Restrict sign-in to the browser initiating the sign-in
thoughtafter opened this issue · 0 comments
thoughtafter commented
Currently the token can be used from anywhere. It would be possible to store a secret as a cookie so that only the browser initiating the sign-in can use the transmitted token. However, this seems like an unlikely threat. The scenario that this seems to fix is an attacker who has not compromised the email but can intercept the email and use it before the user does. This would allow the attacker to access the account.
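The cookie-bound sign-in the issue proposes, as an added example that is not part of the original issue or the project's code: a magic-link flow in which the emailed token is only redeemable together with a secret set as a cookie on the browser that requested it, so a token lifted from the inbox is useless on its own. The in-memory PENDING store, the 15-minute TTL and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# In-memory stand-in for the server-side store (assumption: a real app would
# use its session store or database). Keyed by the hash of the email token so
# a leaked store does not yield usable tokens.
PENDING = {}
TOKEN_TTL_SECONDS = 15 * 60


def _digest(value):
    return hashlib.sha256(value.encode()).hexdigest()


def start_sign_in(email, now=None):
    """Begin a magic-link sign-in for `email`.

    Returns (email_token, browser_secret): the token goes into the emailed
    link, the secret is set as an HttpOnly cookie on the requesting browser.
    """
    now = time.time() if now is None else now
    email_token = secrets.token_urlsafe(32)
    browser_secret = secrets.token_urlsafe(32)
    PENDING[_digest(email_token)] = {
        "email": email,
        "browser_secret_hash": _digest(browser_secret),
        "expires_at": now + TOKEN_TTL_SECONDS,
    }
    return email_token, browser_secret


def complete_sign_in(email_token, browser_secret, now=None):
    """Redeem the emailed token; returns the email on success, else None.

    Succeeds only if the token is known, unexpired and accompanied by the
    cookie secret issued to the browser that started the sign-in.
    """
    now = time.time() if now is None else now
    key = _digest(email_token)
    record = PENDING.get(key)
    if record is None or now > record["expires_at"]:
        return None
    presented = _digest(browser_secret or "")  # missing cookie hashes to ""
    if not hmac.compare_digest(presented, record["browser_secret_hash"]):
        return None  # wrong or missing cookie: not the initiating browser
    del PENDING[key]  # single use: consumed on success
    return record["email"]
```

Return None for every failure so the response does not tell a caller whether the token or the cookie was the part that failed.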