Password reset email should be configurable

[SLaks]

https://github.com/lefnire/derby-auth/blob/master/index.js#L316-L322

HabitRPG shouldn't be hard-coded anywhere in this library.

Some other issues:

• The username and new password should be HTML-escaped
• This allows attackers to bother users by resetting their passwords every 5 minutes; you should have some kind of verification before resetting (or, better yet, a single-use expiring link in the email that lets the user enter a new password)

[SLaks]

I'm not using derby-auth at all; these are just issues that ought to be fixed.

[lefnire]

noted, marking up to important. Thank SLaks