user must be email_confirmed to log_in

previously we were not checking if the email_confirmed attribute was
true before logging in. A new user did not have to activate email
before logging in.

app/controllers/sessions_controller.rb

@@ -4,7 +4,9 @@ def new
 
   def create
     @user = User.find_by(email: params[:session][:email].downcase)
-    if @user && @user.authenticate(params[:session][:password])
+    if @user &&
+       @user.authenticate(params[:session][:password]) &&
+       @user.email_confirmed
       log_in @user
       redirect_to @user
     else