Always invalidate all user email tokens

Reported by B. Dhiyaneshwaran of Geek Freak.

src/User/Command/ConfirmEmailHandler.php

@@ -53,7 +53,8 @@ class ConfirmEmailHandler
         $user->save();
         $this->dispatchEventsFor($user);
 
-        $token->delete();
+        // Delete *all* tokens for the user, in case other ones were sent first
+        $user->emailTokens()->delete();
 
         return $user;
     }

src/User/User.php

@@ -614,6 +614,16 @@ class User extends AbstractModel
         return $this->hasMany('Flarum\Notification\Notification');
     }
 
+    /**
+     * Define the relationship with the user's email tokens.
+     *
+     * @return \Illuminate\Database\Eloquent\Relations\HasMany
+     */
+    public function emailTokens()
+    {
+        return $this->hasMany(EmailToken::class);
+    }
+
     /**
      * Define the relationship with the permissions of all of the groups that
      * the user is in.