Fix password reset for unverified users and rework checkout-driven account creation

simonhamp · claude · simonhamp · commit 06fbf4aaeeb8 · 2026-04-29T22:56:43.000+01:00
Password reset emails (and other transactional mail) were being silently dropped
for users with email_verified_at = null or receives_notification_emails = false,
because SuppressMailNotificationListener only carved out VerifyEmail.

Customers who purchased Ultra via the pricing flow were created with a random
password and never sent a verification email (no Registered event fired), so
they had no way into their account: the post-purchase license email was
suppressed, and password reset was suppressed too.

Changes:
- Introduce App\Contracts\TransactionalNotification marker so transactional
  mail (account recovery, entitlements, receipts) bypasses the listener.
- Tag LicenseKeyGenerated, BundleGranted, PluginGranted, ProductGranted.
- Carve out framework ResetPassword + VerifyEmail explicitly in the listener.
- Add ClaimAccount notification (uses the password broker token + existing
  reset-password UI) so checkout-created users get one email that verifies
  email and lets them set a password.
- Dispatch ClaimAccount from MobilePricing and Api\LicenseController when
  wasRecentlyCreated. Fire Registered from ClaimDonationLicense (user
  already chose their own password there).
- On password reset, set email_verified_at = now() when null so the same
  flow serves both real resets and account claims.
- Rework OrderSuccess: drop license-key copy entirely. For Ultra, show
  "Go to Dashboard" for verified users, or a "check your inbox / contact
  support@nativephp.com" message for newly-created users.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/app/Contracts/TransactionalNotification.php b/app/Contracts/TransactionalNotification.php
@@ -0,0 +1,16 @@
+<?php
+
+namespace App\Contracts;
+
+use App\Listeners\SuppressMailNotificationListener;
+
+/**
+ * Marker interface for notifications that must always be delivered,
+ * regardless of the user's email preferences or verification state.
+ *
+ * Account recovery, purchase receipts, and license/entitlement
+ * notifications fall into this category.
+ *
+ * @see SuppressMailNotificationListener
+ */
+interface TransactionalNotification {}
diff --git a/app/Http/Controllers/Api/LicenseController.php b/app/Http/Controllers/Api/LicenseController.php
@@ -9,8 +9,10 @@
 use App\Jobs\CreateAnystackLicenseJob;
 use App\Models\License;
 use App\Models\User;
+use App\Notifications\ClaimAccount;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Facades\Password;
 use Illuminate\Support\Str;
 use Illuminate\Validation\Rules\Enum;
 
@@ -46,6 +48,12 @@ public function store(Request $request)
             ]
         );
 
+        if ($user->wasRecentlyCreated) {
+            $user->notify(new ClaimAccount(
+                Password::broker()->createToken($user)
+            ));
+        }
+
         // Create the license via job
         $subscription = Subscription::from($validated['subscription']);
 
diff --git a/app/Http/Controllers/Auth/CustomerAuthController.php b/app/Http/Controllers/Auth/CustomerAuthController.php
@@ -156,9 +156,17 @@ public function resetPassword(Request $request): RedirectResponse
         $status = Password::reset(
             $request->only('email', 'password', 'password_confirmation', 'token'),
             function ($user, $password): void {
-                $user->forceFill([
-                    'password' => $password,
-                ]);
+                $attributes = ['password' => $password];
+
+                // Proving control of the inbox + setting a password is sufficient
+                // to consider the email verified. This also lets the same flow
+                // serve as the "claim your account" path for users created via
+                // checkout.
+                if (! $user->email_verified_at) {
+                    $attributes['email_verified_at'] = now();
+                }
+
+                $user->forceFill($attributes);
 
                 $user->save();
             }
diff --git a/app/Listeners/SuppressMailNotificationListener.php b/app/Listeners/SuppressMailNotificationListener.php
@@ -2,7 +2,9 @@
 
 namespace App\Listeners;
 
+use App\Contracts\TransactionalNotification;
 use App\Models\User;
+use Illuminate\Auth\Notifications\ResetPassword;
 use Illuminate\Auth\Notifications\VerifyEmail;
 use Illuminate\Notifications\Events\NotificationSending;
 
@@ -18,8 +20,13 @@ public function handle(NotificationSending $event): bool
             return true;
         }
 
-        // System notifications like email verification should always be sent
-        if ($event->notification instanceof VerifyEmail) {
+        // Transactional notifications (account recovery, verification,
+        // purchase receipts, entitlement grants) must always be delivered.
+        // Framework notifications can't implement our marker, so they're
+        // listed explicitly.
+        if ($event->notification instanceof TransactionalNotification
+            || $event->notification instanceof VerifyEmail
+            || $event->notification instanceof ResetPassword) {
             return true;
         }
 
diff --git a/app/Livewire/ClaimDonationLicense.php b/app/Livewire/ClaimDonationLicense.php
@@ -7,6 +7,7 @@
 use App\Jobs\CreateAnystackLicenseJob;
 use App\Models\OpenCollectiveDonation;
 use App\Models\User;
+use Illuminate\Auth\Events\Registered;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Hash;
 use Illuminate\Validation\Rules\Password;
@@ -107,6 +108,8 @@ public function claim(): void
                 'name' => $this->name,
                 'password' => Hash::make($this->password),
             ]);
+
+            event(new Registered($user));
         }
 
         // Parse name for first/last
diff --git a/app/Livewire/MobilePricing.php b/app/Livewire/MobilePricing.php
@@ -4,9 +4,11 @@
 
 use App\Enums\Subscription;
 use App\Models\User;
+use App\Notifications\ClaimAccount;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Hash;
 use Illuminate\Support\Facades\Log;
+use Illuminate\Support\Facades\Password;
 use Illuminate\Support\Facades\Validator;
 use Illuminate\Support\Str;
 use Laravel\Cashier\Cashier;
@@ -182,11 +184,19 @@ private function findOrCreateUser(string $email): User
             'email' => 'required|email|max:255',
         ]);
 
-        return User::firstOrCreate([
+        $user = User::firstOrCreate([
             'email' => $email,
         ], [
             'password' => Hash::make(Str::random(72)),
         ]);
+
+        if ($user->wasRecentlyCreated) {
+            $user->notify(new ClaimAccount(
+                Password::broker()->createToken($user)
+            ));
+        }
+
+        return $user;
     }
 
     private function successUrl(): string
diff --git a/app/Livewire/OrderSuccess.php b/app/Livewire/OrderSuccess.php
@@ -3,7 +3,6 @@
 namespace App\Livewire;
 
 use App\Enums\Subscription;
-use App\Models\License;
 use Illuminate\Database\Eloquent\ModelNotFoundException;
 use Laravel\Cashier\Cashier;
 use Livewire\Attributes\Layout;
@@ -17,10 +16,10 @@ class OrderSuccess extends Component
 {
     public ?string $email = null;
 
-    public ?string $licenseKey = null;
-
     public ?Subscription $subscription = null;
 
+    public bool $isExistingUser = false;
+
     public string $checkoutSessionId;
 
     public function mount(string $checkoutSessionId): void
@@ -67,9 +66,10 @@ public function loadData(): void
             return;
         }
 
-        $this->email = $subscriptionRecord->user->email;
-        $this->licenseKey = License::query()
-            ->whereBelongsTo($subscriptionItem)
-            ->first()?->key;
+        $user = $subscriptionRecord->user;
+        $this->email = $user->email;
+        // Users created via checkout start with email_verified_at = null and
+        // are sent a ClaimAccount email. Verified users already have access.
+        $this->isExistingUser = ! is_null($user->email_verified_at);
     }
 }
diff --git a/app/Notifications/BundleGranted.php b/app/Notifications/BundleGranted.php
@@ -2,6 +2,7 @@
 
 namespace App\Notifications;
 
+use App\Contracts\TransactionalNotification;
 use App\Models\Plugin;
 use App\Models\PluginBundle;
 use Illuminate\Bus\Queueable;
@@ -10,7 +11,7 @@
 use Illuminate\Notifications\Notification;
 use Illuminate\Support\Collection;
 
-class BundleGranted extends Notification implements ShouldQueue
+class BundleGranted extends Notification implements ShouldQueue, TransactionalNotification
 {
     use Queueable;
 
diff --git a/app/Notifications/ClaimAccount.php b/app/Notifications/ClaimAccount.php
@@ -0,0 +1,41 @@
+<?php
+
+namespace App\Notifications;
+
+use App\Contracts\TransactionalNotification;
+use Illuminate\Bus\Queueable;
+use Illuminate\Contracts\Queue\ShouldQueue;
+use Illuminate\Notifications\Messages\MailMessage;
+use Illuminate\Notifications\Notification;
+
+class ClaimAccount extends Notification implements ShouldQueue, TransactionalNotification
+{
+    use Queueable;
+
+    public function __construct(public string $token) {}
+
+    /**
+     * @return array<int, string>
+     */
+    public function via(object $notifiable): array
+    {
+        return ['mail'];
+    }
+
+    public function toMail(object $notifiable): MailMessage
+    {
+        $url = route('password.reset', [
+            'token' => $this->token,
+            'email' => $notifiable->getEmailForPasswordReset(),
+        ]);
+
+        return (new MailMessage)
+            ->subject('Welcome to NativePHP — Claim Your Account')
+            ->greeting('Welcome to NativePHP!')
+            ->line('Thanks for your purchase. We\'ve created an account for you so you can access your licenses and downloads.')
+            ->line('To finish setting up your account, please click the button below to verify your email address and set a password.')
+            ->action('Claim Your Account', $url)
+            ->line('This link will expire in '.config('auth.passwords.users.expire').' minutes. If it expires, you can request a new one from the password reset page.')
+            ->salutation("Happy coding!\n\nThe NativePHP Team");
+    }
+}
diff --git a/app/Notifications/LicenseKeyGenerated.php b/app/Notifications/LicenseKeyGenerated.php
@@ -2,13 +2,14 @@
 
 namespace App\Notifications;
 
+use App\Contracts\TransactionalNotification;
 use App\Enums\Subscription;
 use Illuminate\Bus\Queueable;
 use Illuminate\Contracts\Queue\ShouldQueue;
 use Illuminate\Notifications\Messages\MailMessage;
 use Illuminate\Notifications\Notification;
 
-class LicenseKeyGenerated extends Notification implements ShouldQueue
+class LicenseKeyGenerated extends Notification implements ShouldQueue, TransactionalNotification
 {
     use Queueable;
 
diff --git a/app/Notifications/PluginGranted.php b/app/Notifications/PluginGranted.php
@@ -2,13 +2,14 @@
 
 namespace App\Notifications;
 
+use App\Contracts\TransactionalNotification;
 use App\Models\Plugin;
 use Illuminate\Bus\Queueable;
 use Illuminate\Contracts\Queue\ShouldQueue;
 use Illuminate\Notifications\Messages\MailMessage;
 use Illuminate\Notifications\Notification;
 
-class PluginGranted extends Notification implements ShouldQueue
+class PluginGranted extends Notification implements ShouldQueue, TransactionalNotification
 {
     use Queueable;
 
diff --git a/app/Notifications/ProductGranted.php b/app/Notifications/ProductGranted.php
@@ -2,13 +2,14 @@
 
 namespace App\Notifications;
 
+use App\Contracts\TransactionalNotification;
 use App\Models\Product;
 use Illuminate\Bus\Queueable;
 use Illuminate\Contracts\Queue\ShouldQueue;
 use Illuminate\Notifications\Messages\MailMessage;
 use Illuminate\Notifications\Notification;
 
-class ProductGranted extends Notification implements ShouldQueue
+class ProductGranted extends Notification implements ShouldQueue, TransactionalNotification
 {
     use Queueable;
 
diff --git a/package-lock.json b/package-lock.json
diff --git a/resources/views/livewire/order-success.blade.php b/resources/views/livewire/order-success.blade.php
diff --git a/tests/Feature/CustomerAuthenticationTest.php b/tests/Feature/CustomerAuthenticationTest.php
diff --git a/tests/Feature/Livewire/OrderSuccessTest.php b/tests/Feature/Livewire/OrderSuccessTest.php
diff --git a/tests/Feature/MobilePricingTest.php b/tests/Feature/MobilePricingTest.php
diff --git a/tests/Feature/SuppressMailNotificationListenerTest.php b/tests/Feature/SuppressMailNotificationListenerTest.php
