Originally we used SHARED secret both for email and for the API. That
was a bad idea, and now that we're only using this value for one case,
I've renamed it to reflect its actual use.
After tinkering with this for about 2 hours, I'm reasonably sure this
ever worked. This feature was added by me in haste and poked by by the
occasional contributor, and it suffered from neglect.
* Removed the requirement for signature generation in favour of simply
requiring BasicAuth or a valid session id.
* Fixed a number of bugs in the form itself that would have ensured that
the form never accepted anything.
* Documented it all properly so now (hopefully) people will have less
trouble figuring it out in the future.
