Allow password reset email to be sent to any verified email address

Description

Currently the password reset email is only sent to the primary email address. If a user loses access to their primary email address, they should still be able to receive the password reset email if they have a secondary email address in their profile.

Proposal

Send the password reset email to whichever email address the user has requested, as long as it is verified.

This is somewhat tricky because we're overriding Devise behavior. Devise uses the Recoverable#send_reset_password_instructions_notification method to send the notification. Inside that method it uses send_devise_notification. By default it sends empty opts, but the opts hash should accept a to value.

I think we can override the method by creating User#send_reset_password_instructions_notification and calling the same send_devise_notification method with our own to values. We should only send to confirmed email addresses.

For details, see:

Please update the description as refinement occurs.

Implementation note

This feature should be configurable at the instance level. Admins should have the ability to keep the existing behaviour of only allowing password resets to be sent to the primary email address.

Edited by Cynthia "Arty" Ng
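
The override proposed above, as an added sketch in plain Ruby; it is not GitLab's or Devise's own code. `Email`, `Settings`, the `reset_to_any_verified_email` toggle, the extra `requested` argument and the fallback to the primary address are assumptions, and `send_devise_notification` is a stand-in that records the call instead of sending mail.

```ruby
# Added example: plain-Ruby stand-ins, no Devise or Rails required.
# Email, Settings and the setting name are hypothetical.
Email = Struct.new(:address, :confirmed)

module Settings
  class << self
    attr_accessor :reset_to_any_verified_email # hypothetical instance-level toggle
  end
  self.reset_to_any_verified_email = true
end

class User
  attr_reader :primary_email, :emails, :sent

  def initialize(primary_email, emails)
    @primary_email = primary_email
    @emails = emails
    @sent = []
  end

  # Stand-in for Devise's send_devise_notification(notification, *args);
  # it records the call instead of delivering mail.
  def send_devise_notification(notification, token, opts = {})
    @sent << { notification: notification, token: token, to: opts.fetch(:to, primary_email) }
  end

  # Pick the recipient from stored records only. The submitted value is a
  # lookup key and never becomes the destination itself.
  def reset_recipient(requested)
    return primary_email unless Settings.reset_to_any_verified_email
    return primary_email unless requested.is_a?(String) # reject arrays, hashes, nil

    wanted = requested.strip.downcase
    match = emails.find { |e| e.confirmed && e.address.downcase == wanted }
    match ? match.address : primary_email # assumed fallback: primary address
  end

  # Override in the shape the issue proposes: same notification, own :to value.
  def send_reset_password_instructions_notification(token, requested = nil)
    send_devise_notification(:reset_password_instructions, token, to: reset_recipient(requested))
  end
end
```

The mail always goes to an address read back from the user's own confirmed records, so an unconfirmed or malformed submitted value cannot redirect the reset token.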