[1.5.12?] CVE-2021-29023: password reset rate limiting

[zeitschlag]

InvoicePlane 1.5.11 doesn't have any rate-limiting for password reset and the reset token is generated using a weak mechanism that is predictable.

• cve.mitre.org
• Exploit

[zeitschlag]

The idea is to do two things as a quick fix:

• We not only check if there's a user with this mail, but also if there's already a password reset token stored in the database for them. If so, we don't generate a new one. (L. 169)
• To harden things, we add a salt when it comes to hashing.

Feel free to add your thoughts :)

[UnderDogg]

See PR #743

[nielsdrost7]

refs #739