A new endpoint (/reset-password) is now available that a client app
can POST the email of a user that forgot his/her password. The POST
message should be "form-encoded" and contain a simple "email=..."
parameter.

The server subsequently sends an email to the user with a link
containing a random "code". When the user visits the link, s/he can
resets the password and after that another email is sent to the user
notifying her about the change.