client should have a recovery token

[scusi]

The client/user should get a token up on registering which can be used to:

• delete the secureShare server account
• set new minilock keys for a given userID in case the current minilock keys are not available anymore to the user.

[scusi]

the server does issue the RecoveryToken to the client. the server must only keep an scrypted hash of the issued token and the salt used to scrypt the token

Up on usage of the token by the user, the server verifies:

• the token is valid by comparing the hash of the actual token with the stored hash
• AND that the token has not been used before

If token is valid and has not been used already the requested action is performed and the token is marked as used.

Based on the requested action the client/user gets issued a new recovery token. If the requested action was an account deletion no new token will be issued.