Add a new screen that allows a user to request a password reset in the event of a lost password or username.
The screen will allow an unauthenticated user to enter an email address that they believe is associated with an account. The response to submitting this form will always be a screen telling the user that an email has been sent to the provided email address with instructions for account recovery. There will be no indication of whether or not the email address submitted is associated with an account.
The application will create a one-time use token and store it in the database. That token will be linked to the user account for the provided email address.
The email sent to the user will provide the username associated with the email address and a URL containing the one-time use reset token. Visiting this URL will check that the token is unused and unexpired. If it is, the user will be allowed to enter a new password for the account. If the token is invalid, the user will be allowed to request a new token.
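An added example, not code from the project: the token lifecycle described above, in Python with an in-memory SQLite database. The 30-minute lifetime, storing only a SHA-256 digest of the token rather than the token itself, the table and function names, the example.test addresses and the outbox list standing in for the mailer are all assumptions.

```python
import hashlib, os, secrets, sqlite3, time

TOKEN_TTL = 30 * 60  # assumed lifetime in seconds; the request does not specify one
GENERIC_REPLY = "An email with account recovery instructions has been sent."

db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, email TEXT UNIQUE, password_hash TEXT);
CREATE TABLE reset_tokens(token_hash TEXT PRIMARY KEY, user_id INTEGER,
                          expires_at REAL, used INTEGER DEFAULT 0);
INSERT INTO users(username, email, password_hash) VALUES ('alice', 'alice@example.test', 'x');
""")  # constructed sample account
outbox = []  # stands in for a mail queue, so the reply does not wait on delivery

def digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def hash_password(password):
    salt = os.urandom(16)
    return salt.hex() + ":" + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000).hex()

def request_reset(email, now=None):
    """Always returns GENERIC_REPLY, whether or not the address is known."""
    now = time.time() if now is None else now
    row = db.execute("SELECT id, username FROM users WHERE email = ?", (email,)).fetchone()
    if row:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        db.execute("INSERT INTO reset_tokens(token_hash, user_id, expires_at) VALUES (?, ?, ?)",
                   (digest(token), row[0], now + TOKEN_TTL))
        outbox.append((email, row[1], "https://app.example.test/reset?token=" + token))
    return GENERIC_REPLY

def redeem(token, new_password, now=None):
    """Set the password if the token is unused and unexpired; True on success."""
    now = time.time() if now is None else now
    # One UPDATE claims the token, so two concurrent requests cannot both redeem it.
    cur = db.execute("UPDATE reset_tokens SET used = 1 "
                     "WHERE token_hash = ? AND used = 0 AND expires_at > ?",
                     (digest(token), now))
    if cur.rowcount != 1:
        return False  # caller shows the "request a new token" screen
    (user_id,) = db.execute("SELECT user_id FROM reset_tokens WHERE token_hash = ?",
                            (digest(token),)).fetchone()
    db.execute("UPDATE users SET password_hash = ? WHERE id = ?",
               (hash_password(new_password), user_id))
    db.commit()
    return True
```

Because only the digest is stored, a read of the reset_tokens table does not yield usable reset links.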