User can reset their password
If a password is forgotten, a password reset can be requested. A reset link will be emailed to the associated email address.
NOTE: We should take care not to leak valid emails/users, i.e. always respond "A reset link has been sent to your account" even if the user does not exist.
Thought: Should this be done only upon admin validation?