auth: Reset failed authentication attempts on password reset.

It's natural that someone might try a wrong password 5 times, and then
go through a successful password reset; forcing such users to wait
half an hour before typing in the password they just changed the
account to seems unnecessarily punitive.

Clear the rate-limit upon successful password change.

zerver/lib/actions.py

@@ -4529,6 +4529,11 @@ def do_change_password(user_profile: UserProfile, password: str, commit: bool =
     user_profile.set_password(password)
     if commit:
         user_profile.save(update_fields=["password"])
+
+    # Imported here to prevent import cycles
+    from zproject.backends import RateLimitedAuthenticationByUsername
+
+    RateLimitedAuthenticationByUsername(user_profile.delivery_email).clear_history()
     event_time = timezone_now()
     RealmAuditLog.objects.create(
         realm=user_profile.realm,

zerver/tests/test_auth_backends.py

@@ -42,6 +42,7 @@ from social_django.strategy import DjangoStrategy
 from confirmation.models import Confirmation, create_confirmation_link
 from zerver.lib.actions import (
     change_user_is_active,
+    do_change_password,
     do_create_realm,
     do_create_user,
     do_deactivate_realm,
@@ -673,6 +674,11 @@ class RateLimitAuthenticationTests(ZulipTestCase):
                     # But the third attempt goes over the limit:
                     with self.assertRaises(RateLimited):
                         attempt_authentication(username, wrong_password)
+
+                    # Resetting the password also clears the rate-limit
+                    do_change_password(expected_user_profile, correct_password)
+                    self.assertIsNone(attempt_authentication(username, wrong_password))
+
             finally:
                 # Clean up to avoid affecting other tests.
                 RateLimitedAuthenticationByUsername(username).clear_history()