password reset flow for API user

[dwinston]

The Pain

Currently, API users without administrative privileges cannot change/reset/update their passwords (for use in password-based auth). For an administrator to reset a user's password, they currently

1. create a new temporary user, issue a direct database command to set the value of the requesting user's hashed password to that of the temporary user, and delete the temporary user (as @eecavanna reported doing in https://github.com/microbiomedata/nmdc-runtime/issues/311#issuecomment-1936729900), or
2. delete and recreate the user with the same username, etc.

The Dream

As an API user, instead of asking an admin to manually provide me with a new password, I want to reset my password through email/orcid verification by myself so that I have a new password to use (and securely save) within a few minutes.

The Fix (i.e., Acceptance Criteria)

• [ ] Given that I remember and still have access to the email address associated with my API user record, when I call a reset-password endpoint with my email address as a request parameter, then I'll get a one-time magic link via email from which I can render and save a new, secure password.
• [ ] Given that I remember and still have access to the ORCiD account associated with my API user record, when I call a reset-password endpoint while authenticated via the ORCiD auth flow, then I'll get a one-time magic link via JSON response from which I can render and save a new, secure password.

Alternatives Status quo. <joke>How often do users lose their passwords, anyway?</joke>

Additional context Private communication with @shreddd via NMDC Slack raising this issue.

[shreddd]

@dwinston - I think we could do something much simpler, and simply allow the admin an endpoint to update the user. I am prototyping an implementation for this.

[shreddd]

OK - I made a branch that implements an update_user endpoint:

See: https://github.com/microbiomedata/nmdc-runtime/compare/main...update_password

Couple of side notes

• I made a test function for the new code test_update_user to mirror test_create_user
• However I noticed we were skipping test_create_user - any idea why?
• I also noted a @retry decorator on the get_token function - wasn't clear why this was there and if this was related to the skip. FWIW tests are passing for me locally.