- make the rate limiting for requesting password resets much more sensitive
NB: This rate limiting is applied per IP address.
- only allow 1 reset request at a time
NB: This is effectively a rate limit that is applied per user.
- try to mitigate timing attacks that may reveal a user's email address.
- Rewrite email body for password reset request to contain the username.
The username will be known to the person that requested the reset.
This should serve to reassure users that this is not a phishing mail.
- refactor to use time constants and proper errors
Changelog: Security