Fix internal email bypasses
Added a check to prevent changing email to an internal email, and fixed an internal email registration bypass.
Perhaps we should also prohibit password login for internal emails (in production).
Closes #571
Closes #577