Email verification feature incomplete (is_verified field unused)

[gzark1]

Description

The is_verified field exists on the User model and email verification endpoints exist, but the feature is non-functional and the field is never used for access control.

Steps to Reproduce

1. Register a new user - is_verified is False
2. Call POST /auth/request-verify-email - returns 202 but no email sent
3. User has no way to get verification token
4. User can access all features despite is_verified=False

Expected Behavior

Either:

• Email verification should work (send email, user verifies, gains access to features)
• Or is_verified should be removed/hidden if not needed

Actual Behavior

• is_verified=False for all users (except seeded admin)
• No email sent when requesting verification
• Nothing in the app checks is_verified - users have full access regardless
• Field is only displayed in admin UI

Root Cause

1. No email backend configured
2. on_after_request_verify hook not implemented in UserManager
3. No routes use current_verified_user dependency - only current_active_user is used
4. No frontend UI for email verification

Files involved:

• backend/api/auth.py:38-42 - mounts verify_router
• backend/core/user_manager.py - missing on_after_request_verify hook
• backend/core/users.py - only defines current_active_user, not current_verified_user

Possible Solutions

1. Option A: Implement full email verification

   • Configure email backend
   • Implement on_after_request_verify hook
   • Add frontend verification UI
   • Decide which routes require verified users and use current_verified_user

2. Option B: Remove if not needed

   • Don't mount get_verify_router()
   • Remove is_verified from API responses (or document it's not used)
   • Keep field in DB for potential future use