Resolve "Alternative change password api to use email backup code instead of old password"

Closes #19 (closed)

Review can be me explaining it.

The normal change password api requires the old password. This is just a variant of that which uses the backup email token instead.

If an attacker gained access to a user's email AND an auth token - they could change the user's data (but not decrypt unless they also had a private key somehow).

This includes some tests in the "Test the API, not the entire thing" style.