openly-rails
Allow users to change their email addresses
Once users sign up, they currently cannot change their email address. We should allow users to update their email address.
There are two requirements:
- A confirmation email sent to the current email address, so that we can make sure the change is being made by the account owner (and not a hacker trying to gain control)
- A confirmation email sent to the new email address, so that we can confirm that the new email address is valid
Alternative approach:
Confirmation email is only sent to the new email address but email change must be confirmed by password. This allows for at least partial validation.
It leaves a key vulnerability insofar as a hacker with access to the user's password can get full control over the user's account. In the approach described above, they at least also need access to the user's email account.
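A sketch of the two-confirmation flow from the first approach, added here as an illustration and not taken from the openly-rails code base. The class name, method names, token lifetime and the Hash standing in for a user record are all assumptions.

```ruby
require 'securerandom'
require 'digest'
require 'openssl'

# Hypothetical model of a pending email change (not openly-rails code).
# The address is swapped only after BOTH tokens have been redeemed:
# one mailed to the current address, one mailed to the new address.
class EmailChangeRequest
  TTL = 3600 # seconds; assumed lifetime shared by both tokens

  attr_reader :new_email

  def initialize(new_email, now: Time.now)
    @new_email = new_email
    @expires_at = now + TTL
    @digests = {} # role => SHA-256 of token; raw tokens are never stored
    @confirmed = { current: false, new: false }
  end

  # Returns the raw token to embed in the mail sent for the given role.
  def issue_token(role)
    token = SecureRandom.urlsafe_base64(32)
    @digests[role] = Digest::SHA256.hexdigest(token)
    token
  end

  # Redeems a token for :current or :new. Returns true if accepted.
  def confirm(role, token, now: Time.now)
    return false if now > @expires_at || !@digests.key?(role)
    given = Digest::SHA256.hexdigest(token.to_s)
    # Constant-time comparison of two equal-length hex digests.
    return false unless OpenSSL.fixed_length_secure_compare(given, @digests[role])
    @confirmed[role] = true
  end

  def complete?
    @confirmed.values.all?
  end
end

# Applies the change to a user record (a plain Hash here) only when complete.
def apply_email_change(user, request)
  return false unless request.complete?
  user[:email] = request.new_email
  true
end
```

Because each role has its own token, a link delivered to the new address cannot stand in for the confirmation expected from the current one.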