MantisBT: master-2.26 b12b1f8b

Author: dregad
Committer: dregad
Branch: master-2.26
Timestamp: 2024-05-05 20:18
Parent: master-2.26 92d11a01
Affected Issues: 0034433: CVE-2024-34077: Account Takeover in Password Reset and Account Registration Feature
Changeset

Use g_reauthentication_expiry to set token timeout

The timeout of the account verification token (TOKEN_ACCOUNT_VERIFY) is
now set based on the $g_reauthentication_expiry config, instead of the
TOKEN_EXPIRY_AUTHENTICATED constant.

With default settings this does not change the system's behavior, but
ensures there is a consistent timeout with other "secure" pages that
require reauthentication and allows the admin to change the timeout,
which was not possible before.

The timeout is applied regardless of whether reauthentication is
enabled or not.

mod - verify.php