Fix #4555: Invalidate sessions for deleted users

Fix three exploits that allowed one to keep using their account after it was deleted:

* It was possible to use session cookies from another computer to login after you deleted your account.
* It was possible to use API keys to make API requests after you deleted your account.
* It was possible to request a password reset, delete your account, then use the password reset link
  to change your password and login to your deleted account.

test/functional/passwords_controller_test.rb

@@ -33,6 +33,18 @@ class PasswordsControllerTest < ActionDispatch::IntegrationTest
         assert_equal(true, @user.user_events.password_change.exists?)
       end
 
+      should "not update the password when a deleted user tries to reset their password with a valid login key" do
+        @user.update!(is_deleted: true)
+        old_password = @user.bcrypt_password_hash
+
+        signed_user_id = Danbooru::MessageVerifier.new(:login).generate(@user.id)
+        put_auth user_password_path(@user), @user, params: { user: { password: "abcde", password_confirmation: "abcde", signed_user_id: signed_user_id } }
+
+        assert_response 403
+        assert_equal(old_password, @user.reload.bcrypt_password_hash)
+        assert_equal(false, @user.user_events.password_change.exists?)
+      end
+
       should "allow the site owner to change the password of other users" do
         @owner = create(:owner_user)
         put_auth user_password_path(@user), @owner, params: { user: { password: "abcde", password_confirmation: "abcde" } }