Changing the email address invalidates the current tokens, but
- doesn't warn the user about this
- doesn't mark invalid tokens in the Token List.
- the session token in use also becomes invalid, user should be redirected to login screen (and warned about this).
Changing the email address invalidates the current tokens, but