Thoughts:

If config option online_password_recovery (or somesuch) is set, have
roundup/cgi/actions.py:PassResetAction::handle() destroy the OTK.

Generate/save a new OTK (1) with a short lifetime (10 minutes??) to be
used as an authenticator for the user.

Then raise a redirect to the user.pwreset.html template with a new
OTK.

The pwreset template replicates only the password fields from the
user.item.html template. It submits to the pwreset action.

Create a new action: ResetPassword that expects the OTK and passwords.
Sets the password of the user in the OTK if both passwords are the
same. Destroys the OTK.

If passwords aren't the same, redirect to the pwreset template
reporting password mismatch. Not sure if this needs a new OTK or can
reuse OTK (1).  Need to limit this cycle. Consider regenerating OTK
with counter. So OTK (2) has a counter=2 and limit to 3 or 5
attempts. Then user needs to go back to generating email with OTK.