Password reset email should be configurable #35
Description
https://github.com/lefnire/derby-auth/blob/master/index.js#L316-L322
HabitRPG shouldn't be hard-coded anywhere in this library.
Some other issues:
- The username and new password should be HTML-escaped
- This allows attackers to bother users by resetting their passwords every 5 minutes; you should have some kind of verification before resetting (or, better yet, a single-use expiring link in the email that lets the user enter a new password)