other_user))
+        |> put_session(:to_be_removed, "value")
+        |> UserAuth.log_in_user(user)
+
+      refute get_session(conn, :to_be_removed)
+    end
+
+    test "redirects to the configured path", %{conn: conn, user: user} do
+      conn = conn |> put_session(:user_return_to, "/hello") |> UserAuth.log_in_user(user)
+      assert redirected_to(conn) == "/hello"
+    end
+
+    test "writes a cookie if remember_me is configured", %{conn: conn, user: user} do
+      conn = conn |> fetch_cookies() |> UserAuth.log_in_user(user, %{"remember_me" => "true"})
+      assert get_session(conn, :user_token) == conn.cookies[@remember_me_cookie]
+      assert get_session(conn, :user_remember_me) == true
+
+      assert %{value: signed_token, max_age: max_age} = conn.resp_cookies[@remember_me_cookie]
+      assert signed_token != get_session(conn, :user_token)
+      assert max_age == @remember_me_cookie_max_age
+    end
+
+    test "redirects to settings when user is already logged in", %{conn: conn, user: user} do
+      conn =
+        conn
+        |> assign(:current_scope, Scope.for_user(user))
+        |> UserAuth.log_in_user(user)
+
+      assert redirected_to(conn) == ~p"/users/settings"
+    end
+
+    test "writes a cookie if remember_me was set in previous session", %{conn: conn, user: user} do
+      conn = conn |> fetch_cookies() |> UserAuth.log_in_user(user, %{"remember_me" => "true"})
+      assert get_session(conn, :user_token) == conn.cookies[@remember_me_cookie]
+      assert get_session(conn, :user_remember_me) == true
+
+      conn =
+        conn
+        |> recycle()
+        |> Map.replace!(:secret_key_base, BeetRoundServerWeb.Endpoint.config(:secret_key_base))
+        |> fetch_cookies()
+        |> init_test_session(%{user_remember_me: true})
+
+      # the conn is already logged in and has the remember_me cookie set,
+      # now we log in again and even without explicitly setting remember_me,
+      # the cookie should be set again
+      conn = conn |> UserAuth.log_in_user(user, %{})
+      assert %{value: signed_token, max_age: max_age} = conn.resp_cookies[@remember_me_cookie]
+      assert signed_token != get_session(conn, :user_token)
+      assert max_age == @remember_me_cookie_max_age
+      assert get_session(conn, :user_remember_me) == true
+    end
+  end
+
+  describe "logout_user/1" do
+    test "erases session and cookies", %{conn: conn, user: user} do
+      user_token = Accounts.generate_user_session_token(user)
+
+      conn =
+        conn
+        |> put_session(:user_token, user_token)
+        |> put_req_cookie(@remember_me_cookie, user_token)
+        |> fetch_cookies()
+        |> UserAuth.log_out_user()
+
+      refute get_session(conn, :user_token)
+      refute conn.cookies[@remember_me_cookie]
+      assert %{max_age: 0} = conn.resp_cookies[@remember_me_cookie]
+      assert redirected_to(conn) == ~p"/"
+      refute Accounts.get_user_by_session_token(user_token)
+    end
+
+    test "broadcasts to the given live_socket_id", %{conn: conn} do
+      live_socket_id = "users_sessions:abcdef-token"
+      BeetRoundServerWeb.Endpoint.subscribe(live_socket_id)
+
+      conn
+      |> put_session(:live_socket_id, live_socket_id)
+      |> UserAuth.log_out_user()
+
+      assert_receive %Phoenix.Socket.Broadcast{event: "disconnect", topic: ^live_socket_id}
+    end
+
+    test "works even if user is already logged out", %{conn: conn} do
+      conn = conn |> fetch_cookies() |> UserAuth.log_out_user()
+      refute get_session(conn, :user_token)
+      assert %{max_age: 0} = conn.resp_cookies[@remember_me_cookie]
+      assert redirected_to(conn) == ~p"/"
+    end
+  end
+
+  describe "fetch_current_scope_for_user/2" do
+    test "authenticates user from session", %{conn: conn, user: user} do
+      user_token = Accounts.generate_user_session_token(user)
+
+      conn =
+        conn |> put_session(:user_token, user_token) |> UserAuth.fetch_current_scope_for_user([])
+
+      assert conn.assigns.current_scope.user.id == user.id
+      assert conn.assigns.current_scope.user.authenticated_at == user.authenticated_at
+      assert get_session(conn, :user_token) == user_token
+    end
+
+    test "authenticates user from cookies", %{conn: conn, user: user} do
+      logged_in_conn =
+        conn |> fetch_cookies() |> UserAuth.log_in_user(user, %{"remember_me" => "true"})
+
+      user_token = logged_in_conn.cookies[@remember_me_cookie]
+      %{value: signed_token} = logged_in_conn.resp_cookies[@remember_me_cookie]
+
+      conn =
+        conn
+        |> put_req_cookie(@remember_me_cookie, signed_token)
+        |> UserAuth.fetch_current_scope_for_user([])
+
+      assert conn.assigns.current_scope.user.id == user.id
+      assert conn.assigns.current_scope.user.authenticated_at == user.authenticated_at
+      assert get_session(conn, :user_token) == user_token
+      assert get_session(conn, :user_remember_me)
+
+      assert get_session(conn, :live_socket_id) ==
+               "users_sessions:#{Base.url_encode64(user_token)}"
+    end
+
+    test "does not authenticate if data is missing", %{conn: conn, user: user} do
+      _ = Accounts.generate_user_session_token(user)
+      conn = UserAuth.fetch_current_scope_for_user(conn, [])
+      refute get_session(conn, :user_token)
+      refute conn.assigns.current_scope
+    end
+
+    test "reissues a new token after a few days and refreshes cookie", %{conn: conn, user: user} do
+      logged_in_conn =
+        conn |> fetch_cookies() |> UserAuth.log_in_user(user, %{"remember_me" => "true"})
+
+      token = logged_in_conn.cookies[@remember_me_cookie]
+      %{value: signed_token} = logged_in_conn.resp_cookies[@remember_me_cookie]
+
+      offset_user_token(token, -10, :day)
+      {user, _} = Accounts.get_user_by_session_token(token)
+
+      conn =
+        conn
+        |> put_session(:user_token, token)
+        |> put_session(:user_remember_me, true)
+        |> put_req_cookie(@remember_me_cookie, signed_token)
+        |> UserAuth.fetch_current_scope_for_user([])
+
+      assert conn.assigns.current_scope.user.id == user.id
+      assert conn.assigns.current_scope.user.authenticated_at == user.authenticated_at
+      assert new_token = get_session(conn, :user_token)
+      assert new_token != token
+      assert %{value: new_signed_token, max_age: max_age} = conn.resp_cookies[@remember_me_cookie]
+      assert new_signed_token != signed_token
+      assert max_age == @remember_me_cookie_max_age
+    end
+  end
+
+  describe "on_mount :mount_current_scope" do
+    setup %{conn: conn} do
+      %{conn: UserAuth.fetch_current_scope_for_user(conn, [])}
+    end
+
+    test "assigns current_scope based on a valid user_token", %{conn: conn, user: user} do
+      user_token = Accounts.generate_user_session_token(user)
+      session = conn |> put_session(:user_token, user_token) |> get_session()
+
+      {:cont, updated_socket} =
+        UserAuth.on_mount(:mount_current_scope, %{}, session, %LiveView.Socket{})
+
+      assert updated_socket.assigns.current_scope.user.id == user.id
+    end
+
+    test "assigns nil to current_scope assign if there isn't a valid user_token", %{conn: conn} do
+      user_token = "invalid_token"
+      session = conn |> put_session(:user_token, user_token) |> get_session()
+
+      {:cont, updated_socket} =
+        UserAuth.on_mount(:mount_current_scope, %{}, session, %LiveView.Socket{})
+
+      assert updated_socket.assigns.current_scope == nil
+    end
+
+    test "assigns nil to current_scope assign if there isn't a user_token", %{conn: conn} do
+      session = conn |> get_session()
+
+      {:cont, updated_socket} =
+        UserAuth.on_mount(:mount_current_scope, %{}, session, %LiveView.Socket{})
+
+      assert updated_socket.assigns.current_scope == nil
+    end
+  end
+
+  describe "on_mount :require_authenticated" do
+    test "authenticates current_scope based on a valid user_token", %{conn: conn, user: user} do
+      user_token = Accounts.generate_user_session_token(user)
+      session = conn |> put_session(:user_token, user_token) |> get_session()
+
+      {:cont, updated_socket} =
+        UserAuth.on_mount(:require_authenticated, %{}, session, %LiveView.Socket{})
+
+      assert updated_socket.assigns.current_scope.user.id == user.id
+    end
+
+    test "redirects to login page if there isn't a valid user_token", %{conn: conn} do
+      user_token = "invalid_token"
+      session = conn |> put_session(:user_token, user_token) |> get_session()
+
+      socket = %LiveView.Socket{
+        endpoint: BeetRoundServerWeb.Endpoint,
+        assigns: %{__changed__: %{}, flash: %{}}
+      }
+
+      {:halt, updated_socket} = UserAuth.on_mount(:require_authenticated, %{}, session, socket)
+      assert updated_socket.assigns.current_scope == nil
+    end
+
+    test "redirects to login page if there isn't a user_token", %{conn: conn} do
+      session = conn |> get_session()
+
+      socket = %LiveView.Socket{
+        endpoint: BeetRoundServerWeb.Endpoint,
+        assigns: %{__changed__: %{}, flash: %{}}
+      }
+
+      {:halt, updated_socket} = UserAuth.on_mount(:require_authenticated, %{}, session, socket)
+      assert updated_socket.assigns.current_scope == nil
+    end
+  end
+
+  describe "on_mount :require_sudo_mode" do
+    test "allows users that have authenticated in the last 10 minutes", %{conn: conn, user: user} do
+      user_token = Accounts.generate_user_session_token(user)
+      session = conn |> put_session(:user_token, user_token) |> get_session()
+
+      socket = %LiveView.Socket{
+        endpoint: BeetRoundServerWeb.Endpoint,
+        assigns: %{__changed__: %{}, flash: %{}}
+      }
+
+      assert {:cont, _updated_socket} =
+               UserAuth.on_mount(:require_sudo_mode, %{}, session, socket)
+    end
+
+    test "redirects when authentication is too old", %{conn: conn, user: user} do
+      eleven_minutes_ago = DateTime.utc_now(:second) |> DateTime.add(-11, :minute)
+      user = %{user | authenticated_at: eleven_minutes_ago}
+      user_token = Accounts.generate_user_session_token(user)
+      {user, token_inserted_at} = Accounts.get_user_by_session_token(user_token)
+      assert DateTime.compare(token_inserted_at, user.authenticated_at) == :gt
+      session = conn |> put_session(:user_token, user_token) |> get_session()
+
+      socket = %LiveView.Socket{
+        endpoint: BeetRoundServerWeb.Endpoint,
+        assigns: %{__changed__: %{}, flash: %{}}
+      }
+
+      assert {:halt, _updated_socket} =
+               UserAuth.on_mount(:require_sudo_mode, %{}, session, socket)
+    end
+  end
+
+  describe "require_authenticated_user/2" do
+    setup %{conn: conn} do
+      %{conn: UserAuth.fetch_current_scope_for_user(conn, [])}
+    end
+
+    test "redirects if user is not authenticated", %{conn: conn} do
+      conn = conn |> fetch_flash() |> UserAuth.require_authenticated_user([])
+      assert conn.halted
+
+      assert redirected_to(conn) == ~p"/users/log-in"
+
+      assert Phoenix.Flash.get(conn.assigns.flash, :error) ==
+               "You must log in to access this page."
+    end
+
+    test "stores the path to redirect to on GET", %{conn: conn} do
+      halted_conn =
+        %{conn | path_info: ["foo"], query_string: ""}
+        |> fetch_flash()
+        |> UserAuth.require_authenticated_user([])
+
+      assert halted_conn.halted
+      assert get_session(halted_conn, :user_return_to) == "/foo"
+
+      halted_conn =
+        %{conn | path_info: ["foo"], query_string: "bar=baz"}
+        |> fetch_flash()
+        |> UserAuth.require_authenticated_user([])
+
+      assert halted_conn.halted
+      assert get_session(halted_conn, :user_return_to) == "/foo?bar=baz"
+
+      halted_conn =
+        %{conn | path_info: ["foo"], query_string: "bar", method: "POST"}
+        |> fetch_flash()
+        |> UserAuth.require_authenticated_user([])
+
+      assert halted_conn.halted
+      refute get_session(halted_conn, :user_return_to)
+    end
+
+    test "does not redirect if user is authenticated", %{conn: conn, user: user} do
+      conn =
+        conn
+        |> assign(:current_scope, Scope.for_user(user))
+        |> UserAuth.require_authenticated_user([])
+
+      refute conn.halted
+      refute conn.status
+    end
+  end
+
+  describe "disconnect_sessions/1" do
+    test "broadcasts disconnect messages for each token" do
+      tokens = [%{token: "token1"}, %{token: "token2"}]
+
+      for %{token: token} <- tokens do
+        BeetRoundServerWeb.Endpoint.subscribe("users_sessions:#{Base.url_encode64(token)}")
+      end
+
+      UserAuth.disconnect_sessions(tokens)
+
+      assert_receive %Phoenix.Socket.Broadcast{
+        event: "disconnect",
+        topic: "users_sessions:dG9rZW4x"
+      }
+
+      assert_receive %Phoenix.Socket.Broadcast{
+        event: "disconnect",
+        topic: "users_sessions:dG9rZW4y"
+      }
+    end
+  end
+end
diff --git a/test/support/conn_case.ex b/test/support/conn_case.ex
index 93556e9..ca8b0a5 100644
--- a/test/support/conn_case.ex
+++ b/test/support/conn_case.ex
@@ -35,4 +35,45 @@ defmodule BeetRoundServerWeb.ConnCase do
     BeetRoundServer.DataCase.setup_sandbox(tags)
     {:ok, conn: Phoenix.ConnTest.build_conn()}
   end
+
+  @doc """
+  Setup helper that registers and logs in users.
+
+      setup :register_and_log_in_user
+
+  It stores an updated connection and a registered user in the
+  test context.
+  """
+  def register_and_log_in_user(%{conn: conn} = context) do
+    user = BeetRoundServer.AccountsFixtures.user_fixture()
+    scope = BeetRoundServer.Accounts.Scope.for_user(user)
+
+    opts =
+      context
+      |> Map.take([:token_authenticated_at])
+      |> Enum.into([])
+
+    %{conn: log_in_user(conn, user, opts), user: user, scope: scope}
+  end
+
+  @doc """
+  Logs the given `user` into the `conn`.
+
+  It returns an updated `conn`.
+  """
+  def log_in_user(conn, user, opts \\ []) do
+    token = BeetRoundServer.Accounts.generate_user_session_token(user)
+
+    maybe_set_token_authenticated_at(token, opts[:token_authenticated_at])
+
+    conn
+    |> Phoenix.ConnTest.init_test_session(%{})
+    |> Plug.Conn.put_session(:user_token, token)
+  end
+
+  defp maybe_set_token_authenticated_at(_token, nil), do: nil
+
+  defp maybe_set_token_authenticated_at(token, authenticated_at) do
+    BeetRoundServer.AccountsFixtures.override_token_authenticated_at(token, authenticated_at)
+  end
 end
diff --git a/test/support/fixtures/accounts_fixtures.ex b/test/support/fixtures/accounts_fixtures.ex
new file mode 100644
index 0000000..41d7940
--- /dev/null
+++ b/test/support/fixtures/accounts_fixtures.ex
@@ -0,0 +1,89 @@
+defmodule BeetRoundServer.AccountsFixtures do
+  @moduledoc """
+  This module defines test helpers for creating
+  entities via the `BeetRoundServer.Accounts` context.
+  """
+
+  import Ecto.Query
+
+  alias BeetRoundServer.Accounts
+  alias BeetRoundServer.Accounts.Scope
+
+  def unique_user_email, do: "user#{System.unique_integer()}@example.com"
+  def valid_user_password, do: "hello world!"
+
+  def valid_user_attributes(attrs \\ %{}) do
+    Enum.into(attrs, %{
+      email: unique_user_email()
+    })
+  end
+
+  def unconfirmed_user_fixture(attrs \\ %{}) do
+    {:ok, user} =
+      attrs
+      |> valid_user_attributes()
+      |> Accounts.register_user()
+
+    user
+  end
+
+  def user_fixture(attrs \\ %{}) do
+    user = unconfirmed_user_fixture(attrs)
+
+    token =
+      extract_user_token(fn url ->
+        Accounts.deliver_login_instructions(user, url)
+      end)
+
+    {:ok, {user, _expired_tokens}} =
+      Accounts.login_user_by_magic_link(token)
+
+    user
+  end
+
+  def user_scope_fixture do
+    user = user_fixture()
+    user_scope_fixture(user)
+  end
+
+  def user_scope_fixture(user) do
+    Scope.for_user(user)
+  end
+
+  def set_password(user) do
+    {:ok, {user, _expired_tokens}} =
+      Accounts.update_user_password(user, %{password: valid_user_password()})
+
+    user
+  end
+
+  def extract_user_token(fun) do
+    {:ok, captured_email} = fun.(&"[TOKEN]#{&1}[TOKEN]")
+    [_, token | _] = String.split(captured_email.text_body, "[TOKEN]")
+    token
+  end
+
+  def override_token_authenticated_at(token, authenticated_at) when is_binary(token) do
+    BeetRoundServer.Repo.update_all(
+      from(t in Accounts.UserToken,
+        where: t.token == ^token
+      ),
+      set: [authenticated_at: authenticated_at]
+    )
+  end
+
+  def generate_user_magic_link_token(user) do
+    {encoded_token, user_token} = Accounts.UserToken.build_email_token(user, "login")
+    BeetRoundServer.Repo.insert!(user_token)
+    {encoded_token, user_token.token}
+  end
+
+  def offset_user_token(token, amount_to_add, unit) do
+    dt = DateTime.add(DateTime.utc_now(:second), amount_to_add, unit)
+
+    BeetRoundServer.Repo.update_all(
+      from(ut in Accounts.UserToken, where: ut.token == ^token),
+      set: [inserted_at: dt, authenticated_at: dt]
+    )
+  end
+end