This might be a security concern, even though the user will have to
provide an email to retrieve user information.
This functionality is needed by Team management functionality because
expecting users to add a user by id is hard.
TODO: explore other options. Maybe add public profiles and request the
user to go to the profile to invite a user to a team?
Also fix the CSRF token. This was probably broken since the csurf middleware
was modified to use a cookie instead of session storage to provide support
for a single-page app (SPA).