refactor send_user_email and gen_email_token interfaces
they're now generally safer against misuse. commits contain descriptions of the main interface changes and why they're done.
send_email
is a raw interface that can't provide a lot of safety, larger work on email (like having a delivery queue) would be larger work in a separate issue.
fixes a bug where password resets would not work at all and report a 200 status code, as we gave the wrong argument to send_user_email.
Edited by luna