hoodiehq-archive / hoodie-plugin-users

⛔ deprecated

reset password can be used to lock someone out of their account #3

Open allain opened 11 years ago

allain commented 11 years ago

If I know your username, I can lock you out by creating a password reset request.

Yes, you'll get the email, but I can just keep requesting it. Why? Because you've insulted my family, and I'm a jerk.

I think the password reset should work a little differently to stop me from doing this:

  1. check if username exists
  2. generate password reset token and store it in the user's doc
  3. send out password reset token via email
  4. remove $resetPassword doc
  5. hoodie.account.resetPassword('reset_token', 'new_secret') gets called and creates a new $resetPassword doc with token and the new password as properties.
  6. check if username exists
  7. set password if token in reset request matches one in the user's doc
  8. remove $resetPassword doc

gr2m commented 10 years ago

@allain sorry for the long delay, we certainly should do a more sophisticated implementation like the one you suggest. Similar to signing up users, which does not have an email confirmation routine at the moment.

If you'd like to contribute on that, please go ahead, we're very happy to support! Otherwise we'll get back on this one asap ourselves.