Store mail token inside session instead of behind redis key

[aktiur]

Currently, the mail token is stored directly inside Redis.

It means that it's entirely possible to start the auth process on one device, and then follow the confirmation link on another device, which may break the OAuth process.

For this reason, the mail token should be stored inside the session, ensuring that the second part of the process will happen on the same device that the first part.