Area: Integration / API (audit p13) · Surface: /unsubscribe/{category} (one-click unsubscribe confirm) · Dimension: Law 1 polish / unauthenticated UX · Severity: minor
The confirm page is designed for unauthenticated email recipients (RFC 8058 one-click), yet its only follow-up link points to an auth-gated route. For a logged-out recipient this dead-ends at the login screen with no context, which is a rough edge on an otherwise clean transactional page.
Evidence
platform/templates/unsubscribe/confirm.php:34 `…re-enable any of these later from <a href="/notifications/preferences" class="link">your notification preferences</a>.` The unsubscribe routes are in the PUBLIC group (platform/src/routes.php:506 `$router->get('/unsubscribe/{category}', …)` with no AuthMiddleware), but /notifications/preferences is inside the authenticated group (routes.php:775 `$router->group('', [… AuthMiddleware::class …]` … :1016 `$router->get('/notifications/preferences', …)`). A recipient who clicked the unsubscribe link straight from email (no active session) and then clicks 'your notification preferences' is redirected to the login page rather than reaching the preferences.
Suggested fix. Any of: (a) gate the link, rendering the 'your notification preferences' anchor only when $currentUser is set; (b) make the copy login-aware ('Sign in and visit your notification preferences to re-enable'); or (c) after a successful POST, land the recipient on a page that offers re-subscribe inline, so no authenticated route is needed.
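Added example (not the audited project's code) of options (a) and (b) combined in one template helper: the auth-gated link is rendered only when $currentUser is set, otherwise the copy tells the recipient to sign in first. The /login route and its next parameter are assumptions, and $category is treated as untrusted input.

```php
<?php
// Added example, not the project's own template code. Assumptions:
// $currentUser is null when there is no active session; the /login route and
// its ?next= parameter are hypothetical; $category is the {category} path
// segment from /unsubscribe/{category} and is treated as untrusted input.

declare(strict_types=1);

function renderReEnableCopy(?object $currentUser, string $category): string
{
    // The category comes from the URL: escape it before echoing into HTML.
    $safeCategory = htmlspecialchars($category, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    if ($currentUser !== null) {
        // Authenticated recipient: /notifications/preferences is reachable,
        // so the existing link is appropriate.
        return sprintf(
            'You have unsubscribed from %s. You can re-enable it later from '
            . '<a href="/notifications/preferences" class="link">your notification preferences</a>.',
            $safeCategory
        );
    }

    // Unauthenticated recipient (clicked straight from email): do not point at
    // an auth-gated route without context. Say that sign-in is required and
    // carry the destination so the login handler can return them there.
    // The login handler must only honour relative paths in next= to avoid
    // turning it into an open redirect; here the value is fixed server-side.
    $next = rawurlencode('/notifications/preferences');
    return sprintf(
        'You have unsubscribed from %s. To re-enable it later, '
        . '<a href="/login?next=%s" class="link">sign in</a> and visit your notification preferences.',
        $safeCategory,
        $next
    );
}

// Usage from the confirm template, where the controller supplies both values.
// Constructed sample values are used when running this file stand-alone.
echo renderReEnableCopy($currentUser ?? null, $category ?? 'weekly-digest'), PHP_EOL;
```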
Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.
Patrick Bass
@mobieus