Used dedicated email address change endpoint

refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-65p7-pjj8-ggmr

We were originally overloading the signup/signin flow for changing email
addresses, which was a security flaw because this route is
unauthenticated. This functionality has been removed and replaced with a
dedicated flow.

ghost/portal/src/actions.js

@@ -262,7 +262,7 @@ async function updateMemberEmail({data, state, api}) {
     const originalEmail = getMemberEmail({member: state.member});
     if (email !== originalEmail) {
         try {
-            await api.member.sendMagicLink({email, oldEmail: originalEmail, emailType: 'updateEmail'});
+            await api.member.updateEmailAddress({email});
             return {
                 success: true
             };

ghost/portal/src/utils/api.js

@@ -171,6 +171,30 @@ function setupGhostApi({siteUrl = window.location.origin}) {
             });
         },
 
+        async updateEmailAddress({email}) {
+            const identity = await api.member.identity();
+            const url = endpointFor({type: 'members', resource: 'member/email'});
+            const body = {
+                email,
+                identity
+            };
+
+            return makeRequest({
+                url,
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json'
+                },
+                body: JSON.stringify(body)
+            }).then(function (res) {
+                if (res.ok) {
+                    return 'Success';
+                } else {
+                    throw new Error('Failed to send email address verification email');
+                }
+            });
+        },
+
         async checkoutPlan({plan, cancelUrl, successUrl, email: customerEmail, name, metadata = {}} = {}) {
             const siteUrlObj = new URL(siteUrl);
             const identity = await api.member.identity();