Oh hello, git.
I mean... "change 4e5882cb4b89bb084ba3a63d6060323a2b371f98".
Yeah. Hm.
Anyway, fix validation records so that we only store one and it
corresponds to the latest email address.
The validation record doesn't have an email address in it.
When we change the user's email address we create a validation record.
So, with the re-use, the following would work:
1) Set your email address to real.address@site.com, a validation email
is sent.
2) Don't click it! Instead, go back and change your email address to
fake.address@fakeyfake.com, another validation email is sent (but
bounces).
3) Click on the link in the first email. Ta-dah! You've "validated"
fake.address@fakeyfake.com!!
So: generate a new validation code every time we're asked to create
one for the user.
Right? Right?