Issue 2551155
Created on 2021-08-24 00:26 by rouilj, last changed 2024-01-12 02:45 by rouilj.
msg7330
Author: [hidden] (rouilj)
Date: 2021-08-24 00:26
The password reset email that is sent includes a one time key (OTK) to
reset the password. This OTK doesn't look like it is time
limited. It should be unusable after some period of time set in
the config file. This prevents replay of old unused password reset
emails.

Add new option [main] password_reset_timeout_in_sec. Value is the
number of seconds after which the password reset OTK is ignored.
Default 24 hours.

Note that the time is truncated to the nearest minute (we don't want to explain
to the user that the lifetime is 1h12m3s).

Change roundup/cgi/actions.py: PassResetAction::handle() to check the
__timestamp value for the one time key. If the difference between
__timestamp and the current time is greater than the timeout,
report that it has expired using add_error_message. If __timestamp
is not available, store the time.time() value in the OTK when
creating it.

Update the reset email text to include timeout info in hours/minutes.

Update the new password email to include the tracker url and a
recommendation to log in and change the password.
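The following is an added example, not Roundup's own code, sketching the check proposed in msg7330: an OTK stored with a creation `__timestamp`, a configurable timeout in seconds (default 24 hours) whose lifetime is truncated to whole minutes, an expiry check that rejects a stale key, and the hours/minutes text for the reset email. The dict-based `otk_store`, the names `create_otk`, `check_otk`, `format_lifetime` and `reset_email_text`, and the `now` parameter used to make the check testable are assumptions; Roundup's real OTK storage and its `add_error_message` call are not modelled.

```python
import time

# Default for the proposed [main] password_reset_timeout_in_sec option: 24 hours.
DEFAULT_TIMEOUT_IN_SEC = 24 * 60 * 60


def otk_lifetime(timeout_in_sec):
    """Lifetime in seconds, truncated to the nearest minute as the issue proposes."""
    return (int(timeout_in_sec) // 60) * 60


def format_lifetime(timeout_in_sec):
    """Hours/minutes wording for the reset email, e.g. '24 hours' or '1 hour 12 minutes'."""
    hours, rem = divmod(otk_lifetime(timeout_in_sec), 3600)
    minutes = rem // 60
    parts = []
    if hours:
        parts.append("%d hour%s" % (hours, "" if hours == 1 else "s"))
    if minutes:
        parts.append("%d minute%s" % (minutes, "" if minutes == 1 else "s"))
    return " ".join(parts) or "less than a minute"


def reset_email_text(tracker_url, timeout_in_sec):
    """Body of the reset email, including the OTK lifetime (hypothetical wording)."""
    return (
        "A password reset was requested for your account at %s.\n"
        "The reset link is valid for %s; after that it is ignored.\n"
        % (tracker_url, format_lifetime(timeout_in_sec))
    )


def create_otk(otk_store, key, uid, now=None):
    """Store a one time key with its creation time (assumed dict store: key -> entry)."""
    otk_store[key] = {"uid": uid, "__timestamp": time.time() if now is None else now}


def check_otk(otk_store, key, timeout_in_sec=DEFAULT_TIMEOUT_IN_SEC, now=None):
    """Validate a one time key against the configured timeout.

    Returns (status, entry_or_error). status is one of:
      'missing' - no such key; 'expired' - key older than the timeout and
      discarded; 'valid' - key usable, entry returned.
    An entry lacking __timestamp (created before this change) is stamped now,
    so it starts its countdown instead of living forever (assumption).
    """
    now = time.time() if now is None else now
    entry = otk_store.get(key)
    if entry is None:
        return "missing", "Invalid or unknown password reset key."
    ts = entry.get("__timestamp")
    if ts is None:
        entry["__timestamp"] = now
        return "valid", entry
    if now - ts > otk_lifetime(timeout_in_sec):
        del otk_store[key]  # one time key: drop it once it has expired
        return "expired", "The password reset key has expired (lifetime %s)." % (
            format_lifetime(timeout_in_sec))
    return "valid", entry


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock instead of time.time().
    store = {}
    create_otk(store, "abc123", "alice", now=1000.0)
    print(check_otk(store, "abc123", 4323, now=1000.0 + 4320))  # valid (1h12m)
    print(check_otk(store, "abc123", 4323, now=1000.0 + 4321))  # expired
    print(reset_email_text("https://tracker.example/", DEFAULT_TIMEOUT_IN_SEC))
```

Because the lifetime is truncated to whole minutes before comparison, a configured 4323 seconds (1h12m3s) behaves as exactly 1h12m, which matches the wording shown to the user.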
msg7331
Author: [hidden] (rouilj)
Date: 2021-08-24 00:31

See:
https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html
msg7615
Author: [hidden] (rouilj)
Date: 2022-07-23 22:53
It is time limited. The __timestamp property is set to now, and that means
it gets deleted in a week by the Client::clean_up method called during web page
load.

However, being able to control that with a config setting would be good.
Date | User | Action | Args
2024-01-12 02:45:41 | rouilj | set | title: Make password reset one time key time limited -> Make password reset one time key time limit configurable
2022-07-24 06:16:36 | rouilj | set | keywords: + StarterTicket
2022-07-23 22:53:41 | rouilj | set | messages: + msg7615
2021-08-24 00:31:41 | rouilj | set | messages: + msg7331
2021-08-24 00:26:26 | rouilj | create |