Implement password reset flow for API users #778

Open
2 tasks
dwinston opened this issue Nov 15, 2024 · 4 comments · May be fixed by #779
Labels
enhancement New feature or request

Comments

@dwinston
Collaborator

dwinston commented Nov 15, 2024

The Pain

Currently, API users without administrative privileges cannot change/reset/update their passwords (for use in password-based auth). For an administrator to reset a user's password, they currently

  1. create a new temporary user, issue a direct database command to set the value of the requesting user's hashed password to that of the temporary user, and delete the temporary user (as @eecavanna reported doing in Write a script an admin could use to create and configure a new user account #311 (comment)), or
  2. delete and recreate the user with the same username, etc.

The Dream

As an API user,
instead of asking an admin to manually provide me with a new password,
I want to reset my password through email/orcid verification by myself so that I have a new password to use (and securely save) within a few minutes.

The Fix (i.e., Acceptance Criteria)

  • Given that I remember and still have access to the email address associated with my API user record, when I call a reset-password endpoint with my email address as a request parameter, then I'll get a one-time magic link via email from which I can render and save a new, secure password.
  • Given that I remember and still have access to the ORCiD account associated with my API user record, when I call a reset-password endpoint while authenticated via the ORCiD auth flow, then I'll get a one-time magic link via JSON response from which I can render and save a new, secure password.

Alternatives
Status quo. <joke>How often do users lose their passwords, anyway?</joke>

Additional context
Private communication with @shreddd via NMDC Slack raising this issue.

@dwinston dwinston added the enhancement New feature or request label Nov 15, 2024
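One way to implement the one-time magic-link flow described in the acceptance criteria above, as an added example that is not code from this thread or from the project itself. It assumes in-memory dictionaries standing in for the user and reset-token stores, a PBKDF2 stand-in for the project's real password hasher, and a constructed sample user `alice@example.org`; the token is returned from `request_reset` only so the flow can be exercised offline, where the real endpoint would put it in the email.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

RESET_TTL_SECONDS = 15 * 60

# Constructed in-memory stand-ins for the user store and the reset-token store.
USERS = {"alice@example.org": {"pw_hash": None}}
_PENDING_RESETS = {}  # sha256(token) -> {"email": ..., "expires_at": ...}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2 stand-in for the project's password hasher (assumption)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def request_reset(email: str, now: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """Step 1: caller supplies the email; a one-time token is issued if it is known.
    The response text is identical either way, so the endpoint does not reveal
    which addresses have API user records. Only a hash of the token is stored."""
    now = time.time() if now is None else now
    token = None
    if email in USERS:
        token = secrets.token_urlsafe(32)  # in production this goes only into the email
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        _PENDING_RESETS[token_hash] = {"email": email, "expires_at": now + RESET_TTL_SECONDS}
    return "If that address is registered, a reset link has been sent.", token


def consume_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Step 2: the magic link presents the token. It is removed on first use,
    whether or not it turns out to be valid, so it can never be replayed."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    entry = _PENDING_RESETS.pop(token_hash, None)
    if entry is None or entry["expires_at"] < now:
        return False
    USERS[entry["email"]]["pw_hash"] = hash_password(new_password)
    return True
```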
@shreddd
Collaborator

shreddd commented Nov 16, 2024

@dwinston - I think we could do something much simpler, and simply allow the admin an endpoint to update the user. I am prototyping an implementation for this.

@shreddd
Collaborator

shreddd commented Nov 16, 2024

OK - I made a branch that implements an update_user endpoint:

See: main...update_password

Couple of side notes:

  • I made a test function for the new code, test_update_user, to mirror test_create_user.
  • However, I noticed we were skipping test_create_user - any idea why?
  • I also noted a @retry decorator on the get_token function - wasn't clear why this was there and if this was related to the skip.

FWIW tests are passing for me locally.

@eecavanna
Collaborator

Hi @shreddd, I'm going to create a draft PR from that branch so that we can annotate the changes with comments.

@eecavanna
Collaborator

I created this draft PR (#779) and designated @dwinston as a reviewer of it. I could not designate myself as a reviewer, (I think) since I was the creator. I will review it now, though.

@eecavanna eecavanna changed the title password reset flow for API user Implement password reset flow for API users Nov 18, 2024
3 participants