Require password when modifying account recovery

tildes/tildes/templates/settings_account_recovery.jinja2

@@ -56,6 +56,11 @@
     <input class="form-input" id="email_address_note" name="email_address_note" placeholder="Description" maxlength="{{ note_max_length }}">
   </div>
 
+  <div class="form-group">
+    <label class="form-label col-4" for="password">Password</label>
+    <input class="form-input" id="password" name="password" type="password" placeholder="Password">
+  </div>
+
   <div class="form-buttons">
     <button class="btn btn-primary" type="submit">Save email address</button>
   </div>

tildes/tildes/views/api/web/user.py

@@ -70,13 +70,19 @@ def patch_change_password(
     request_param="ic-trigger-name=account-recovery-email",
     permission="change_settings",
 )
-@use_kwargs(UserSchema(only=("email_address", "email_address_note")), location="form")
+@use_kwargs(
+    UserSchema(only=("email_address", "email_address_note", "password")),
+    location="form",
+)
 def patch_change_email_address(
-    request: Request, email_address: str, email_address_note: str
+    request: Request, email_address: str, email_address_note: str, password: str
 ) -> Response:
     """Change the user's email address (and descriptive note)."""
     user = request.context
 
+    if not user.is_correct_password(password):
+        raise HTTPUnauthorized(body="Incorrect password")
+
     # If the user already has an email address set, we need to retain the previous hash
     # and description in the log. Otherwise, if an account is compromised and the
     # attacker changes the email address, we'd have no way to support recovery for the