I have checked the repository for duplicate issues.
What feature do you want to see added?
If a user logs in from an unknown device/location, send them an email alerting them of this new login. In the email should be a button the user can click which will lock the user's PNID. Once the PNID is locked, it can NOT be used again, in any services, until a password reset is performed.
Why do you want to have this feature?
Linus from LMG was recently phished fairly easily, losing access to the LTT Twitter account. In order to try and prevent similar attacks against our users, the ability to lock the user's account should be added.
Any other details to share? (OPTIONAL)
Relies on tracking user login habits and on #107 (for storing tokens to lock accounts).
While this would do little by itself to prevent phishing attacks, since attackers can always make fake password reset/account lock pages to emulate ours, if implemented correctly this could be used for swift account recovery.
Once implemented, the first time a user logs in they will get the "new login location" email since we would have no previous login data. If we implement the "lock PNID" links to never expire then the user will ALWAYS have a method to lock their account no matter how much time has passed, by simply using the link in this email. This means that:
If a legitimate login attempt is made with stolen credentials, the user will get a new, legitimate email to lock their account.
If a fake email/page is shown to the user and they are phished, losing their account, then they can refer to a previous, legitimate email to lock their account.
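The flow described in this issue, as an added example that is not the project's own code: a small in-memory model of new-location detection, a mailed lock token that never expires, and a lock that revokes every active session until a password reset clears it. Everything here is assumed for illustration (the `LockService` class, the `(device_id, country)` fingerprint, the `outbox` list standing in for the mailer, and the `reset_password` check); the real account server's storage and session layout are not on the page.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    pnid: str
    locked: bool = False
    # (device_id, country) pairs seen before; a login from a new pair triggers the email
    known_logins: set = field(default_factory=set)
    # SHA-256 of every lock token ever mailed out; stored hashed so a database leak does
    # not hand out usable lock links, and never expired so any old email still works
    lock_token_hashes: set = field(default_factory=set)
    # session ids that other services would accept; emptied when the PNID is locked
    active_sessions: set = field(default_factory=set)


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class LockService:
    """Hypothetical service modelling the feature request; not Pretendo's code."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.outbox: list[dict] = []  # constructed stand-in for the mail sender

    def register(self, pnid: str) -> None:
        self.accounts[pnid] = Account(pnid)

    def login(self, pnid: str, password_ok: bool, device_id: str, country: str):
        """Return (status, session). Status is 'locked', 'denied', 'ok' or 'ok_new_location'."""
        acct = self.accounts[pnid]
        if acct.locked:
            return "locked", None  # locked PNIDs cannot log in anywhere until reset
        if not password_ok:
            return "denied", None
        session = secrets.token_urlsafe(16)
        acct.active_sessions.add(session)
        fingerprint = (device_id, country)
        if fingerprint not in acct.known_logins:
            # First login ever, or a new device/location: mail a lock link.
            acct.known_logins.add(fingerprint)
            token = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
            acct.lock_token_hashes.add(_hash_token(token))
            self.outbox.append({"to": pnid, "token": token,
                                "device": device_id, "country": country})
            return "ok_new_location", session
        return "ok", session

    def lock(self, pnid: str, token: str) -> bool:
        """Handler for the 'lock my PNID' button; idempotent, works for any past token."""
        acct = self.accounts.get(pnid)
        if acct is None:
            return False
        digest = _hash_token(token)
        if not any(hmac.compare_digest(digest, h) for h in acct.lock_token_hashes):
            return False
        acct.locked = True
        acct.active_sessions.clear()  # kick the attacker out of every service immediately
        return True

    def session_valid(self, pnid: str, session: str) -> bool:
        """What every other service should check before honouring a session."""
        acct = self.accounts.get(pnid)
        return acct is not None and not acct.locked and session in acct.active_sessions

    def reset_password(self, pnid: str, verified_out_of_band: bool) -> bool:
        """Only a reset proven through a separate channel (assumed here) clears the lock.
        Old lock tokens are deliberately kept valid so earlier emails still work."""
        acct = self.accounts[pnid]
        if not verified_out_of_band:
            return False
        acct.locked = False
        return True
```

The hashed-token store keeps the lock action safe to offer forever: a leaked table yields nothing an attacker can click, and a legitimate user can fall back to the very first "new login location" email, which is the property the issue is after. Locking also clears live sessions, which is what makes "can NOT be used again, in any services" true rather than only blocking new logins.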