
Add settings for mail_validation to allow for reusable and time-expiring codes #202

@scottp-dpaw

Description

We have a number of apps deployed with PSA set up in email authentication mode. For the most part it works okay, but since the introduction of single-use code verification the process falls over for a small number of users:

  • User asks for a verification email to log in
  • Verification email is sent to the user with a code
  • Awful security appliance on user's network intercepts the email/the user's session and visits the link first, eating the session cookie
  • Awful security appliance gets a 302 and hands that back to the user
  • User gets told that their token has expired and to try again
  • Repeat

To fix this, we've added two optional settings:

  • EMAIL_VALIDATION_ALLOW_REUSE (bool): validate_email() will not return False for verified codes
  • EMAIL_VALIDATION_EXPIRED_THRESHOLD (int): validate_email() will return False if the code has a timestamp and is more than [int] seconds in the past
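The following is an added, stand-alone model of the two settings described above; it is not python-social-auth's own code, and the `Code`, `Settings`, `validate_email()` and `run_scenario()` names are assumptions chosen for this example. It replays the sequence from the description (an appliance follows the link first, the real user follows it a few seconds later) under each combination of settings, so the effect of `EMAIL_VALIDATION_ALLOW_REUSE` and `EMAIL_VALIDATION_EXPIRED_THRESHOLD` can be seen directly.

```python
"""Illustrative model of reusable / time-expiring verification codes.

Written for this page; not python-social-auth's implementation. The class and
function names below are assumptions, as are the constructed sample values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


@dataclass
class Code:
    """A stored verification code (assumed shape, not PSA's storage model)."""
    email: str
    code: str
    verified: bool = False
    timestamp: Optional[datetime] = None


@dataclass
class Settings:
    """Mirrors the two optional settings from the description."""
    allow_reuse: bool = False                # EMAIL_VALIDATION_ALLOW_REUSE
    expired_threshold: Optional[int] = None  # EMAIL_VALIDATION_EXPIRED_THRESHOLD (seconds)


def validate_email(store: Dict[Tuple[str, str], Code], settings: Settings,
                   email: str, code: str, now: Optional[datetime] = None) -> bool:
    """Return True if (email, code) is acceptable under `settings`.

    The expiry check runs even when reuse is allowed, so a reusable code
    still stops working once it is older than the threshold.
    """
    now = now or datetime.now(timezone.utc)
    record = store.get((email, code))
    if record is None:
        return False
    # Single-use by default: an already-consumed code is rejected unless
    # EMAIL_VALIDATION_ALLOW_REUSE is set.
    if record.verified and not settings.allow_reuse:
        return False
    # Time-based expiry applies only when a threshold is configured and the
    # record carries a timestamp (older records may have none).
    if settings.expired_threshold is not None and record.timestamp is not None:
        age = (now - record.timestamp).total_seconds()
        if age > settings.expired_threshold:
            return False
    record.verified = True
    return True


def run_scenario(settings: Settings, user_delay_seconds: int = 5) -> Tuple[bool, bool]:
    """Replay the description's sequence: an appliance visits the link one
    second after issue, then the real user visits `user_delay_seconds` later.

    Returns (appliance_result, user_result).
    """
    issued = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed issue time
    email, code = "alice@example.com", "abc123"                # constructed sample values
    store = {(email, code): Code(email, code, timestamp=issued)}
    appliance = validate_email(store, settings, email, code,
                               now=issued + timedelta(seconds=1))
    user = validate_email(store, settings, email, code,
                          now=issued + timedelta(seconds=user_delay_seconds))
    return appliance, user


if __name__ == "__main__":
    print("default (single-use):      ", run_scenario(Settings()))
    print("reuse allowed, no expiry:  ", run_scenario(Settings(allow_reuse=True)))
    print("reuse allowed, 10 min TTL: ", run_scenario(Settings(allow_reuse=True, expired_threshold=600)))
    print("reuse allowed, TTL elapsed:", run_scenario(Settings(allow_reuse=True, expired_threshold=600), 601))
```

With the defaults the appliance's visit consumes the code and the user is rejected, which is the failure mode described. Turning on reuse lets the user through, but without a threshold the code then stays valid indefinitely for anyone who can read the mailbox, so the two settings are meant to be used together: reuse plus a short threshold keeps the user's second visit working while bounding how long a leaked code remains usable.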

Metadata

Labels: stale (Stale issues, closing soon)

Development: No branches or pull requests