Reset password from token

[si]

Final part of forgotten email user journey now that email is sent to the user with a token to reset it.

COA

1. Token must still be valid (decode, split by colon, check date is today)
2. User must enter password twice
3. New password must be validated
4. Token is cleared out once complete
5. Email sent to user of updated password
6. Session flash tells user their password is updated