feature request: password reset link in email rather than temp password #873

Open
stevenolen opened this issue Dec 1, 2015 · 0 comments
@stevenolen

A big user complaint is having to copy/paste the temp password that gets sent in order to log in again. It is a bit awkward and novice users have trouble with this action. It's a much more common procedure to send a one-time password reset link that, if clicked during the short window, will allow the user to set a new password. Current and proposed flows below:

Current flow:

  • user forgets password
  • user enters username and email and client sends request to user/reset_password
  • (assuming user exists) server generates password, marks account as new_account and sends password to user via email
  • user copies password from email and logs in with this user/pw combo
  • since new_account is set, user is forced to change password

Proposed flow:

  • user forgets password
  • user enters username and email and client sends request to user/reset_password
  • (assuming user exists) server generates a password reset code (which expires in 30 minutes) and sends link to user.
  • user clicks link in email and is directed to client to set a new password.
    • this should work similarly to the user/activate api -- the generated link allows the frontend to query an endpoint to see if the request was successful and if so, prompt user to set a new password.
  • Once reset the user will need to log in again, as the process won't contain the user's username

Thoughts?
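
An added sketch of the proposed flow's server side, not part of the original issue and not the project's code: a one-time reset code that expires after 30 minutes, is stored only as a hash, and is consumed when the new password is set. `ResetCodeStore`, its method names and the `set_password` callback are hypothetical; the in-memory dict stands in for the real user store.

```python
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 30 * 60  # the 30-minute window from the proposed flow


class ResetCodeStore:
    """In-memory stand-in for the server's storage (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be tested
        self._pending = {}    # sha256(code) -> (username, expires_at)

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, username):
        """Create a reset code for the emailed link; only its hash is kept."""
        # A new request invalidates earlier codes, so only the newest link works.
        self._pending = {d: v for d, v in self._pending.items()
                         if v[0] != username}
        code = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + RESET_TTL_SECONDS
        self._pending[self._digest(code)] = (username, expires_at)
        return code

    def _lookup(self, code):
        entry = self._pending.get(self._digest(code))
        if entry is None or self._clock() >= entry[1]:
            return None
        return entry[0]

    def check(self, code):
        """Non-consuming check the frontend calls after the link is clicked.
        Returns only a boolean, so the username is never sent to the client."""
        return self._lookup(code) is not None

    def redeem(self, code, new_password, set_password):
        """Set the new password and consume the code; a code works once."""
        username = self._lookup(code)
        self._pending.pop(self._digest(code), None)  # drop used/expired codes
        if username is None:
            return False
        set_password(username, new_password)
        return True  # caller then sends the user to the normal login page
```

Storing the hash rather than the code means a read-only leak of the pending table does not yield working reset links.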
