Link for password reset

Bug #576643 reported by Rod
Affects: psiphon | Status: Fix Committed | Importance: High | Assigned to: Nurlan Turdaliev | Milestone: none

Bug Description

Currently, when a user requests a password change, the password is changed to a new random value by the server and the newly generated password is emailed to the user. This is non-standard and is also problematic if a user doesn't receive the new-password email for any reason.

The workflow should be as follows (see guest browsing/invites for a sample implementation):

1. User requests a password reset.
2. User receives an email with a unique and difficult-to-guess link code (similar to invite codes, i.e. https://proxy/reset_password?code=01234567890123456789)
    2a. The link expires after a time period that is configured in config.php (default to one week).
           (See invitation_ttl or email_candidate_ttl for sample implementation)
3. User browses to that link.
    3a. This page must be set as "noauth" in httpd.conf.
    3b. The link is only valid for all proxies to which the user is currently assigned.
    3c. This page must return 404 if the link code is invalid or not present.
4. User is presented with two fields to enter and confirm a new password.
5. If the two entered passwords match, the password is changed for the user.
6. The user is brought to the login screen.
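The six steps above, worked through as an added example (not Psiphon's code and not the fix that was committed). It keeps users and reset codes in in-memory arrays, uses constructed sample data, and the constants RESET_CODE_TTL and RESET_CODE_BYTES are assumptions standing in for the config.php values the report mentions; the handler returns the HTTP status the page would emit rather than rendering HTML. It also covers two things the list leaves implicit: the code is single-use, and every failure (missing, malformed, expired, wrong proxy) is the same 404 so the page leaks nothing about which codes exist.

```php
<?php
declare(strict_types=1);

// Assumed stand-ins for config.php values (hypothetical names; the real keys
// would mirror invitation_ttl / email_candidate_ttl).
const RESET_CODE_TTL   = 7 * 24 * 3600;   // 2a: link expires after one week by default
const RESET_CODE_BYTES = 16;              // 128 bits from the CSPRNG -> 32 hex chars

// Constructed sample data standing in for the user and reset-code tables.
$users = [
    'alice' => [
        'password_hash' => password_hash('old-secret', PASSWORD_DEFAULT),
        'proxies'       => ['proxy1.example', 'proxy2.example'],   // 3b: assigned proxies
    ],
];
$resetCodes = [];   // code => ['user' => name, 'expires' => unix timestamp]

// Steps 1-2: mint an unguessable single-use code and record its expiry.
function createResetCode(string $user, array &$codes, int $now): string
{
    $code = bin2hex(random_bytes(RESET_CODE_BYTES));
    $codes[$code] = ['user' => $user, 'expires' => $now + RESET_CODE_TTL];
    // The real flow would now email https://<proxy>/reset_password?code=$code.
    return $code;
}

// Step 3: resolve a presented code to a username, or null. Every null becomes
// a 404 (3c); unknown, malformed, expired and wrong-proxy are indistinguishable.
function lookupResetCode(?string $code, array $codes, array $users,
                         string $thisProxy, int $now): ?string
{
    if ($code === null || !preg_match('/^[0-9a-f]{32}$/', $code)) {
        return null;
    }
    $match = null;
    foreach ($codes as $stored => $entry) {
        if (hash_equals((string) $stored, $code)) {   // constant-time compare
            $match = $entry;
        }
    }
    if ($match === null || $now > $match['expires']) {
        return null;                                  // unknown or expired (2a)
    }
    if (!in_array($thisProxy, $users[$match['user']]['proxies'], true)) {
        return null;                                  // not a proxy this user is on (3b)
    }
    return $match['user'];
}

// Steps 5-6: change the password only if the two fields agree, then burn the code.
function completeReset(string $code, string $pw1, string $pw2, array &$codes,
                       array &$users, string $thisProxy, int $now): bool
{
    $user = lookupResetCode($code, $codes, $users, $thisProxy, $now);
    if ($user === null || $pw1 === '' || $pw1 !== $pw2) {
        return false;
    }
    $users[$user]['password_hash'] = password_hash($pw1, PASSWORD_DEFAULT);
    unset($codes[$code]);            // single use: the link is dead after success
    return true;
}

// Handler for /reset_password (served "noauth" per 3a). Returns the status the
// page should emit: 404 bad code, 200 show form (4), 400 mismatch, 303 to login (6).
function handleResetPage(array $query, array $post, array &$codes, array &$users,
                         string $thisProxy, int $now): int
{
    $code = $query['code'] ?? null;
    if (lookupResetCode($code, $codes, $users, $thisProxy, $now) === null) {
        return 404;
    }
    if ($post === []) {
        return 200;
    }
    $ok = completeReset((string) $code, (string) ($post['password'] ?? ''),
                        (string) ($post['confirm'] ?? ''), $codes, $users, $thisProxy, $now);
    return $ok ? 303 : 400;
}

// Walk-through against the constructed data; throws if any step misbehaves.
function expect(bool $ok, string $what): void
{
    if (!$ok) { throw new RuntimeException("failed: $what"); }
}
$now  = time();
$code = createResetCode('alice', $resetCodes, $now);
expect(handleResetPage(['code' => $code], [], $resetCodes, $users, 'proxy1.example', $now) === 200, 'valid link shows form');
expect(handleResetPage(['code' => $code], [], $resetCodes, $users, 'other.example', $now) === 404, 'wrong proxy is 404');
expect(handleResetPage([], [], $resetCodes, $users, 'proxy1.example', $now) === 404, 'missing code is 404');
expect(handleResetPage(['code' => $code], ['password' => 'new-secret', 'confirm' => 'typo'],
                       $resetCodes, $users, 'proxy1.example', $now) === 400, 'mismatch rejected');
expect(handleResetPage(['code' => $code], ['password' => 'new-secret', 'confirm' => 'new-secret'],
                       $resetCodes, $users, 'proxy1.example', $now) === 303, 'reset succeeds');
expect(password_verify('new-secret', $users['alice']['password_hash']), 'password changed');
expect(handleResetPage(['code' => $code], [], $resetCodes, $users, 'proxy1.example', $now) === 404, 'code is single use');
$late = createResetCode('alice', $resetCodes, $now);
expect(handleResetPage(['code' => $late], [], $resetCodes, $users, 'proxy1.example',
                       $now + RESET_CODE_TTL + 1) === 404, 'expired link is 404');
echo "reset flow OK\n";
```

Run it with `php reset_flow.php`. In a real deployment the code would be stored hashed (so a database read does not hand out live reset links), the lookup would be keyed by the hash rather than scanned, and the login page reached in step 6 should not indicate which account was reset.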

Revision history for this message
Adam P (adam+) wrote :
tags: added: category2
visibility: private → public
Adam P (adam+)
tags: added: category2.1
description: updated
tags: added: sprint3
Changed in psiphon:
status: New → Confirmed
importance: Undecided → High
description: updated (7 further times)
Changed in psiphon:
assignee: nobody → Nurlan (nurlan0000)
status: Confirmed → In Progress
Revision history for this message
Nurlan Turdaliev (nurlan0000) wrote :
Changed in psiphon:
status: In Progress → Fix Committed