fix: sanity checks on user params

fixes #8801 (closed)

Includes a test reproducing 500 on lynx

We now make use of ActionController::Parameters require and permit methods.

Closes #8801 (closed)

app/controllers/api/users_controller.rb

@@ -53,7 +53,7 @@ module Api
     end
 
     def update
-      @user.account.update params[:user]
+      @user.account.update user_update_params
       respond_with @user
     end
 
@@ -67,6 +67,15 @@ module Api
 
     private
 
+    def user_update_params
+      params.require(:user).permit :login,
+        :password_verifier,
+        :password_salt,
+        :recovery_code_verifier,
+        :recovery_code_salt,
+        :public_key
+    end
+
     def release_handles
       current_user.is_monitor? || params[:identities] == "destroy"
     end