Self-service Password Reset: Rename to "Account Recovery" and audit/tidy

[HeyJoel]

When we add the ability for an admin user to reset a password, we should better clarify the naming of the current self-service "forgot password" feature, renaming it from "Password Reset" to "Account Recovery". We should also audit the functionality and check we're happy with how it works within the scope of the larger task to review User Areas as a whole.

[HeyJoel]

Fixed, will be released in v0.10:

• Self-service "Password Reset" renamed "Account Recovery" to avoid confusion with a forced password reset by an admin user.
• Account recoverycompletion date is now captured.
• Account recovery requests are now invalidated when a user logs in, changes their password or their contact email address is changed.
• ValidateUserAccountRecoverytRequestQuery now returns the standard ValidationQueryResult that uses error codes rather than an enum, which is better suited to API responses. The constants in UserAccountRecoverytErrorCodes.RequestValidation can be used in place of the enum to match codes if you need similar functionality.
• The reset url parameters have been combined into a single token to make it easier to consume. The database field "Token" has been renamed "AuthenticationCode" to differentiate it from the singular url token.
• Added UserSettings.AccountRecovery with configurable max attempts settings
• AuthenticationSettings.NumHoursPasswordResetLinkValid is now UserSettings.AccountRecovery.ValidityPeriod
• Moved the UrlBase parameter out of InitiateUserAccountRecoveryRequestCommand and into UserSettings.AccountRecovery.RecoveryUrlBase
• Urls in Mail templates now receive fully qualified urls in order to simplify templates.
• Password reset codes now evaluate in constant time to mitigate timing attacks