Add email verification and one-click notification unsubscribe

- Re-enable MustVerifyEmail on User model and fire Registered event on registration
- Add EmailVerificationController with verification routes (notice, verify, resend)
- Add persistent dashboard banner prompting unverified users to verify email
- Add one-click unsubscribe/resubscribe via signed URLs in notification emails
- Update SuppressMailNotificationListener to always allow system emails (e.g. VerifyEmail)
- Remove email_verified_at field from admin user edit form
- Add comprehensive tests for email verification and notification unsubscribe flows

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: simonhamp

app/Filament/Resources/UserResource.php

@@ -2,7 +2,6 @@
 
 namespace App\Filament\Resources;
 
-use App\Enums\StripeConnectStatus;
 use App\Filament\Resources\UserResource\Pages;
 use App\Filament\Resources\UserResource\RelationManagers;
 use App\Models\User;
@@ -38,11 +37,11 @@ public static function form(Schema $schema): Schema
                             ->email()
                             ->required()
                             ->maxLength(255),
-                        Forms\Components\DateTimePicker::make('email_verified_at'),
                         Forms\Components\TextInput::make('password')
                             ->password()
                             ->dehydrated(fn ($state) => filled($state))
                             ->required(fn (string $context): bool => $context === 'create')
+                            ->hidden(fn (string $context): bool => $context === 'edit')
                             ->maxLength(255),
                     ]),
                 Schemas\Components\Section::make('Billing Information')
@@ -64,15 +63,26 @@ public static function form(Schema $schema): Schema
                             ->maxLength(255)
                             ->disabled(),
                     ]),
+                Schemas\Components\Section::make('Notifications')
+                    ->description('Once these are disabled, they cannot be re-enabled by an admin.')
+                    ->inlineLabel()
+                    ->columns(1)
+                    ->schema([
+                        Forms\Components\Toggle::make('receives_notification_emails')
+                            ->label('Email notifications')
+                            ->disabled(fn (?User $record) => $record && ! $record->receives_notification_emails),
+                        Forms\Components\Toggle::make('receives_new_plugin_notifications')
+                            ->label('New plugin notifications')
+                            ->disabled(fn (?User $record) => $record && ! $record->receives_new_plugin_notifications),
+                    ]),
                 Schemas\Components\Section::make('Developer Account')
                     ->inlineLabel()
                     ->columns(1)
                     ->visible(fn (?User $record) => $record?->developerAccount !== null)
                     ->schema([
-                        Forms\Components\Select::make('developerAccount.stripe_connect_status')
+                        Forms\Components\Placeholder::make('developerAccount.stripe_connect_status')
                             ->label('Stripe Connect Status')
-                            ->options(StripeConnectStatus::class)
-                            ->disabled(),
+                            ->content(fn (User $record) => $record->developerAccount->stripe_connect_status?->label() ?? '—'),
                         Forms\Components\Placeholder::make('developerAccount.stripe_connect_account_id')
                             ->label('Stripe Connect Account')
                             ->content(fn (User $record) => new HtmlString(

app/Http/Controllers/Auth/CustomerAuthController.php

@@ -9,6 +9,7 @@
 use App\Models\TeamUser;
 use App\Models\User;
 use App\Services\CartService;
+use Illuminate\Auth\Events\Registered;
 use Illuminate\Auth\Passwords\PasswordBroker;
 use Illuminate\Http\RedirectResponse;
 use Illuminate\Http\Request;
@@ -45,6 +46,8 @@ public function register(Request $request): RedirectResponse
             'password' => Hash::make($request->password),
         ]);
 
+        event(new Registered($user));
+
         Auth::login($user);
 
         // Transfer guest cart to user

app/Http/Controllers/Auth/EmailVerificationController.php

@@ -0,0 +1,30 @@
+<?php
+
+namespace App\Http\Controllers\Auth;
+
+use App\Http\Controllers\Controller;
+use Illuminate\Foundation\Auth\EmailVerificationRequest;
+use Illuminate\Http\RedirectResponse;
+use Illuminate\Http\Request;
+
+class EmailVerificationController extends Controller
+{
+    public function notice(): RedirectResponse
+    {
+        return to_route('dashboard');
+    }
+
+    public function verify(EmailVerificationRequest $request): RedirectResponse
+    {
+        $request->fulfill();
+
+        return to_route('dashboard')->with('success', 'Your email address has been verified.');
+    }
+
+    public function resend(Request $request): RedirectResponse
+    {
+        $request->user()->sendEmailVerificationNotification();
+
+        return back()->with('status', 'A new verification link has been sent to your email address.');
+    }
+}

app/Http/Controllers/NotificationUnsubscribeController.php

@@ -0,0 +1,65 @@
+<?php
+
+namespace App\Http\Controllers;
+
+use App\Models\User;
+use Illuminate\Http\RedirectResponse;
+use Illuminate\Http\Request;
+use Illuminate\View\View;
+
+class NotificationUnsubscribeController extends Controller
+{
+    public function unsubscribe(Request $request, User $user): RedirectResponse|View
+    {
+        $user->update(['receives_new_plugin_notifications' => false]);
+
+        if ($request->user()?->is($user)) {
+            return redirect()
+                ->route('customer.settings', ['tab' => 'notifications'])
+                ->with('new-plugin-notifications-disabled', true);
+        }
+
+        return view('notifications.unsubscribed', [
+            'maskedEmail' => $this->maskEmail($user->email),
+            'resubscribeUrl' => $this->signedResubscribeUrl($user),
+        ]);
+    }
+
+    public function resubscribe(Request $request, User $user): RedirectResponse|View
+    {
+        $user->update(['receives_new_plugin_notifications' => true]);
+
+        if ($request->user()?->is($user)) {
+            return redirect()
+                ->route('customer.settings', ['tab' => 'notifications'])
+                ->with('new-plugin-notifications-enabled', true);
+        }
+
+        return view('notifications.resubscribed', [
+            'maskedEmail' => $this->maskEmail($user->email),
+        ]);
+    }
+
+    public static function signedUnsubscribeUrl(User $user): string
+    {
+        return url()->signedRoute('notifications.unsubscribe', ['user' => $user]);
+    }
+
+    private function signedResubscribeUrl(User $user): string
+    {
+        return url()->signedRoute('notifications.resubscribe', ['user' => $user]);
+    }
+
+    private function maskEmail(string $email): string
+    {
+        [$local, $domain] = explode('@', $email);
+
+        if (strlen($local) <= 2) {
+            $maskedLocal = $local[0].str_repeat('*', max(1, strlen($local) - 1));
+        } else {
+            $maskedLocal = $local[0].str_repeat('*', strlen($local) - 2).$local[strlen($local) - 1];
+        }
+
+        return $maskedLocal.'@'.$domain;
+    }
+}

app/Listeners/SuppressMailNotificationListener.php

@@ -3,6 +3,7 @@
 namespace App\Listeners;
 
 use App\Models\User;
+use Illuminate\Auth\Notifications\VerifyEmail;
 use Illuminate\Notifications\Events\NotificationSending;
 
 class SuppressMailNotificationListener
@@ -17,6 +18,11 @@ public function handle(NotificationSending $event): bool
             return true;
         }
 
-        return $event->notifiable->receives_notification_emails;
+        // System notifications like email verification should always be sent
+        if ($event->notification instanceof VerifyEmail) {
+            return true;
+        }
+
+        return (bool) $event->notifiable->receives_notification_emails;
     }
 }

app/Models/User.php

@@ -2,13 +2,13 @@
 
 namespace App\Models;
 
-// use Illuminate\Contracts\Auth\MustVerifyEmail;
 use App\Enums\PriceTier;
 use App\Enums\Subscription;
 use App\Enums\TeamUserStatus;
 use Filament\Models\Contracts\FilamentUser;
 use Filament\Models\Contracts\HasName;
 use Filament\Panel;
+use Illuminate\Contracts\Auth\MustVerifyEmail;
 use Illuminate\Database\Eloquent\Casts\Attribute;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Relations\HasMany;
@@ -19,7 +19,7 @@
 use Laravel\Cashier\Billable;
 use Laravel\Sanctum\HasApiTokens;
 
-class User extends Authenticatable implements FilamentUser, HasName
+class User extends Authenticatable implements FilamentUser, HasName, MustVerifyEmail
 {
     use Billable, HasApiTokens, HasFactory, Notifiable;
 

app/Notifications/NewPluginAvailable.php

@@ -2,7 +2,9 @@
 
 namespace App\Notifications;
 
+use App\Http\Controllers\NotificationUnsubscribeController;
 use App\Models\Plugin;
+use App\Models\User;
 use Illuminate\Bus\Queueable;
 use Illuminate\Contracts\Queue\ShouldQueue;
 use Illuminate\Notifications\Messages\MailMessage;
@@ -30,12 +32,15 @@ public function via(object $notifiable): array
 
     public function toMail(object $notifiable): MailMessage
     {
+        /** @var User $notifiable */
+        $unsubscribeUrl = NotificationUnsubscribeController::signedUnsubscribeUrl($notifiable);
+
         return (new MailMessage)
             ->subject("New Plugin: {$this->plugin->name}")
             ->greeting('A new plugin is available!')
             ->line("**{$this->plugin->name}** has just been added to the NativePHP Plugin Marketplace.")
             ->action('View Plugin', route('plugins.show', $this->plugin->routeParams()))
-            ->line('[Manage your notification preferences]('.route('customer.settings', ['tab' => 'notifications']).').');
+            ->line('[Unsubscribe from new plugin notifications]('.$unsubscribeUrl.').');
     }
 
     /**

package-lock.json

@@ -4,6 +4,26 @@
         <flux:text>Welcome back, {{ auth()->user()->first_name ?? auth()->user()->name }}</flux:text>
     </div>
 
+    {{-- Email Verification Banner --}}
+    @if (!auth()->user()->hasVerifiedEmail())
+        <flux:callout variant="warning" icon="envelope" class="mb-6">
+            <flux:callout.heading>Please verify your email address.</flux:callout.heading>
+            <flux:callout.text>
+                We sent a verification email when you registered. Click the link in that email to verify your account.
+
+                @if (session('status'))
+                    <span class="font-medium">{{ session('status') }}</span>
+                @endif
+            </flux:callout.text>
+            <x-slot:actions>
+                <form method="POST" action="{{ route('verification.send') }}">
+                    @csrf
+                    <flux:button type="submit" variant="filled" size="sm">Resend verification email</flux:button>
+                </form>
+            </x-slot:actions>
+        </flux:callout>
+    @endif
+
     {{-- Session Messages --}}
     @if (session('success'))
         <flux:callout variant="success" icon="check-circle" class="mb-6">

resources/views/livewire/customer/dashboard.blade.php

@@ -127,6 +127,18 @@ class="{{ $tab === 'notifications' ? 'border-b-2 border-zinc-800 dark:border-whi
     @endif
 
     @if ($tab === 'notifications')
+        @if (session('new-plugin-notifications-disabled'))
+            <flux:callout variant="success" icon="check-circle" class="mb-6">
+                <flux:callout.text>New plugin notifications have been disabled.</flux:callout.text>
+            </flux:callout>
+        @endif
+
+        @if (session('new-plugin-notifications-enabled'))
+            <flux:callout variant="success" icon="check-circle" class="mb-6">
+                <flux:callout.text>New plugin notifications have been re-enabled.</flux:callout.text>
+            </flux:callout>
+        @endif
+
         <flux:card class="space-y-6">
             <flux:switch
                 wire:model.live="receivesNotificationEmails"