`/auth/changepassword` doesn't require secure access token

[Eldemarkki]

The API specification says that the /auth/changepassword endpoint requires a secured access token but in reality it doesn't. We should either remove the requirement from the API documentation, or change the logic to require it.

I'd recommend just removing it from the API docs and keeping the implementation as is, because the endpoint requires the same values as the secure access token generation endpoint, so requiring SAT for changing password doesn't really provide any benefits.