Goal

User should be able to update their email and password.
Problems and assumptions

1. Session validation - What should happen with existing sessions if the user changes their password? It seems that we should revoke all the existing sessions, as they were established using an old grant (old password).
2. API structure - Should this be one request (endpoint)? I think that changing the email without changing the password is a valid use case. This makes me think that those should be separate endpoints, or at least separate routines (business logic).
   - What should happen with existing sessions if the user changes their email? Should they be invalidated as well?
3. Permissions - Is changing the user's email/password by somebody else (e.g. admin) on our roadmap? If so, we should structure the API in a way that separates identifying the user whose credentials are changed from determining permissions for the actor requesting the change.
   - The same problem as in Delete User API is present as well. How are the backend SDK requests authorized in core?
4. Second factor authorization - Are there scenarios in which we should send a verification link (email, sms, notification) to authorize the change? Should this be done by core or backend SDK?