Rationale
It is common for login forms to have a reset password link for users that have forgotten their password. This enables users to reset their password themselves without needing to contact the system administrator or support.
There have been several topics about this feature:
Proposal
The design should be similar to that implemented in the web_user module and follow these guidelines: Forgot Password - OWASP Cheat Sheet Series
A new anonymous RPC method common.db.reset_password will allow a user who is not logged in to request a password reset. A configuration setting will allow this to be deactivated if required.
When a password reset is started, the User.reset_password method will generate a temporary password and send it to the user via email. This password will expire after a set (configurable) amount of time. Any attempt to reset the password again before the temporary password expires is ignored.
Until a new password is set the user’s existing password continues to work. As soon as a new password is set any temporary passwords are cleared and will no longer work.
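The reset lifecycle described above (temporary password issued and mailed, repeat requests ignored until it expires, existing password still valid, temporary password cleared once a new one is set), as an added stand-alone example; this is not Tryton's code and the UserAccount class, the fixed TEMP_PASSWORD_TTL and the in-memory "sent mail" list are assumptions standing in for the real model, configuration and mailer:

```python
import hashlib
import hmac
import secrets

TEMP_PASSWORD_TTL = 15 * 60  # seconds; stands in for the configurable expiry


class UserAccount:
    """Toy model of one user record (assumption, not Tryton's User model)."""

    def __init__(self, password, *, reset_enabled=True):
        self._salt = secrets.token_bytes(16)
        self._password_hash = self._hash(password)
        self._temp_hash = None          # hash of the outstanding temporary password
        self._temp_expires_at = 0.0     # absolute time (seconds) when it expires
        self.reset_enabled = reset_enabled  # the "deactivate resets" setting
        self.sent_mail = []             # stands in for the outgoing e-mail queue

    def _hash(self, value):
        # Salted PBKDF2 so neither stored value is a plain digest of the secret.
        return hashlib.pbkdf2_hmac("sha256", value.encode(), self._salt, 50_000)

    def reset_password(self, now):
        """Start a reset. Returns True if a temporary password was issued."""
        if not self.reset_enabled:
            return False
        if self._temp_hash is not None and now < self._temp_expires_at:
            return False  # an unexpired temporary password exists: request ignored
        temp = secrets.token_urlsafe(12)
        self._temp_hash = self._hash(temp)
        self._temp_expires_at = now + TEMP_PASSWORD_TTL
        self.sent_mail.append(temp)  # "send" it to the user's address
        return True

    def check_password(self, candidate, now):
        """The existing password keeps working; the temporary one only until expiry."""
        digest = self._hash(candidate)
        if hmac.compare_digest(digest, self._password_hash):
            return True
        if self._temp_hash is not None and now < self._temp_expires_at:
            return hmac.compare_digest(digest, self._temp_hash)
        return False

    def set_password(self, new_password):
        """Setting a new password clears any temporary password immediately."""
        self._password_hash = self._hash(new_password)
        self._temp_hash = None
        self._temp_expires_at = 0.0
```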
It seems like it only makes sense to allow “password” resets for the password session.authentications method. If other/additional authentication methods are in use then resetting the user’s “password” (or other login details) should probably be left to the administrator to do manually once they have verified the user’s identity.