refactor send_user_email and gen_email_token interfaces

they're now generally safer against misuse. commits contain descriptions of the main interface changes and why they're done.

send_email is a raw interface that can't provide a lot of safety, larger work on email (like having a delivery queue) would be larger work in a separate issue.

fixes a bug where password resets would not work at all and report a 200 status code, as we gave the wrong argument to send_user_email.