@sandhose commented Mar 11, 2025

This can be reviewed commit-by-commit:

  • Stop writing to the old email confirmation-related tables
  • Allow removing email addresses in bulk
  • Remove user emails when deactivating a user
  • Add a deactivated_at flag on users
  • Repository method to deactivate a user.
  • Mark the user as deactivated in the user deactivation job
  • Better error pages when a user is deactivated or locked
  • Proper error when the account is deactivated or locked on upstream SSO login
  • syn2mas: import the deactivation and locked status independently

There are three big parts of this:

  • now deactivation will remove any email addresses that are associated with the user
  • deactivation is now a permanent flag, separate from the locked flag
  • we now display nice pages to the user when their account is deactivated, locked, or if the session has been remotely logged out

It also fixes an 'oopsie' that syn2mas did not actually import the 'locked' status of a user.

The three things that still need doing:

  • right now we still show an 'invalid credentials' error on password login instead of the proper 'your account is locked/deactivated' page
  • now we show an error if your session was remote-logged out. That can potentially confuse users using the session timeout feature? Not sure about this one
  • we lose the context of what we were doing when we show the fallback pages right now. We should initiate a logout with the right 'post auth action', so that the user can try logging back in with another account and continue doing whatever they were doing

The new screens look like this:

[three screenshots]

cloudflare-workers-and-pages bot commented Mar 11, 2025

Deploying matrix-authentication-service-docs with Cloudflare Pages

Latest commit: ea955b8
Status: ✅  Deploy successful!
Preview URL: https://ceb63a5e.matrix-authentication-service-docs.pages.dev
Branch Preview URL: https://quenting-deactivation-cleanu.matrix-authentication-service-docs.pages.dev

@sandhose requested a review from reivilibre March 11, 2025 16:39
@sandhose added the A-Account-Management (Related to self-service account management) and T-Enhancement (New feature of request) labels Mar 12, 2025
@sandhose merged commit 7823f21 into main Mar 12, 2025
30 checks passed
@sandhose deleted the quenting/deactivation-cleanup branch March 12, 2025 07:55