Make sure we correctly handle password reset from logged-in users

The password reset page is an unauthenticated endpoint. We might need to either make a separate endpoint for users who change their password while logged in, or have authentication be optional on the password reset endpoint and adjust our flow accordingly. Test the current behavior and optimize it to handle both the authed and unauthed case.