Users can access their items via API. Authentication via API token. No public access to items.

lib/generic_rest_server_web/controllers/user_token_controller.ex

@@ -0,0 +1,28 @@
+defmodule GenericRestServerWeb.UserTokenController do
+  use GenericRestServerWeb, :controller
+
+  alias GenericRestServer.Accounts
+  alias GenericRestServer.Accounts.User
+
+  action_fallback GenericRestServerWeb.FallbackController
+
+  def log_in(conn, %{"user" => user_params}) do
+    case Accounts.get_user_by_email_and_password(user_params["email"], user_params["password"]) do
+      %User{} = user ->
+        create_token(conn, user)
+
+      _ ->
+        conn
+        |> put_status(:forbidden)
+        |> render(:error, %{error: "No access for you!"})
+    end
+  end
+
+  defp create_token(conn, user) do
+    encoded_token = Accounts.create_user_api_token(user)
+
+    updated_user = Map.put(user, :token, encoded_token)
+
+    render(conn, :token, user: updated_user)
+  end
+end