AuthManager: Don't invalidate BotPasswords if a password reset email is sent

There's a difference between addition of credentials, which doesn't
need to invaliate BotPasswords, and changing or removal of credentials,
which does.

It seems most straightforward for the caller of
AuthManager::changeAuthenticationData() to know which is intended, so
let's add a flag there.

Bug: T199809
Change-Id: Ib8405734e605b94f3f0b66596ad95784cb365e4f