SuperTokens is an open source authentication solution offering features like: Different types of login: Email / password, Passwordless (OTP or Magic link based).

SuperTokens.com

How to change user email?
Recipe: EmailPassword (later I'll move to ThirdPartyEmail recipe, so just want to learn the fundamentals here)

There is a function for that in the email password recipe

https://supertokens.com/docs/nodejs/modules/recipe_emailpassword.html#updateEmailOrPassword-1

This covers authentication itself or is it the responsibility of the backend to verify session and match current email first and then call this method?

Well. You should call this from an API that does session verification

So you know that the user is logged in and then they are changing their email