fix ThemeHook gate to validate session token not just presence

Check socket.assigns.current_scope (validated by mount_current_scope)
instead of raw session token. Prevents stale/invalid session cookies
from bypassing the site-live gate.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

lib/simpleshop_theme_web/theme_hook.ex

@@ -42,12 +42,13 @@ defmodule SimpleshopThemeWeb.ThemeHook do
     {:cont, socket}
   end
 
-  def on_mount(:require_site_live, _params, session, socket) do
+  def on_mount(:require_site_live, _params, _session, socket) do
     cond do
       Settings.site_live?() ->
         {:cont, socket}
 
-      session["user_token"] ->
+      # mount_current_scope runs first, so current_scope is already validated
+      socket.assigns[:current_scope] && socket.assigns.current_scope.user ->
         {:cont, socket}
 
       not SimpleshopTheme.Accounts.has_admin?() ->

test/simpleshop_theme_web/live/shop/coming_soon_test.exs

@@ -56,6 +56,16 @@ defmodule SimpleshopThemeWeb.Shop.ComingSoonTest do
       assert {:error, {:redirect, %{to: "/users/register"}}} = live(conn, ~p"/")
     end
 
+    test "redirects when session token is stale (user deleted)", %{conn: conn} do
+      user = user_fixture()
+      conn = log_in_user(conn, user)
+
+      # Delete the user — session cookie is now stale
+      SimpleshopTheme.Repo.delete!(user)
+
+      assert {:error, {:redirect, %{to: "/users/register"}}} = live(conn, ~p"/")
+    end
+
     test "gates all public shop routes", %{conn: conn} do
       user_fixture()